Creating custom security context constraints for services

Most IBM® Software Hub services use the restricted-v2 security context constraint (SCC) that is provided by Red Hat® OpenShift® Container Platform. However, if you plan to install certain IBM Software Hub services, you might need to create one or more custom SCCs.

Installation phase
  • You are not here. Setting up a client workstation
  • You are not here. Setting up a cluster
  • You are not here. Collecting required information
  • You are not here. Preparing to run installs in a restricted network
  • You are not here. Preparing to run installs from a private container registry
  • You are here icon. Preparing the cluster for IBM Software Hub
  • You are not here. Preparing to install an instance of IBM Software Hub
  • You are not here. Installing an instance of IBM Software Hub
  • You are not here. Setting up the control plane
  • You are not here. Installing solutions and services
Who needs to complete this task?
A cluster administrator must complete this task.
When do you need to complete this task?
You must complete this task before you install a service that uses a custom SCC.

The restricted-v2 SCC

Red Hat OpenShift Container Platform provides a set of predefined SCCs that control the actions that a pod can perform and what it can access. These SCCs can be used, modified, or extended by an administrator. By default, containers are granted access to the restricted-v2 SCC and have only the capabilities that are defined by the restricted-v2 SCC.

For more information, see Managing security context constraints in the Red Hat OpenShift Container Platform documentation:

When you install the IBM Software Hub control plane, the default service account is associated with the restricted-v2 SCC.

IBM Software Hub does not support the use of privileged SCCs in OpenShift.

Most IBM Software Hub services use the restricted-v2 SCC.

SCCs for IBM Cloud Pak foundational services

For information about the SCCs that are required by the IBM Cloud Pak foundational services, see Security context constraints in the IBM Cloud Pak foundational services documentation:

Custom SCCs

If you plan to install any of the following services, you might need to manually create the appropriate custom SCCs:

  • Data Product Hub
  • Data Virtualization
  • Db2
  • Db2 Big SQL
  • Db2 Warehouse
  • IBM Knowledge Catalog
  • IBM Knowledge Catalog Premium
  • IBM Knowledge Catalog Standard
  • Informix
  • OpenPages
Service Required SCCs
Data Product Hub
Data Product Hub uses an embedded Db2 database, which requires a custom SCC. The SCC is used only by the instance of Data Product Hub that embeds the Db2 database.

The required SCC is created automatically.

For details, see Creating the custom security context constraint for embedded Db2 databases.
Data Virtualization
Data Virtualization uses an embedded Db2 database, which requires a custom SCC. The SCC is used only by the instance of Data Virtualization that embeds the Db2 database.

The required SCC is created automatically.

For details, see Creating the custom security context constraint for embedded Db2 databases.
Db2
Db2 requires a custom SCC.

By default, the SCC is created automatically; however, you can choose to create the SCC manually.

For details, see Creating the custom security context constraint for Db2.
Db2 Big SQL
Db2 Big SQL uses an embedded Db2 database, which requires a custom SCC. The SCC is used only by the instance of Db2 Big SQL that embeds the Db2 database.

The required SCC is created automatically.

For details, see Creating the custom security context constraint for embedded Db2 databases.
Db2 Warehouse
Db2 Warehouse requires a custom SCC.

By default, the SCC is created automatically; however, you can choose to create the SCC manually.

For details, see Creating the custom security context constraint for Db2 Warehouse.
IBM Knowledge Catalog
IBM Knowledge Catalog uses an embedded Db2 database, which requires a custom SCC. The SCC is used only by the instance of IBM Knowledge Catalog that embeds the Db2 database.

The required SCC is created automatically.

For details, see Creating the custom security context constraint for embedded Db2 databases.
IBM Knowledge Catalog Premium
IBM Knowledge Catalog Premium uses an embedded Db2 database, which requires a custom SCC. The SCC is used only by the instance of IBM Knowledge Catalog Premium that embeds the Db2 database.

The required SCC is created automatically.

For details, see Creating the custom security context constraint for embedded Db2 databases.
IBM Knowledge Catalog Standard
IBM Knowledge Catalog Standard uses an embedded Db2 database, which requires a custom SCC. The SCC is used only by the instance of IBM Knowledge Catalog Standard that embeds the Db2 database.

The required SCC is created automatically.

For details, see Creating the custom security context constraint for embedded Db2 databases.
Informix

Informix requires a custom SCC.

You must create this SCC manually.

For details, see Creating the custom security context constraint for Informix.
OpenPages
The OpenPages service can optionally embed a Db2 database.

If you chose to use an embedded Db2 database, OpenPages requires a custom SCC for the Db2 database. The SCC is used only by the instance of OpenPages that embeds the Db2 database.

The required SCC is created automatically.

For details, see Creating the custom security context constraint for embedded Db2 databases.

If you choose to use an external database, the custom SCC is not required.
watsonx.governance™
If you install the OpenPages component of watsonx.governance, you can either:
  • Use an existing OpenPages service instance
  • Use the default OpenPages service instance that is created when you install watsonx.governance.

    The default OpenPages instance uses an embedded Db2 database.

    The embedded Db2 database requires a custom SCC, which is created automatically. For details, see Creating the custom security context constraint for embedded Db2 databases.