manage apply-scc

Create a custom SCC for the specified component and bind it to a service account in the Cloud Pak for Data control plane namespace.

Extended description

Restriction: Currently, this command applies only to the wkc component.
Custom SCC for Watson™ Knowledge Catalog
The cpd-cli manage apply-scc command creates the wkc-iis-scc security context constraint and binds it to the wkc-iis-sa service account.

You must run this command in each project where you plan to install Watson Knowledge Catalog.


Watson Knowledge Catalog SCC definition

allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: WKC/IIS provides all features of the restricted SCC
      but runs as user 10032.
  name: wkc-iis-scc
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: MustRunAs
  uid: 10032
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
users:
- system:serviceaccount:cpd-instance:wkc-iis-sa
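
To confirm that the SCC on a cluster still matches the definition above and is bound only to wkc-iis-sa in the projects where you ran the command, you can audit an export of it. The following shell functions are an added example, not part of the IBM documentation or of cpd-cli. The function names, the second project name used in testing, and the sample input are constructed, and the check assumes that each run of the command adds that project's wkc-iis-sa to the users list.

```shell
# Added example (not IBM code): audit an exported wkc-iis-scc against the
# definition documented on this page. On a cluster, the input would come from:
#   oc get scc wkc-iis-scc -o yaml > live.yaml

# Print the value of a top-level "key: value" line.
scalar_of() { awk -v k="$2" -F': *' '$1 == k { print $2; exit }' "$1"; }

# Print the items of a top-level block list ("key:" followed by "- item" lines).
list_of() {
  awk -v k="$2:" '$0 == k          { in_list = 1; next }
                  in_list && /^- / { sub(/^- /, ""); print; next }
                  in_list          { exit }' "$1"
}

# audit_scc FILE PROJECT...: print one DRIFT line per finding; return 1 if any.
audit_scc() {
  file=$1; shift; rc=0
  # Host-access and privilege flags, with the values shown in the definition.
  for pair in allowHostDirVolumePlugin=false allowHostIPC=false \
      allowHostNetwork=false allowHostPID=false allowHostPorts=false \
      allowPrivilegedContainer=false allowPrivilegeEscalation=true; do
    got=$(scalar_of "$file" "${pair%%=*}")
    [ "$got" = "${pair#*=}" ] || { echo "DRIFT ${pair%%=*}=${got:-unset}"; rc=1; }
  done
  # The four documented dropped capabilities must still be present.
  for cap in KILL MKNOD SETUID SETGID; do
    list_of "$file" requiredDropCapabilities | grep -qxF "$cap" ||
      { echo "DRIFT requiredDropCapabilities lacks $cap"; rc=1; }
  done
  # users must be exactly wkc-iis-sa in each listed project, nothing else.
  want=$(for ns in "$@"; do echo "system:serviceaccount:$ns:wkc-iis-sa"; done)
  for sa in $(list_of "$file" users); do
    echo "$want" | grep -qxF "$sa" || { echo "DRIFT unexpected user $sa"; rc=1; }
  done
  for sa in $want; do
    list_of "$file" users | grep -qxF "$sa" || { echo "DRIFT missing user $sa"; rc=1; }
  done
  return $rc
}

# Constructed sample limited to the audited keys; $1 = optional extra user entry.
sample_scc() {
  printf '%s: false\n' allowHostDirVolumePlugin allowHostIPC allowHostNetwork \
    allowHostPID allowHostPorts allowPrivilegedContainer
  printf '%s\n' 'allowPrivilegeEscalation: true' 'requiredDropCapabilities:'
  printf '%s\n' '- KILL' '- MKNOD' '- SETUID' '- SETGID' 'users:'
  printf '%s\n' '- system:serviceaccount:cpd-instance:wkc-iis-sa'
  [ -z "${1:-}" ] || printf '%s\n' "- $1"
}
```

Pass every project where you ran the command as an argument to audit_scc; a nonzero return means at least one DRIFT line was printed.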

Syntax

cpd-cli manage apply-scc \
--cpd_instance_ns=<project-name> \
--components=<component-name> \
[--preview=true|false] \
[-v][-vv][-vvv]

Arguments

The apply-scc command has no arguments.

Options

Option Description
--cpd_instance_ns The project (namespace) where IBM Cloud Pak® for Data is installed.
Status
Required.
Syntax
--cpd_instance_ns=<project-name>
Default value
No default. User-defined.
Valid values
The project (namespace) where IBM Cloud Pak for Data is installed.
--components The component for which you want to create the custom SCC.
Restriction: Currently, this command applies only to the wkc component.
Status
Required.
Syntax
--components=<component-name>
Default value
No default. You must specify the component name.
Valid values
wkc
--preview Preview the commands that run when you issue this CLI command.

The command issues a series of oc commands. You can optionally see the list of oc commands that are associated with the command.

The oc commands are saved to the preview.sh file in the cpd-cli-workspace/olm-utils-workspace/work directory.

Status
Optional.
Syntax
--preview=true|false
Default value
false

If you omit this option, the default value is used.

Valid values
false
Run the commands to apply the changes to your cluster.
true
Preview the commands without running them.

You can optionally copy the oc commands from the output and run them yourself. However, this method is not recommended. When you run the commands manually, you do not have access to the additional helper scripts that are included in the underlying Ansible® playbook.

-v
-vv
-vvv
Display verbose output.

Options are listed from least verbose to the most verbose.

Status
Optional.
Syntax
Verbose output
-v
Very verbose output
-vv
Most verbose output
-vvv
Default value
Not applicable.
Valid values
Not applicable.

Examples

Note: The following example uses the recommended installation environment variables.

Use a script to create environment variables with the correct values for your environment. For details, see Best practice: Setting up install variables.

Create the SCC for Watson Knowledge Catalog
cpd-cli manage apply-scc \
--cpd_instance_ns=${PROJECT_CPD_INSTANCE} \
--components=wkc
Preview the oc commands to create the SCC for Watson Knowledge Catalog
cpd-cli manage apply-scc \
--cpd_instance_ns=${PROJECT_CPD_INSTANCE} \
--components=wkc \
--preview=true