Creating the custom security context constraint for Watson Knowledge Catalog
The Watson Knowledge Catalog service requires a custom security context constraint (SCC). If you plan to install the Watson Knowledge Catalog service, you must create the wkc-iis-scc security context constraint.
About this task
The Watson Knowledge Catalog SCC is created once and used by each instance of Watson Knowledge Catalog that you install.
Run the cpd-cli manage apply-scc command to:
- Create the SCC.
- Bind the SCC to the wkc-iis-sa service account in the projects where you plan to install Watson Knowledge Catalog. For example, if you plan to install Watson Knowledge Catalog in two projects, you must run the command twice to bind the SCC to the service account in each project.
Watson Knowledge Catalog SCC definition
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: WKC/IIS provides all features of the restricted SCC but runs as user 10032.
  name: wkc-iis-scc
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - KILL
  - MKNOD
  - SETUID
  - SETGID
runAsUser:
  type: MustRunAs
  uid: 10032
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
users:
  - system:serviceaccount:cpd-instance:wkc-iis-sa
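An added example, not part of the IBM documentation or the cpd-cli tooling: a small audit that reads the SCC as returned by `oc get scc wkc-iis-scc -o json` and reports drift from the definition above, plus any service-account binding outside the projects you actually installed into. The sample SCC (with two deliberate deviations) and the set of install projects are constructed for the demonstration.

```python
# Added example (not IBM's code): audit the JSON that `oc get scc wkc-iis-scc -o json`
# returns against the SCC definition documented on this page.
import json

# Boolean knobs the documented SCC pins; any other value is drift worth investigating.
EXPECTED_FLAGS = {
    "allowHostDirVolumePlugin": False, "allowHostIPC": False,
    "allowHostNetwork": False, "allowHostPID": False, "allowHostPorts": False,
    "allowPrivilegedContainer": False, "readOnlyRootFilesystem": False,
    "allowPrivilegeEscalation": True,  # documented as enabled; keep it visible
}
REQUIRED_DROPS = {"KILL", "MKNOD", "SETUID", "SETGID"}
ALLOWED_VOLUMES = {"configMap", "downwardAPI", "emptyDir",
                   "persistentVolumeClaim", "projected", "secret"}
EXPECTED_UID = 10032

def audit_scc(scc: dict, install_projects: set) -> list:
    """Return findings as strings; an empty list means the SCC matches the doc."""
    findings = []
    for key, want in EXPECTED_FLAGS.items():
        if scc.get(key) != want:
            findings.append(f"{key}={scc.get(key)!r}, expected {want!r}")
    missing = REQUIRED_DROPS - set(scc.get("requiredDropCapabilities") or [])
    if missing:
        findings.append(f"requiredDropCapabilities missing {sorted(missing)}")
    if scc.get("allowedCapabilities"):
        findings.append(f"allowedCapabilities grants {scc['allowedCapabilities']}")
    extra = set(scc.get("volumes") or []) - ALLOWED_VOLUMES
    if extra:
        findings.append(f"unexpected volume types {sorted(extra)}")
    run_as = scc.get("runAsUser") or {}
    if run_as.get("type") != "MustRunAs" or run_as.get("uid") != EXPECTED_UID:
        findings.append(f"runAsUser={run_as}, expected MustRunAs uid {EXPECTED_UID}")
    # Only wkc-iis-sa, and only in projects where the service was installed, should be bound.
    for user in scc.get("users") or []:
        parts = user.split(":")  # system:serviceaccount:<project>:<serviceaccount>
        if len(parts) != 4 or parts[3] != "wkc-iis-sa" or parts[2] not in install_projects:
            findings.append(f"unexpected binding {user}")
    return findings

# Constructed sample: the documented SCC with host networking enabled and a stray binding.
SAMPLE_SCC = json.loads("""{"kind": "SecurityContextConstraints",
 "metadata": {"name": "wkc-iis-scc"}, "allowHostDirVolumePlugin": false,
 "allowHostIPC": false, "allowHostNetwork": true, "allowHostPID": false,
 "allowHostPorts": false, "allowPrivilegeEscalation": true,
 "allowPrivilegedContainer": false, "readOnlyRootFilesystem": false,
 "allowedCapabilities": null, "requiredDropCapabilities": ["KILL", "MKNOD", "SETUID", "SETGID"],
 "runAsUser": {"type": "MustRunAs", "uid": 10032},
 "volumes": ["configMap", "downwardAPI", "emptyDir", "persistentVolumeClaim", "projected", "secret"],
 "users": ["system:serviceaccount:cpd-instance:wkc-iis-sa", "system:serviceaccount:sandbox:default"]}""")
```

Running `audit_scc(SAMPLE_SCC, {"cpd-instance"})` reports the host-network change and the sandbox binding; pass the real `oc` output and your own project set to check a live cluster.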
Procedure
To create the wkc-iis-scc SCC:
Results
The wkc-iis-scc SCC is created if it doesn't exist and is bound to the wkc-iis-sa service account in the ${PROJECT_CPD_INSTANCE} project. If you want to confirm that the wkc-iis-sa service account can use the wkc-iis-scc SCC, run:
oc adm policy who-can use scc wkc-iis-scc \
  --namespace ${PROJECT_CPD_INSTANCE} | grep "wkc-iis-sa"