Creating the custom security context constraint for embedded Db2 databases

Embedded Db2 databases require a custom security context constraint (SCC).

The following services use an embedded Db2 database:

  • Db2 Big SQL
  • OpenPages® (created only if you use an embedded instance of Db2)
  • Watson™ Knowledge Catalog
  • Watson Query

Each embedded Db2 database has its own SCC, and the embedded database is accessible only by the service or service instance that creates the database.

When you install a service that uses an embedded Db2 database, the appropriate SCC is created automatically.

The name and the contents of the SCC depend on the service that embeds the database.

Default SCC for Db2 Big SQL

The SCC is named <NAMESPACE>-c-bigsql-<SERVICE_INSTANCE_ID>-scc.

Contents of the Db2 Big SQL SCC
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INST_OPERANDS}:${SERVICE_ACCOUNT}
volumes:
- '*'

Default SCC for OpenPages

An SCC is created only if you use an embedded Db2 database. It is not required if you use an external Db2 database with OpenPages.

The SCC is named <NAMESPACE>-c-db2oltp-<OPENPAGES_INSTANCE_ID>-scc.

Contents of the OpenPages SCC
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: []
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  ranges:
  - max: 1000
    min: 1000
  type: MustRunAs
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- SETUID
- SETGID
- MKNOD
- ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INST_OPERANDS}:${SERVICE_ACCOUNT}
volumes:
- configMap
- downwardAPI
- emptyDir
- hostPath
- persistentVolumeClaim
- projected
- secret

Default SCC for Watson Knowledge Catalog

The contents of the SCC depend on the privileges that Db2U runs with. For details, see Changing kernel parameter settings.

The SCC is named <NAMESPACE>-c-db2oltp-wkc-scc.

Contents of the Watson Knowledge Catalog SCC if you do not change the kernel parameter settings
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: []
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  ranges:
  - max: 1000
    min: 1000
  type: MustRunAs
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- SETUID
- SETGID
- MKNOD
- ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INST_OPERANDS}:${SERVICE_ACCOUNT}
volumes:
- configMap
- downwardAPI
- emptyDir
- hostPath
- persistentVolumeClaim
- projected
- secret

Contents of the Watson Knowledge Catalog SCC if you change the kernel parameter settings to allow Db2U to make unsafe sysctl changes
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: []
allowedUnsafeSysctls:
- kernel.shmmni
- kernel.shmmax
- kernel.shmall
- kernel.sem
- kernel.msgmni
- kernel.msgmax
- kernel.msgmnb
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  ranges:
  - max: 1000
    min: 1000
  type: MustRunAs
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- SETUID
- SETGID
- MKNOD
- ALL
runAsUser:
  type: MustRunAs
  uid: 500
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INST_OPERANDS}:${SERVICE_ACCOUNT}
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

Default SCC for Watson Query

The SCC is named <NAMESPACE>-c-db2u-dv-scc.

Contents of the Watson Query SCC
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INST_OPERANDS}:${SERVICE_ACCOUNT}
volumes:
- '*'
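Added example, not part of the IBM documentation or the Db2U operator: a small Python audit that lists the privilege-widening settings in an SCC object, run here over constructed, abbreviated copies of the two Watson Knowledge Catalog variants above (the service account name in them is a placeholder). It makes visible that the unsafe-sysctl variant gives up privileged containers, hostPath volumes and RunAsAny in exchange for the listed sysctls, and it can be pointed at a live SCC with `oc get scc <NAME> -o json`.

```python
import json
import sys
# SCC booleans that widen a pod's reach beyond the restricted SCC, and why each matters.
RISKY_FLAGS = {
    "allowPrivilegedContainer": "privileged containers get unrestricted host access",
    "allowPrivilegeEscalation": "processes may gain privileges (setuid, file caps) at run time",
    "allowHostDirVolumePlugin": "hostPath volumes expose the node filesystem",
    "allowHostNetwork": "pod shares the node network namespace",
    "allowHostPID": "pod sees and can signal node processes",
    "allowHostIPC": "pod shares node IPC objects",
}

def audit_scc(scc: dict) -> list:
    """Return one finding string per privilege-widening setting in an SCC object."""
    findings = [f"{f}=true: {why}" for f, why in RISKY_FLAGS.items() if scc.get(f)]
    vols = scc.get("volumes") or []
    if "*" in vols:
        findings.append("volumes=['*']: any volume type, hostPath included, may be mounted")
    elif "hostPath" in vols:
        findings.append("volumes allow hostPath: node filesystem may be mounted")
    for list_field in ("allowedCapabilities", "allowedUnsafeSysctls"):
        if scc.get(list_field):
            findings.append(f"{list_field}: {', '.join(scc[list_field])}")
    if (scc.get("runAsUser") or {}).get("type") == "RunAsAny":
        findings.append("runAsUser=RunAsAny: containers may run as UID 0")
    if scc.get("priority") is not None:
        findings.append(f"priority={scc['priority']}: sorted ahead of lower-priority SCCs at admission")
    # The SCCs on this page grant exactly one service account; anything else is worth a look.
    for u in scc.get("users") or []:
        if not u.startswith("system:serviceaccount:"):
            findings.append(f"users grants a non-service-account subject: {u}")
    return findings

# Constructed, abbreviated copies of the two Watson Knowledge Catalog variants shown above.
WKC_DEFAULT = {"allowHostDirVolumePlugin": True, "allowPrivilegeEscalation": True,
               "allowPrivilegedContainer": True, "allowedCapabilities": [], "priority": None,
               "runAsUser": {"type": "RunAsAny"}, "groups": [],
               "users": ["system:serviceaccount:cpd-instance:wkc-sa"],  # placeholder names
               "volumes": ["configMap", "emptyDir", "hostPath", "persistentVolumeClaim", "secret"]}
WKC_UNSAFE_SYSCTL = {"allowHostDirVolumePlugin": False, "allowPrivilegeEscalation": False,
                     "allowPrivilegedContainer": False, "allowedCapabilities": [],
                     "allowedUnsafeSysctls": ["kernel.shmmni", "kernel.shmmax", "kernel.sem"],
                     "priority": None, "runAsUser": {"type": "MustRunAs", "uid": 500}, "groups": [],
                     "users": ["system:serviceaccount:cpd-instance:wkc-sa"],
                     "volumes": ["configMap", "emptyDir", "persistentVolumeClaim", "secret"]}

if __name__ == "__main__":
    # Audit a live object: oc get scc <NAME> -o json | python audit_scc.py
    for line in audit_scc(json.load(sys.stdin)):
        print(line)
```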