Custom security context constraints for services
Most Cloud Pak for Data services use the restricted security context constraint (SCC) that is provided by Red Hat® OpenShift® Container Platform. However, if you plan to install certain Cloud Pak for Data services, you might need to use some custom SCCs.
OpenShift provides a set of predefined SCCs that control the actions that a pod can perform and what it can access. These SCCs can be used, modified, or extended by any administrator. By default, the execution of any container is granted access to the restricted SCC and only the capabilities that are defined by that SCC.
When you install Cloud Pak for Data services, the default service account is associated with the restricted SCC. Cloud Pak for Data does not support the use of privileged SCCs in OpenShift. However, some Cloud Pak for Data services might require custom SCCs, for example, to support interprocess communication (IPC). For more information, see Security context constraints in the IBM® Cloud Platform Common Services documentation.
The following Cloud Pak for Data services use custom SCCs:
- Data Virtualization
- Db2®
- Db2 Big SQL
- Db2 Warehouse
- OpenPages®
- Watson™ Knowledge Catalog
If you plan to install Watson Knowledge Catalog, you must create the custom SCCs manually. SCCs are cluster-scoped, so if you have multiple copies of Cloud Pak for Data installed in different namespaces, you create these SCCs only once for the cluster.
If you plan to install Db2 or Db2 Warehouse, the Db2 operator creates the custom SCC, service accounts, roles, and role bindings.
The Db2 Big SQL and Data Virtualization services embed Db2 and use the Db2 custom SCC.
The OpenPages service embeds Db2, but the custom SCC is used only if the OpenPages service instance is provisioned by using the internal database option. When the OpenPages service is provisioned by using a database outside the cluster, the custom SCC is not required.
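Because the custom SCCs are the only deviation from restricted that the services above require, a useful post-install check is to confirm that every pod in the Cloud Pak for Data namespace was admitted under either restricted or one of those custom SCCs, and nothing else. The script below is an added example, not IBM documentation or Cloud Pak for Data code; it assumes the input is the JSON printed by `oc get pods -n <namespace> -o json`, in which OpenShift records the admitting SCC in the `openshift.io/scc` pod annotation, and the custom SCC name it allows is a placeholder, not the real name of any service's SCC.

```python
"""Audit which SCC each pod in a namespace was admitted under.

Added example, not IBM documentation or Cloud Pak for Data code. Input is
assumed to be the JSON from `oc get pods -n <namespace> -o json`; OpenShift
stores the admitting SCC in the `openshift.io/scc` pod annotation. The
custom SCC name below is a placeholder, not a real Cloud Pak for Data SCC.
"""
import json

# Allow-list for the namespace: the platform default plus any custom SCC
# that the installed services are documented to require (placeholder name).
ALLOWED_SCCS = {"restricted", "cpd-custom-scc-placeholder"}


def audit_pod_sccs(pods_json: str, allowed=ALLOWED_SCCS):
    """Return (pod name, scc) for every pod admitted under an SCC that is
    not in the allow-list. A pod with no SCC annotation is reported with
    scc=None rather than silently skipped, because an unannotated pod
    cannot be shown to have been admitted under restricted."""
    items = json.loads(pods_json).get("items", [])
    findings = []
    for pod in items:
        meta = pod.get("metadata", {})
        scc = meta.get("annotations", {}).get("openshift.io/scc")
        if scc not in allowed:
            findings.append((meta.get("name", "<unnamed>"), scc))
    return findings


# Constructed sample in the shape of `oc get pods -o json` output; pod and
# SCC names are made up for the example.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "cpd-web-0",
                  "annotations": {"openshift.io/scc": "restricted"}}},
    {"metadata": {"name": "db2-engine-0",
                  "annotations": {"openshift.io/scc": "cpd-custom-scc-placeholder"}}},
    {"metadata": {"name": "debug-pod",
                  "annotations": {"openshift.io/scc": "privileged"}}},
    {"metadata": {"name": "legacy-job"}},
]})

if __name__ == "__main__":
    for name, scc in audit_pod_sccs(SAMPLE_PODS):
        print(f"{name}: admitted under unexpected SCC {scc!r}")
```

Run it against real cluster output by piping `oc get pods -n <namespace> -o json` into `audit_pod_sccs`; an empty result means every pod is on restricted or an expected custom SCC.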
For more information about basic security features in Cloud Pak for Data, see Basic security features on Red Hat OpenShift Container Platform.