Creating custom security context constraints for services

Most Cloud Pak for Data services use the restricted security context constraint (SCC) that is provided by Red Hat® OpenShift® Container Platform. However, if you plan to install certain Cloud Pak for Data services, you might need to create one or more custom SCCs.

Installation phase
You are not here. Setting up a client workstation
You are not here. Collecting required information
You are here icon. Preparing your cluster
You are not here. Installing the Cloud Pak for Data platform and services
Who needs to complete this task?
A cluster administrator must complete this task.
When do you need to complete this task?
You must complete this task before you install a service that uses a custom SCC.

The restricted SCC

OpenShift provides a set of predefined SCCs that control the actions that a pod can perform and what it can access. These SCCs can be used, modified, or extended by an administrator. By default, containers are granted access to the restricted SCC and have only the capabilities that are defined by the restricted SCC. For more information, see Managing security context constraints in the Red Hat OpenShift Container Platform documentation:

When you install Cloud Pak for Data, the default service account is associated with the restricted SCC. Cloud Pak for Data does not support the use of privileged SCCs in OpenShift.

Most Cloud Pak for Data services use the restricted SCC.

SCCs for IBM Cloud Pak foundational services

For information about the SCCs that are required by the IBM Cloud Pak® foundational services, see Security context constraints in the IBM Cloud Pak foundational services documentation.

Custom SCCs

If you plan to install any of the following Cloud Pak for Data services, you might need to manually create the appropriate custom SCCs:

  • Db2®
  • Db2 Big SQL
  • Db2 Warehouse
  • Informix®
  • OpenPages®
  • Watson™ Knowledge Catalog
  • Watson Query
Service Required SCCs
Db2
Db2 requires a custom SCC.

By default, the SCC is created automatically; however, you can choose to create the SCC manually.

For details, see Creating the custom security context constraint for Db2.
Db2 Big SQL
Db2 Big SQL embeds an instance of Db2, which requires a custom SCC. This SCC is used only by the instance of Db2 Big SQL that embeds the Db2 database.

The required SCC is created automatically.

For details, see Creating the custom security context constraint for embedded Db2 databases.
Db2 Warehouse
Db2 Warehouse requires a custom SCC.

By default, the SCC is created automatically; however, you can choose to create the SCC manually.

For details, see Creating the custom security context constraint for Db2 Warehouse.
Informix

Informix requires a custom SCC.

You must create this SCC manually.

For details, see Creating the custom security context constraint for Informix.
OpenPages
The OpenPages service can optionally embed an instance of Db2.

If you chose to use an embedded instance of Db2, OpenPages requires a custom SCC for the Db2 database. This SCC is used only by the instance of OpenPages that embeds the Db2 database.

The required SCC is created automatically.

For details, see Creating the custom security context constraint for embedded Db2 databases.

If you choose to use an external database, the custom SCC is not required.
Watson Knowledge Catalog Watson Knowledge Catalog requires two custom SCCs:

If you install Data Privacy, the service uses the Watson Knowledge Catalog SCC.
Watson Query
Watson Query embeds an instance of Db2, which requires a custom SCC. This SCC is used only by the instance of Watson Query that embeds the Db2 database.

The required SCC is created automatically.

For details, see Creating the custom security context constraint for embedded Db2 databases.