Creating the custom security context constraint for embedded Db2 databases (Upgrading from Version 3.5 to Version 4.6)
Embedded Db2 databases require a custom security context constraint (SCC).
The following services use an embedded Db2 database:
- Db2 Big SQL
- OpenPages® (created only if you use an embedded instance of Db2)
- Watson™ Knowledge Catalog
- Watson Query
Each embedded Db2 database has its own SCC, and the embedded database is accessible only by the service or service instance that creates the database.
When you install a service that uses an embedded Db2 database, the appropriate SCC is created automatically.
The name of the SCC and the content of the SCC depend on the service that embeds the database.
Default SCC for Db2 Big SQL
The SCC is named
<NAMESPACE>-c-bigsql-<SERVICE_INSTANCE_ID>-scc
.
Contents of the Db2 Big SQL SCC
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
type: RunAsAny
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
volumes:
- '*'
Default SCC for OpenPages
An SCC is created only if you use an embedded Db2 database. It is not required if you use an external Db2 database with OpenPages.
The SCC is named
<NAMESPACE>-c-db2oltp-<OPENPAGES_INSTANCE_ID>-scc
.
Contents of the OpenPages SCC
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: []
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
ranges:
- max: 1000
min: 1000
type: MustRunAs
groups: []
kind: SecurityContextConstraints
metadata:
name: ${SCC_NAME}
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- SETUID
- SETGID
- MKNOD
- ALL
runAsUser:
type: RunAsAny
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
volumes:
- configMap
- downwardAPI
- emptyDir
- hostPath
- persistentVolumeClaim
- projected
- secret
Default SCC for Watson Knowledge Catalog
The contents of the SCC depend on the privileges that Db2U runs with. For details, see Changing kernel parameter settings (Upgrading from Version 3.5 to Version 4.6).
The SCC is named
<NAMESPACE>-c-db2oltp-wkc-scc
.
You do not change the kernel parameter settings
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: []
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
ranges:
- max: 1000
min: 1000
type: MustRunAs
groups: []
kind: SecurityContextConstraints
metadata:
name: ${SCC_NAME}
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- SETUID
- SETGID
- MKNOD
- ALL
runAsUser:
type: RunAsAny
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
volumes:
- configMap
- downwardAPI
- emptyDir
- hostPath
- persistentVolumeClaim
- projected
- secret
You change the kernel parameter settings to allow Db2U to make unsafe sysctl changes
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: []
allowedUnsafeSysctls:
- kernel.shmmni
- kernel.shmmax
- kernel.shmall
- kernel.sem
- kernel.msgmni
- kernel.msgmax
- kernel.msgmnb
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
ranges:
- max: 1000
min: 1000
type: MustRunAs
groups: []
kind: SecurityContextConstraints
metadata:
name: ${SCC_NAME}
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- SETUID
- SETGID
- MKNOD
- ALL
runAsUser:
type: MustRunAs
uid: 500
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
Default SCC for Watson Query
The SCC is named <NAMESPACE>-c-db2u-dv-scc
.
Contents of the Watson Query SCC
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
type: RunAsAny
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
volumes:
- '*'