Creating custom security context constraints for services (Upgrading from Version 3.5 to Version 4.6)

Most Cloud Pak for Data services use the restricted security context constraint (SCC) that is provided by Red Hat® OpenShift® Container Platform. However, if you plan to upgrade certain Cloud Pak for Data services, you might need to create one or more custom SCCs.

The restricted SCC

OpenShift provides a set of predefined SCCs that control the actions that a pod can perform and what it can access. These SCCs can be used, modified, or extended by an administrator. By default, containers are granted access to the restricted SCC and have only the capabilities that are defined by the restricted SCC. For more information, see Managing security context constraints in the Red Hat OpenShift Container Platform documentation:

When you install Cloud Pak for Data, the default service account is associated with the restricted SCC. Cloud Pak for Data does not support the use of privileged SCCs in OpenShift.

Most Cloud Pak for Data services use the restricted SCC.

SCCs for IBM Cloud Pak foundational services

For information about the SCCs that are required by the IBM Cloud Pak® foundational services, see Security context constraints in the IBM Cloud Pak foundational services documentation.

Custom SCCs

If you plan to install any of the following Cloud Pak for Data services, you might need to manually create the appropriate custom SCCs:

  • Db2®
  • Db2 Big SQL
  • Db2 Warehouse
  • Informix®
  • OpenPages®
  • Watson™ Knowledge Catalog
  • Watson Query
Service Required SCCs
Db2
Db2 requires a custom SCC.

By default, the SCC is created automatically; however, you can choose to create the SCC manually.

For details, see Creating the custom security context constraint for Db2 (Upgrading from Version 3.5 to Version 4.6).

Db2 Big SQL
Db2 Big SQL embeds an instance of Db2, which requires a custom SCC. This SCC is used only by the instance of Db2 Big SQL that embeds the Db2 database.

The required SCC is created automatically.

For details, see Creating the custom security context constraint for embedded Db2 databases (Upgrading from Version 3.5 to Version 4.6).

Db2 Warehouse
Db2 Warehouse requires a custom SCC.

By default, the SCC is created automatically; however, you can choose to create the SCC manually.

For details, see Creating the custom security context constraint for Db2 Warehouse (Upgrading from Version 3.5 to Version 4.6).

Informix

Informix requires a custom SCC.

You must create this SCC manually.

For details, see Creating the custom security context constraint for Informix (Upgrading from Version 3.5 to Version 4.6).

OpenPages
The OpenPages service can optionally embed an instance of Db2.

If you chose to use an embedded instance of Db2, OpenPages requires a custom SCC for the Db2 database. This SCC is used only by the instance of OpenPages that embeds the Db2 database.

The required SCC is created automatically.

For details, see Creating the custom security context constraint for embedded Db2 databases (Upgrading from Version 3.5 to Version 4.6).

If you choose to use an external database, the custom SCC is not required.

Watson Knowledge Catalog Watson Knowledge Catalog requires two custom SCCs:
Watson Query
Watson Query embeds an instance of Db2, which requires a custom SCC. This SCC is used only by the instance of Watson Query that embeds the Db2 database.

The required SCC is created automatically.

For details, see Creating the custom security context constraint for embedded Db2 databases (Upgrading from Version 3.5 to Version 4.6).