Manually creating the custom security context constraint for Db2

If you don't want to allow the Db2 service to automatically create the security context constraint (SCC), you can manually create it. The SCC that you create is determined by whether you plan to change the node settings to allow Db2U to make unsafe sysctl changes.

By default, Db2 uses a privileged Init Container to set the kernel parameters. If you want OpenShift® Sysctls to set the kernel parameters, see Deploying Db2 with limited privileges. The SCC spec in step 5 depends on this choice.

Who needs to complete this task?
A cluster administrator must complete this task.
When do you need to complete this task?
Complete this task only if you don't want to allow the service to automatically create the SCC.

Before you begin

Best practice: You can run many of the commands in this task exactly as written if you set up environment variables for your installation. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

Determine whether you plan to change the node settings to allow Db2U to make unsafe sysctl changes.

Procedure

  1. Set the following environment variables.
    Note: The commands use the ${PROJECT_CPD_INST_OPERANDS} project to identify the project where you will create the service instance that uses the SCC.
    1. Set SCC_NAME to the name that you want to use for the SCC:
      export SCC_NAME=<scc-name>
    2. Set SERVICE_ACCOUNT to the name of the service account that you want to bind the SCC to:
      export SERVICE_ACCOUNT=<sa-name>
    3. Set ROLE_NAME to the name of the role that will be referenced by the role binding:
      export ROLE_NAME=<role-name>
    4. Set ROLEBINDING_NAME to the name of the role binding that will be used to bind the service account to the SCC:
      export ROLEBINDING_NAME=<rolebinding-name>
    5. Set PROJECT_CPD_INST_OPERANDS to the project namespace in which the Db2 service is installed:
      export PROJECT_CPD_INST_OPERANDS=<namespace>
  2. Create the service account:
    cat <<EOF |oc apply -f -
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: ${SERVICE_ACCOUNT}
      namespace: ${PROJECT_CPD_INST_OPERANDS}
    EOF
  3. Create the role:
    cat <<EOF |oc apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: ${ROLE_NAME}
      namespace: ${PROJECT_CPD_INST_OPERANDS}
    rules:
    - apiGroups:
      - ""
      resources:
      - endpoints
      - pods
      verbs:
      - get
      - patch
      - update
    - apiGroups:
      - apps
      resources:
      - statefulsets
      - deployments
      - replicasets
      verbs:
      - get
      - list
    - apiGroups:
      - ""
      resources:
      - configmaps
      verbs:
      - get
      - patch
      - watch
      - list
      - update
    - apiGroups:
      - ""
      resources:
      - secrets
      verbs:
      - get
      - create
      - update
    - apiGroups:
      - db2u.databases.ibm.com
      resources:
      - recipes
      verbs:
      - watch
      - get
      - update
      - create
      - patch
      - list
      - delete
    - apiGroups:
      - db2u.databases.ibm.com
      resources:
      - buckets
      verbs:
      - patch
    - apiGroups:
      - db2u.databases.ibm.com
      resources:
      - backups
      verbs:
      - patch
      - delete
      - list
    - apiGroups:
      - db2u.databases.ibm.com
      resources:
      - formations
      verbs:
      - get
    - apiGroups:
      - ""
      resources:
      - pods/exec
      verbs:
      - create
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - watch
      - list
      - get
    - apiGroups:
      - ""
      resources:
      - services
      verbs:
      - watch
      - list
      - get
    EOF
  4. Create the role binding:
    cat <<EOF |oc apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: ${ROLEBINDING_NAME}
      namespace: ${PROJECT_CPD_INST_OPERANDS}
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: ${ROLE_NAME}
    subjects:
    - kind: ServiceAccount
      name: ${SERVICE_ACCOUNT}
      namespace: ${PROJECT_CPD_INST_OPERANDS}
    EOF
  5. Create the SCC:
    If you do not change the node settings:
    cat <<EOF |oc apply -f -
    allowHostDirVolumePlugin: true
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegeEscalation: true
    allowPrivilegedContainer: true
    allowedCapabilities:
    - FOWNER
    - SETGID
    - SETUID
    - CHOWN
    - DAC_OVERRIDE
    - SYS_RESOURCE
    - IPC_OWNER
    - SYS_NICE
    - FSETID
    - SETFCAP
    - SETPCAP
    - SYS_CHROOT
    - KILL
    - AUDIT_WRITE
    apiVersion: security.openshift.io/v1
    defaultAddCapabilities: null
    fsGroup:
      type: RunAsAny
    groups: []
    kind: SecurityContextConstraints
    metadata:
      name: ${SCC_NAME}
    priority: 10
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - ALL
    runAsUser:
      type: RunAsAny
    seLinuxContext:
      type: MustRunAs
    supplementalGroups:
      type: RunAsAny
    users:
    - system:serviceaccount:${PROJECT_CPD_INST_OPERANDS}:${SERVICE_ACCOUNT}
    volumes:
    - '*'
    EOF

    If you change the node settings to allow Db2U to make unsafe sysctl changes:
    cat <<EOF |oc apply -f -
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegeEscalation: true
    allowPrivilegedContainer: false
    allowedCapabilities:
    - FOWNER
    - SETGID
    - SETUID
    - CHOWN
    - DAC_OVERRIDE
    - SYS_RESOURCE
    - IPC_OWNER
    - SYS_NICE
    - FSETID
    - SETFCAP
    - SETPCAP
    - SYS_CHROOT
    - KILL
    - AUDIT_WRITE
    allowedUnsafeSysctls:
    - kernel.shmmni
    - kernel.shmmax
    - kernel.shmall
    - kernel.sem
    - kernel.msgmni
    - kernel.msgmax
    - kernel.msgmnb
    apiVersion: security.openshift.io/v1
    defaultAddCapabilities: null
    fsGroup:
      type: RunAsAny
    groups: []
    kind: SecurityContextConstraints
    metadata:
      name: ${SCC_NAME}
    priority: 10
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - ALL
    runAsUser:
      type: MustRunAsNonRoot
    seLinuxContext:
      type: MustRunAs
    supplementalGroups:
      type: RunAsAny
    users:
    - system:serviceaccount:${PROJECT_CPD_INST_OPERANDS}:${SERVICE_ACCOUNT}
    volumes:
    - '*'
    EOF
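The following audit script is an added example, not part of the IBM documentation or the Db2 operator. It parses an SCC spec in the flat YAML shape shown in step 5 (no PyYAML required) and lists the settings that widen a Db2 pod's blast radius, so the trade-off between the two step 5 variants is explicit before you apply one; the two embedded excerpts are constructed from the page's specs, cut down to the keys that differ.

```python
HOST_FLAGS = ("allowPrivilegedContainer", "allowHostDirVolumePlugin",
              "allowHostPID", "allowHostNetwork", "allowHostIPC")

def parse_scc(text):
    """Parse the flat SCC YAML subset used on this page (scalars, '- item' lists, one-level 'type:' maps)."""
    doc, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("- "):                      # list item under the current key
            if not isinstance(doc.get(key), list):
                doc[key] = []
            doc[key].append(line[2:].strip().strip("'"))
        elif line.startswith("  "):                    # nested 'type: X' map
            sub, _, val = line.strip().partition(":")
            doc[key] = {sub: val.strip()}
        else:
            key, _, val = line.partition(":")
            doc[key] = val.strip() or None
    return doc

def audit_scc(text):
    """Return sorted findings: SCC settings that weaken container isolation."""
    doc = parse_scc(text)
    findings = [f"{k}=true" for k in HOST_FLAGS if doc.get(k) == "true"]
    if (doc.get("runAsUser") or {}).get("type") == "RunAsAny":
        findings.append("runAsUser=RunAsAny")        # pod may run as UID 0
    if doc.get("allowedUnsafeSysctls"):              # node-level kernel knobs
        findings.append("unsafeSysctls=" + ",".join(sorted(doc["allowedUnsafeSysctls"])))
    return sorted(findings)

# Constructed excerpts of the two step 5 variants, cut down to the keys that differ.
PRIVILEGED_INIT = """\
allowHostDirVolumePlugin: true
allowPrivilegedContainer: true
runAsUser:
  type: RunAsAny
"""
SYSCTL_VARIANT = """\
allowHostDirVolumePlugin: false
allowPrivilegedContainer: false
allowedUnsafeSysctls:
- kernel.shmmni
- kernel.sem
runAsUser:
  type: MustRunAsNonRoot
"""

if __name__ == "__main__":
    for name, spec in (("privileged init container", PRIVILEGED_INIT),
                       ("unsafe sysctls on nodes", SYSCTL_VARIANT)):
        print(f"{name}: {audit_scc(spec)}")
```

To audit the SCC you actually applied, feed it the output of `oc get scc ${SCC_NAME} -o yaml` after removing the server-added metadata that falls outside the flat subset the parser handles.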

What to do next

You must prepare to deploy Db2. See Specifying a custom service account, SCC, role, and role binding before deploying Db2.