Manually creating the custom security context constraint for Db2 Warehouse

If you don't want to allow the Db2 Warehouse service to automatically create the security context constraint, you can manually create the SCC. The SCC that you create is determined by whether you plan to change the node settings to allow Db2U to make unsafe sysctl changes and whether you are creating an SMP database or an MPP database.

By default, Db2 Warehouse uses a privileged Init Container to set the kernel parameters. If you want OpenShift® Sysctls to set the kernel parameters, see Deploying Db2 Warehouse with limited privileges. The SCC spec in step 5 depends on this choice.

Who needs to complete this task?
A cluster administrator must complete this task.
When do you need to complete this task?
Complete this task only if you don't want to allow the service to automatically create the SCC.

Before you begin

Best practice: You can run many of the commands in this task exactly as written if you set up environment variables for your installation. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

Determine whether you plan to change the node settings to allow Db2U to make unsafe sysctl changes.

Procedure

  1. Set the following environment variables.
    Note: The commands use the ${PROJECT_CPD_INSTANCE} project to identify the project where you will create the service instance that uses the SCC.
    1. Set SCC_NAME to the name that you want to use for the SCC:
      export SCC_NAME=<scc-name>
    2. Set SERVICE_ACCOUNT to the name of the service account that you want to bind the SCC to:
      export SERVICE_ACCOUNT=<sa-name>
    3. Set ROLE_NAME to the name of the role that will be referenced by the role binding:
      export ROLE_NAME=<role-name>
    4. Set ROLEBINDING_NAME to the name of the role binding that will be used to bind the service account to the SCC:
      export ROLEBINDING_NAME=<rolebinding-name>
    5. Set PROJECT_CPD_INSTANCE to the project namespace in which the Db2 Warehouse service is installed:
      export PROJECT_CPD_INSTANCE=<namespace>
  2. Create the service account:
    cat <<EOF |oc apply -f -
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: ${SERVICE_ACCOUNT}
      namespace: ${PROJECT_CPD_INSTANCE}
    EOF
  3. Create the role:
    cat <<EOF |oc apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: ${ROLE_NAME}
      namespace: ${PROJECT_CPD_INSTANCE}
    rules:
    - apiGroups:
      - ""
      resources:
      - endpoints
      - pods
      verbs:
      - get
      - patch
      - update
    - apiGroups:
      - apps
      resources:
      - statefulsets   # RBAC resource names are lowercase and case-sensitive
      - deployments
      - replicasets
      verbs:
      - get
      - list
    - apiGroups:
      - ""
      resources:
      - configmaps
      verbs:
      - get
      - patch
      - watch
      - list
      - update
    - apiGroups:
      - ""
      resources:
      - secrets
      verbs:
      - get
      - create
      - update
    - apiGroups:
      - db2u.databases.ibm.com
      resources:
      - recipes
      verbs:
      - watch
      - get
      - update
      - create
      - patch
      - list
      - delete
    - apiGroups:
      - db2u.databases.ibm.com
      resources:
      - buckets
      verbs:
      - patch
    - apiGroups:
      - db2u.databases.ibm.com
      resources:
      - backups
      verbs:
      - patch
      - delete
      - list
    - apiGroups:
      - db2u.databases.ibm.com
      resources:
      - formations
      verbs:
      - get
    - apiGroups:
      - ""
      resources:
      - pods/exec
      verbs:
      - create
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - watch
      - list
      - get
    - apiGroups:
      - ""
      resources:
      - services
      verbs:
      - watch
      - list
      - get
    EOF
  4. Create the role binding:
    cat <<EOF |oc apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: ${ROLEBINDING_NAME}
      namespace: ${PROJECT_CPD_INSTANCE}
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: ${ROLE_NAME}
    subjects:
    - kind: ServiceAccount
      name: ${SERVICE_ACCOUNT}
      namespace: ${PROJECT_CPD_INSTANCE}
    EOF
  5. Create the SCC:
    SMP databases

    You do not change the node settings
    cat <<EOF |oc apply -f -
    allowHostDirVolumePlugin: true
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegeEscalation: true
    # The privileged Init Container that sets the kernel parameters needs this.
    allowPrivilegedContainer: true
    allowedCapabilities:
    - FOWNER
    - SETGID
    - SETUID
    - CHOWN
    - DAC_OVERRIDE
    - SYS_RESOURCE
    - IPC_OWNER
    - SYS_NICE
    - FSETID
    - SETFCAP
    - SETPCAP
    - SYS_CHROOT
    - KILL
    - AUDIT_WRITE
    apiVersion: security.openshift.io/v1
    defaultAddCapabilities: null
    fsGroup:
      type: RunAsAny
    groups: []
    kind: SecurityContextConstraints
    metadata:
      name: ${SCC_NAME}
    priority: 10
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - ALL
    runAsUser:
      type: RunAsAny
    seLinuxContext:
      type: MustRunAs
    supplementalGroups:
      type: RunAsAny
    users:
    - system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
    volumes:
    - '*'
    EOF

    You change the node settings to allow Db2U to make unsafe sysctl changes
    cat <<EOF |oc apply -f -
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegeEscalation: true
    allowPrivilegedContainer: false
    allowedCapabilities:
    - FOWNER
    - SETGID
    - SETUID
    - CHOWN
    - DAC_OVERRIDE
    - SYS_RESOURCE
    - IPC_OWNER
    - SYS_NICE
    - FSETID
    - SETFCAP
    - SETPCAP
    - SYS_CHROOT
    - KILL
    - AUDIT_WRITE
    # Db2U sets these itself; the nodes must already allow these unsafe sysctls.
    allowedUnsafeSysctls:
    - kernel.shmmni
    - kernel.shmmax
    - kernel.shmall
    - kernel.sem
    - kernel.msgmni
    - kernel.msgmax
    - kernel.msgmnb
    apiVersion: security.openshift.io/v1
    defaultAddCapabilities: null
    fsGroup:
      type: RunAsAny
    groups: []
    kind: SecurityContextConstraints
    metadata:
      name: ${SCC_NAME}
    priority: 10
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - ALL
    runAsUser:
      type: MustRunAsNonRoot
    seLinuxContext:
      type: MustRunAs
    supplementalGroups:
      type: RunAsAny
    users:
    - system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
    volumes:
    - '*'
    EOF

    MPP databases

    You do not change the node settings
    cat <<EOF |oc apply -f -
    allowHostDirVolumePlugin: true
    allowHostIPC: true
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: true
    allowPrivilegeEscalation: true
    # The privileged Init Container that sets the kernel parameters needs this.
    allowPrivilegedContainer: true
    allowedCapabilities:
    - FOWNER
    - SETGID
    - SETUID
    - CHOWN
    - DAC_OVERRIDE
    - SYS_RESOURCE
    - IPC_OWNER
    - SYS_NICE
    - FSETID
    - SETFCAP
    - SETPCAP
    - SYS_CHROOT
    - KILL
    - AUDIT_WRITE
    apiVersion: security.openshift.io/v1
    defaultAddCapabilities: null
    fsGroup:
      type: RunAsAny
    groups: []
    kind: SecurityContextConstraints
    metadata:
      name: ${SCC_NAME}
    priority: 10
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - ALL
    runAsUser:
      type: RunAsAny
    seLinuxContext:
      type: MustRunAs
    supplementalGroups:
      type: RunAsAny
    users:
    - system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
    volumes:
    - '*'
    EOF

    You change the node settings to allow Db2U to make unsafe sysctl changes
    cat <<EOF |oc apply -f -
    allowHostDirVolumePlugin: false
    allowHostIPC: true
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: true
    allowPrivilegeEscalation: true
    allowPrivilegedContainer: false
    allowedCapabilities:
    - FOWNER
    - SETGID
    - SETUID
    - CHOWN
    - DAC_OVERRIDE
    - SYS_RESOURCE
    - IPC_OWNER
    - SYS_NICE
    - FSETID
    - SETFCAP
    - SETPCAP
    - SYS_CHROOT
    - KILL
    - AUDIT_WRITE
    apiVersion: security.openshift.io/v1
    defaultAddCapabilities: null
    fsGroup:
      type: RunAsAny
    groups: []
    kind: SecurityContextConstraints
    metadata:
      name: ${SCC_NAME}
    priority: 10
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - ALL
    runAsUser:
      type: MustRunAsNonRoot
    seLinuxContext:
      type: MustRunAs
    supplementalGroups:
      type: RunAsAny
    users:
    - system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
    volumes:
    - '*'
    EOF

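The four SCC specs above differ only in a handful of fields. The following Python is an added example, not IBM's code: it builds each of the four variants from the two choices (SMP or MPP, privileged Init Container or unsafe sysctls) and runs a consistency check so that a hand-edited SCC that mixes the two mechanisms, or grants host network or host PID that no variant needs, is caught before it is applied. The capability and sysctl lists are those in step 5; names such as build_scc and check_scc are this example's own.

```python
# Capability and sysctl lists are copied from the step-5 SCC specs.
CAPS = ["FOWNER", "SETGID", "SETUID", "CHOWN", "DAC_OVERRIDE", "SYS_RESOURCE", "IPC_OWNER",
        "SYS_NICE", "FSETID", "SETFCAP", "SETPCAP", "SYS_CHROOT", "KILL", "AUDIT_WRITE"]
UNSAFE_SYSCTLS = ["kernel.shmmni", "kernel.shmmax", "kernel.shmall", "kernel.sem",
                  "kernel.msgmni", "kernel.msgmax", "kernel.msgmnb"]

def build_scc(name, namespace, service_account, topology="smp", unsafe_sysctls=False):
    """Return one of the four step-5 SCC variants as a dict. topology is 'smp' or 'mpp';
    unsafe_sysctls=True is the variant where Db2U sets the kernel parameters itself."""
    mpp = {"smp": False, "mpp": True}[topology]  # KeyError on anything else
    scc = {
        "apiVersion": "security.openshift.io/v1", "kind": "SecurityContextConstraints",
        "metadata": {"name": name}, "priority": 10,
        # Only the MPP variants allow host IPC and host ports; host network and host PID
        # are disabled in every variant.
        "allowHostIPC": mpp, "allowHostPorts": mpp, "allowHostNetwork": False, "allowHostPID": False,
        # The privileged-Init-Container variants need a privileged container, hostPath
        # volumes and RunAsAny; the sysctl variants drop all three and run non-root.
        "allowPrivilegedContainer": not unsafe_sysctls,
        "allowHostDirVolumePlugin": not unsafe_sysctls,
        "allowPrivilegeEscalation": True,
        "allowedCapabilities": list(CAPS), "defaultAddCapabilities": None,
        "requiredDropCapabilities": ["ALL"], "readOnlyRootFilesystem": False,
        "runAsUser": {"type": "MustRunAsNonRoot" if unsafe_sysctls else "RunAsAny"},
        "seLinuxContext": {"type": "MustRunAs"},
        "fsGroup": {"type": "RunAsAny"}, "supplementalGroups": {"type": "RunAsAny"},
        "groups": [], "users": [f"system:serviceaccount:{namespace}:{service_account}"],
        "volumes": ["*"],
    }
    if unsafe_sysctls:
        scc["allowedUnsafeSysctls"] = list(UNSAFE_SYSCTLS)
    return scc

def check_scc(scc):
    """Return findings; an empty list means the SCC matches one documented variant."""
    findings = []
    privileged = scc.get("allowPrivilegedContainer", False)
    sysctls = scc.get("allowedUnsafeSysctls") or []
    if privileged and sysctls:
        findings.append("both a privileged container and unsafe sysctls are allowed")
    if not privileged and not sysctls:
        findings.append("no mechanism left for setting the kernel parameters")
    if not privileged and scc.get("runAsUser", {}).get("type") != "MustRunAsNonRoot":
        findings.append("sysctl variant must set runAsUser to MustRunAsNonRoot")
    if scc.get("allowHostNetwork") or scc.get("allowHostPID"):
        findings.append("host network or host PID enabled; no variant needs them")
    findings += [f"non-service-account user: {u}" for u in scc.get("users", [])
                 if not u.startswith("system:serviceaccount:")]
    return findings
```

The returned dict serialises to JSON with the standard library, and JSON is valid YAML, so it can be piped into `oc apply -f -` once check_scc returns an empty list.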
What to do next

You must take steps outside of the Cloud Pak for Data web console to prepare for deploying Db2 Warehouse. See Specifying a custom service account, SCC, role, and role binding before deploying Db2 Warehouse.