Creating custom security context constraints for services
Most Cloud Pak for Data services use the restricted security context constraint (SCC) that is provided by Red Hat® OpenShift® Container Platform. However, if you plan to install certain Cloud Pak for Data services, you might need to create one or more custom SCCs.
- Installation phase
- Setting up a client workstation
- Who needs to complete this task?
- A cluster administrator must complete this task.
- When do you need to complete this task?
- You must complete this task before you install a service that uses a custom SCC.
The restricted SCC
restricted SCC and have only the capabilities that are defined by the restricted SCC. For more information, see Managing security context constraints in the Red Hat OpenShift Container Platform documentation:
- Version 4.8 (4.6.0 - 4.6.2 only)
- Version 4.10 (4.6.x)
- Version 4.12 (4.6.4 or later)
When you install Cloud Pak for Data, the default service account is associated with the restricted SCC. Cloud Pak for Data does not support the use of privileged SCCs in OpenShift.
Most Cloud Pak for Data services use the restricted SCC.
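The following added example (not part of the IBM documentation) shows one way a cluster administrator could check which SCC admitted each pod, by reading the `openshift.io/scc` annotation from `oc get pods -n <namespace> -o json` output. The pod names, the custom SCC name, and the sample JSON are constructed placeholders, and treating `restricted-` prefixed variants as restricted is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample, shaped like `oc get pods -n <namespace> -o json` output.
# Pod names and the custom SCC name are placeholders, not values from the page.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "example-ui-0",
                  "annotations": {"openshift.io/scc": "restricted"}}},
    {"metadata": {"name": "example-db-0",
                  "annotations": {"openshift.io/scc": "example-custom-scc"}}},
    {"metadata": {"name": "example-agent-0",
                  "annotations": {"openshift.io/scc": "privileged"}}},
    {"metadata": {"name": "example-job-0", "annotations": {}}},
]})


def audit_pod_sccs(pods_json, expected_custom=frozenset()):
    """Bucket pods by the SCC that admitted them.

    restricted  - the baseline SCC that most services use
    custom      - SCCs the administrator expects for the installed services
    unsupported - the privileged SCC, which Cloud Pak for Data does not support
    review      - any other SCC, or no SCC annotation at all
    """
    report = defaultdict(list)
    for pod in json.loads(pods_json).get("items", []):
        meta = pod.get("metadata", {})
        scc = (meta.get("annotations") or {}).get("openshift.io/scc")
        name = meta.get("name", "<unnamed>")
        if scc is None:
            report["review"].append((name, None))
        elif scc == "restricted" or scc.startswith("restricted-"):
            # Assumption: variants such as restricted-v2 count as restricted.
            report["restricted"].append((name, scc))
        elif scc == "privileged":
            report["unsupported"].append((name, scc))
        elif scc in expected_custom:
            report["custom"].append((name, scc))
        else:
            report["review"].append((name, scc))
    return dict(report)


if __name__ == "__main__":
    result = audit_pod_sccs(SAMPLE_PODS_JSON, {"example-custom-scc"})
    for bucket, pods in sorted(result.items()):
        for name, scc in pods:
            print(f"{bucket:12} {name:20} scc={scc}")
```

Pass the names of the custom SCCs that you created for your installed services as `expected_custom`; anything reported under `unsupported` or `review` needs a closer look.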
SCCs for IBM Cloud Pak foundational services
For information about the SCCs that are required by the IBM Cloud Pak® foundational services, see Security context constraints in the IBM Cloud Pak foundational services documentation.
Custom SCCs
If you plan to install any of the following Cloud Pak for Data services, you might need to manually create the appropriate custom SCCs:
- Db2®
- Db2 Big SQL
- Db2 Warehouse
- Informix®
- OpenPages®
- Watson™ Knowledge Catalog
- Watson Query
Service | Required SCCs |
---|---|
Db2 | Db2 requires a custom SCC. By default, the SCC is created automatically; however, you can choose to create the SCC manually. For details, see Creating the custom security context constraint for Db2. |
Db2 Big SQL | Db2 Big SQL embeds an instance of Db2, which requires a custom SCC. This SCC is used only by the instance of Db2 Big SQL that embeds the Db2 database. The required SCC is created automatically. For details, see Creating the custom security context constraint for embedded Db2 databases. |
Db2 Warehouse | Db2 Warehouse requires a custom SCC. By default, the SCC is created automatically; however, you can choose to create the SCC manually. For details, see Creating the custom security context constraint for Db2 Warehouse. |
Informix | Informix requires a custom SCC. You must create this SCC manually. For details, see Creating the custom security context constraint for Informix. |
OpenPages | The OpenPages service can optionally embed an instance of Db2. If you choose to use an embedded instance of Db2, OpenPages requires a custom SCC for the Db2 database. This SCC is used only by the instance of OpenPages that embeds the Db2 database. The required SCC is created automatically. For details, see Creating the custom security context constraint for embedded Db2 databases. If you choose to use an external database, the custom SCC is not required. |
Watson Knowledge Catalog | Watson Knowledge Catalog requires two custom SCCs: If you install Data Privacy, the service uses the Watson Knowledge Catalog SCC. |
Watson Query | Watson Query embeds an instance of Db2, which requires a custom SCC. This SCC is used only by the instance of Watson Query that embeds the Db2 database. The required SCC is created automatically. For details, see Creating the custom security context constraint for embedded Db2 databases. |