Manually creating the custom security context constraint for Db2 Warehouse
If you don't want to allow the Db2 Warehouse service to automatically create the security context constraint, you can manually create the SCC. The SCC that you create is determined by whether you plan to change the node settings to allow Db2U to make unsafe sysctl changes and whether you are creating an SMP database or an MPP database.
By default, Db2 Warehouse uses a privileged Init Container to set the kernel parameters. If you want OpenShift® Sysctls to set the kernel parameters instead, see Deploying Db2 Warehouse with limited privileges. The SCC spec in step 5 depends on this choice.
- Installation phase: Setting up a client workstation
- Who needs to complete this task? A cluster administrator must complete this task.
- When do you need to complete this task? Complete this task only if you don't want to allow the service to automatically create the SCC.
Before you begin
Ensure that you source the environment variables before you run the commands in this task.
Determine whether you plan to change the node settings to allow Db2U to make unsafe sysctl changes.
Procedure
- Set the following environment variables.
  Note: The commands use the ${PROJECT_CPD_INSTANCE} project to identify the project where you will create the service instance that uses the SCC.
  - Set SCC_NAME to the name that you want to use for the SCC:
    export SCC_NAME=<scc-name>
  - Set SERVICE_ACCOUNT to the name of the service account that you want to bind the SCC to:
    export SERVICE_ACCOUNT=<sa-name>
  - Set ROLE_NAME to the name of the role that will be referenced by the role binding:
    export ROLE_NAME=<role-name>
  - Set ROLEBINDING_NAME to the name of the role binding that will be used to bind the service account to the SCC:
    export ROLEBINDING_NAME=<rolebinding-name>
  - Set PROJECT_CPD_INSTANCE to the project namespace in which the Db2 Warehouse service is installed:
    export PROJECT_CPD_INSTANCE=<namespace>
- Create the service account:
cat <<EOF |oc apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SERVICE_ACCOUNT}
  namespace: ${PROJECT_CPD_INSTANCE}
EOF
- Create the role:
cat <<EOF |oc apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${ROLE_NAME}
  namespace: ${PROJECT_CPD_INSTANCE}
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  - pods
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - apps
  resources:
  # RBAC resource names are lowercase plural; "StatefulSets" would not match requests.
  - statefulsets
  - deployments
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - patch
  - watch
  - list
  - update
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
  - update
- apiGroups:
  - db2u.databases.ibm.com
  resources:
  - recipes
  verbs:
  - watch
  - get
  - update
  - create
  - patch
  - list
  - delete
- apiGroups:
  - db2u.databases.ibm.com
  resources:
  - buckets
  verbs:
  - patch
- apiGroups:
  - db2u.databases.ibm.com
  resources:
  - backups
  verbs:
  - patch
  - delete
  - list
- apiGroups:
  - db2u.databases.ibm.com
  resources:
  - formations
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - watch
  - list
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - watch
  - list
  - get
EOF
- Create the role binding:
cat <<EOF |oc apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${ROLEBINDING_NAME}
  namespace: ${PROJECT_CPD_INSTANCE}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${ROLE_NAME}
subjects:
- kind: ServiceAccount
  name: ${SERVICE_ACCOUNT}
  namespace: ${PROJECT_CPD_INSTANCE}
EOF
- Create the SCC. Use the spec that matches your database type (SMP or MPP) and whether you change the node settings:
  - SMP databases
    - You do not change the node settings:
cat <<EOF |oc apply -f -
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
volumes:
- '*'
EOF
    - You change the node settings to allow Db2U to make unsafe sysctl changes:
cat <<EOF |oc apply -f -
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
allowedUnsafeSysctls:
- kernel.shmmni
- kernel.shmmax
- kernel.shmall
- kernel.sem
- kernel.msgmni
- kernel.msgmax
- kernel.msgmnb
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
volumes:
- '*'
EOF
  - MPP databases
    - You do not change the node settings:
cat <<EOF |oc apply -f -
allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: false
allowHostPID: false
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
volumes:
- '*'
EOF
    - You change the node settings to allow Db2U to make unsafe sysctl changes:
cat <<EOF |oc apply -f -
allowHostDirVolumePlugin: false
allowHostIPC: true
allowHostNetwork: false
allowHostPID: false
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
allowedUnsafeSysctls:
- kernel.shmmni
- kernel.shmmax
- kernel.shmall
- kernel.sem
- kernel.msgmni
- kernel.msgmax
- kernel.msgmnb
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
volumes:
- '*'
EOF
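To see what each of the four SCC variants actually grants to the Db2U pods, and to confirm that the "you change the node settings" variants are the less privileged ones, the following added Python check (written for this page; it is not IBM code and not part of the product) rebuilds the four specs above as dictionaries and reports every setting that widens a pod's reach beyond its own sandbox. The SCC, namespace and service-account names used in it are constructed placeholders, and the risk wording attached to each field is the editor's, not the documentation's. On a cluster the same checker can be run against the output of oc get scc <name> -o json.

```python
"""Report the privilege each Db2 Warehouse SCC variant grants (added example, not IBM code).

The four SCC specs from the procedure above are rebuilt here as Python dicts so the
checker runs offline; on a cluster, feed it the output of `oc get scc <name> -o json`.
The risk wording is the editor's, not part of the product documentation.
"""
import json

# SCC fields that, when true, let a pod reach outside its own sandbox (constructed table).
HOST_ACCESS_FLAGS = {
    "allowPrivilegedContainer": "privileged containers are effectively root on the node",
    "allowHostDirVolumePlugin": "hostPath volumes can expose the node filesystem",
    "allowHostPID": "shares the node PID namespace",
    "allowHostNetwork": "shares the node network namespace",
    "allowHostIPC": "shares the node IPC namespace",
    "allowHostPorts": "may bind node ports",
}
# Capabilities that weaken file or system isolation (constructed subset, not exhaustive).
NOTABLE_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN", "SYS_RAWIO",
                "DAC_OVERRIDE", "DAC_READ_SEARCH"}

# Capability and sysctl lists copied from the SCC specs on this page.
DB2U_CAPS = ["FOWNER", "SETGID", "SETUID", "CHOWN", "DAC_OVERRIDE", "SYS_RESOURCE",
             "IPC_OWNER", "SYS_NICE", "FSETID", "SETFCAP", "SETPCAP", "SYS_CHROOT",
             "KILL", "AUDIT_WRITE"]
DB2U_SYSCTLS = ["kernel.shmmni", "kernel.shmmax", "kernel.shmall", "kernel.sem",
                "kernel.msgmni", "kernel.msgmax", "kernel.msgmnb"]


def db2wh_scc(name, namespace, service_account, *, mpp, unsafe_sysctls):
    """Build one of the four SCC variants shown on this page.

    mpp: MPP databases additionally allow host IPC and host ports.
    unsafe_sysctls: the 'you change the node settings' variant gives up privileged
    containers, hostPath volumes and RunAsAny in exchange for allowedUnsafeSysctls
    plus MustRunAsNonRoot.
    """
    scc = {
        "apiVersion": "security.openshift.io/v1",
        "kind": "SecurityContextConstraints",
        "metadata": {"name": name},
        "priority": 10,
        "allowHostDirVolumePlugin": not unsafe_sysctls,
        "allowHostIPC": mpp,
        "allowHostNetwork": False,
        "allowHostPID": False,
        "allowHostPorts": mpp,
        "allowPrivilegeEscalation": True,
        "allowPrivilegedContainer": not unsafe_sysctls,
        "allowedCapabilities": list(DB2U_CAPS),
        "defaultAddCapabilities": None,
        "requiredDropCapabilities": ["ALL"],
        "readOnlyRootFilesystem": False,
        "fsGroup": {"type": "RunAsAny"},
        "runAsUser": {"type": "MustRunAsNonRoot" if unsafe_sysctls else "RunAsAny"},
        "seLinuxContext": {"type": "MustRunAs"},
        "supplementalGroups": {"type": "RunAsAny"},
        "groups": [],
        "users": [f"system:serviceaccount:{namespace}:{service_account}"],
        "volumes": ["*"],
    }
    if unsafe_sysctls:
        scc["allowedUnsafeSysctls"] = list(DB2U_SYSCTLS)
    return scc


def scc_findings(scc):
    """Return {field: reason} for every setting that widens the pod's blast radius."""
    findings = {}
    for flag, why in HOST_ACCESS_FLAGS.items():
        if scc.get(flag) is True:
            findings[flag] = why
    if (scc.get("runAsUser") or {}).get("type") == "RunAsAny":
        findings["runAsUser"] = "RunAsAny lets containers run as UID 0"
    if scc.get("allowPrivilegeEscalation") is True:
        findings["allowPrivilegeEscalation"] = "setuid/file-capability binaries may gain privileges"
    caps = sorted(NOTABLE_CAPS & set(scc.get("allowedCapabilities") or []))
    if caps:
        findings["allowedCapabilities"] = "grants " + ", ".join(caps)
    sysctls = scc.get("allowedUnsafeSysctls") or []
    if sysctls:
        findings["allowedUnsafeSysctls"] = ("nodes must be configured to permit: "
                                            + ", ".join(sysctls))
    return findings


def privilege_delta(before, after):
    """Findings that disappear and appear when moving from one SCC spec to another."""
    a, b = scc_findings(before), scc_findings(after)
    return {"removed": sorted(set(a) - set(b)), "added": sorted(set(b) - set(a))}


def load_scc(text):
    """Parse `oc get scc <name> -o json` output for use with scc_findings()."""
    return json.loads(text)


if __name__ == "__main__":
    # Placeholder names, constructed for this example.
    for mpp in (False, True):
        kind = "MPP" if mpp else "SMP"
        default = db2wh_scc("db2wh-scc", "cpd-instance", "db2wh-sa", mpp=mpp, unsafe_sysctls=False)
        sysctl = db2wh_scc("db2wh-scc", "cpd-instance", "db2wh-sa", mpp=mpp, unsafe_sysctls=True)
        print(f"{kind}, node settings unchanged:", sorted(scc_findings(default)))
        print(f"{kind}, unsafe sysctls allowed on nodes:", json.dumps(privilege_delta(default, sysctl)))
```

The delta for both SMP and MPP is the same: switching to the sysctl-based variant removes allowPrivilegedContainer, allowHostDirVolumePlugin and the RunAsAny user strategy, and adds only the list of kernel sysctls that the nodes must already permit. The MPP variants keep allowHostIPC and allowHostPorts in both forms, so those two findings do not move.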