Creating the custom security context constraint for Watson Knowledge Catalog

The Watson Knowledge Catalog service requires a custom security context constraint (SCC).

If you plan to install the Watson Knowledge Catalog service, you must create the wkc-iis-scc security context constraint.

About this task

SCCs are cluster-scoped, so the Watson Knowledge Catalog SCC is created once per cluster and used by each instance of Watson Knowledge Catalog that you install on that cluster.

Run the cpd-cli manage apply-scc command to:
  • Create the SCC.
  • Bind the SCC to the wkc-iis-sa service account in the projects where you plan to install Watson Knowledge Catalog.

    For example, if you plan to install Watson Knowledge Catalog in two projects, you must run the command twice to bind the SCC to the service account in each project.


Watson Knowledge Catalog SCC definition

allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: WKC/IIS provides all features of the restricted SCC
      but runs as user 10032.
  name: wkc-iis-scc
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: MustRunAs
  uid: 10032
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
users:
- system:serviceaccount:cpd-instance:wkc-iis-sa

Procedure

To create the wkc-iis-scc SCC:

  1. Run the cpd-cli manage login-to-ocp command to log in to the cluster as a user with sufficient permissions to complete this task. For example:
    cpd-cli manage login-to-ocp \
    --username=${OCP_USERNAME} \
    --password=${OCP_PASSWORD} \
    --server=${OCP_URL}
    Tip: The login-to-ocp command takes the same input as the oc login command. Run oc login --help for details.
  2. Run the following command to create the SCC:
    cpd-cli manage apply-scc \
    --cpd_instance_ns=${PROJECT_CPD_INSTANCE} \
    --components=wkc
    Tip: If you want to preview the oc commands that the cpd-cli will issue on your behalf, you can run the command with --preview=true.

    The oc commands are saved to the preview.sh file in the cpd-cli-workspace/olm-utils-workspace/work directory.

  3. Optional: Add the wkc-iis-sa service account to the users section in the SCC by running the following command.

    This step is needed to successfully restore an offline backup of Cloud Pak for Data that contains Watson Knowledge Catalog to a different cluster. If you do not do this step now, the command must be run before you create an offline backup.

    oc patch scc wkc-iis-scc --type=merge -p "{\"users\":[\"system:serviceaccount:${PROJECT_CPD_INSTANCE}:wkc-iis-sa\"]}"

    Note: Keep the JSON in double quotes so that the shell expands ${PROJECT_CPD_INSTANCE}; inside single quotes the literal text ${PROJECT_CPD_INSTANCE} is written into the SCC. A merge patch replaces the entire users list rather than appending to it, so if Watson Knowledge Catalog is installed in more than one project, list the wkc-iis-sa service account of every project in a single patch.
  4. Optional: If you want to isolate the containers that use the wkc-iis-scc SCC on specific worker nodes:
    1. Identify the nodes where you want to run the containers.
      A single node should be sufficient, but you can optionally allocate additional nodes for high availability in case of a node failure.
    2. For each node that you identify, run the following command:
      oc label node <NODE_NAME> wkc-privileged=wkc-privileged-node

      Replace <NODE_NAME> with the appropriate value for your cluster.
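The following POSIX shell helper is an added example for the optional patch in step 3; it is not part of the IBM documentation or of cpd-cli. It assumes every Watson Knowledge Catalog project uses the documented wkc-iis-sa service account name, validates each project name before interpolating it into JSON, and always emits the complete users list, because oc patch --type=merge replaces the list instead of appending to it. The apply_wkc_scc_users function is a hypothetical wrapper around the oc patch command from step 3 and is not executed by the script itself.

```shell
#!/bin/sh
# Added example, not from the IBM page: build the merge patch for step 3 so
# that ALL projects running Watson Knowledge Catalog stay in the SCC's users
# list. --type=merge replaces the "users" array wholesale, so patching with a
# single entry silently drops the binding of every other project.

# A project name must be a DNS-1123 label (lowercase alphanumerics and '-',
# at most 63 characters) before it is interpolated into the JSON patch.
valid_ns() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' && [ ${#1} -le 63 ]
}

# Emit {"users":[...]} naming system:serviceaccount:<project>:wkc-iis-sa for
# every project given, deduplicated, in argument order.
wkc_scc_users_patch() {
  users=""
  for ns in "$@"; do
    valid_ns "$ns" || { echo "invalid project name: $ns" >&2; return 1; }
    entry="\"system:serviceaccount:${ns}:wkc-iis-sa\""
    case ",$users," in
      *",$entry,"*) ;;                               # already listed
      *) users="${users:+$users,}$entry" ;;
    esac
  done
  [ -n "$users" ] || { echo "at least one project is required" >&2; return 1; }
  printf '{"users":[%s]}' "$users"
}

# Hypothetical wrapper around the oc patch command from step 3 (not run here).
# The patch is passed inside double quotes via "$(...)", so the shell never
# sees single quotes that would suppress variable expansion.
apply_wkc_scc_users() {
  oc patch scc wkc-iis-scc --type=merge -p "$(wkc_scc_users_patch "$@")"
}

# Usage: name every project where Watson Knowledge Catalog is or will be installed.
wkc_scc_users_patch cpd-instance cpd-instance-2
echo
```

Pass the same project list every time you re-run the patch; the SCC only remembers the users from the most recent merge patch.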

Results

The wkc-iis-scc SCC is created if it doesn't exist and is bound to the wkc-iis-sa service account in the ${PROJECT_CPD_INSTANCE} project.
If you want to confirm that the wkc-iis-sa service account can use the wkc-iis-scc SCC, run:
oc adm policy who-can use scc wkc-iis-scc \
--namespace ${PROJECT_CPD_INSTANCE} | grep "wkc-iis-sa"
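As an added check that is not part of the IBM documentation, the POSIX shell script below compares a saved copy of the live SCC (oc get scc wkc-iis-scc -o yaml > wkc-iis-scc.yaml) against the hardening settings in the definition above: no privileged containers, no host namespaces or host ports, the UID pinned to 10032, and the four required capability drops still present. The sample file it writes is constructed from the definition on this page so the script runs offline; the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the IBM page: detect drift between the live
# wkc-iis-scc and the documented definition. On a cluster, run
#   oc get scc wkc-iis-scc -o yaml > wkc-iis-scc.yaml
# and then: check_wkc_scc wkc-iis-scc.yaml

# Writes a constructed sample (the documented definition, as oc prints it)
# to a temp file and prints the path, so the check can be exercised offline.
wkc_scc_sample_file() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
kind: SecurityContextConstraints
metadata:
  name: wkc-iis-scc
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: MustRunAs
  uid: 10032
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:cpd-instance:wkc-iis-sa
EOF
  echo "$f"
}

# Value of a top-level "key: value" line in the SCC dump.
scc_field() { awk -v k="$2:" '$1 == k { print $2; exit }' "$1"; }

# Returns 0 if the dump still matches the documented hardening, 1 otherwise;
# every deviation is reported on stderr.
check_wkc_scc() {
  f=$1; rc=0
  for pair in allowHostDirVolumePlugin=false allowHostIPC=false \
              allowHostNetwork=false allowHostPID=false allowHostPorts=false \
              allowPrivilegedContainer=false; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(scc_field "$f" "$key")
    [ "$got" = "$want" ] || { echo "drift: $key=$got (expected $want)" >&2; rc=1; }
  done
  # runAsUser must keep the fixed UID 10032 (the nested "uid:" under runAsUser).
  got=$(awk '/^runAsUser:/ { f=1; next } /^[^ ]/ { f=0 } f && $1 == "uid:" { print $2; exit }' "$f")
  [ "$got" = "10032" ] || { echo "drift: runAsUser.uid=$got (expected 10032)" >&2; rc=1; }
  # Each documented capability drop must still be listed.
  for cap in KILL MKNOD SETUID SETGID; do
    awk -v c="$cap" '/^requiredDropCapabilities:/ { f=1; next } /^[^ -]/ { f=0 } f && $2 == c { found=1 } END { exit !found }' "$f" \
      || { echo "drift: $cap missing from requiredDropCapabilities" >&2; rc=1; }
  done
  return $rc
}

# Usage: the constructed sample matches the documented definition.
sample=$(wkc_scc_sample_file)
check_wkc_scc "$sample" && echo "wkc-iis-scc matches the documented definition"
```

Run the check after any cluster upgrade or after re-running cpd-cli manage apply-scc; a non-zero exit means someone has widened the SCC beyond what the documented definition grants.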