Manually creating an SCC, service account, role, and role binding
If you do not want Db2 or Db2 Warehouse to create a custom Security Context Constraints (SCC) object automatically when you deploy the service on Red Hat OpenShift, you can create the SCC, service account, role, and role binding yourself in your OpenShift cluster before you deploy.
Before you begin
Define the following parameters in OpenShift®:
- SCC_NAME
- PROJECT
- SERVICE_ACCOUNT
- ROLE_NAME
- ROLEBINDING_NAME
When you run the commands below, the values that you assign to these parameters are used in place of ${SCC_NAME}, ${PROJECT}, ${SERVICE_ACCOUNT}, ${ROLE_NAME}, and ${ROLEBINDING_NAME}.
For more information, see Managing security context constraints and Understanding and creating service accounts in the OpenShift documentation.
About this task
Creating the SCC and service account before you deploy Db2 or Db2 Warehouse gives you full control over what the Db2 pods are permitted to do, instead of accepting the SCC that the deployment would generate for you. The following procedure shows two ways to create the required objects:
- Privileged account without enabling unsafe sysctls: the SCC allows privileged containers, privilege escalation, and hostPath volumes, and lets the pods run as any UID.
- Limited privileged account with unsafe sysctls enabled: the SCC forbids privileged containers, privilege escalation, and hostPath volumes, pins the pods to UID 500, and instead permits the pods to set the kernel IPC sysctls (shared memory, semaphores, and message queues) that Db2 tunes.
A pod that may run privileged and mount hostPath volumes has root-equivalent access to the node it runs on, so prefer the second option unless you have a specific reason to need privileged containers. In both options the SCC is granted through its users: entry to this one service account only; do not grant it through groups:.
Procedure
- Privileged account without enabling unsafe sysctls

Create the service account:

oc apply -n ${PROJECT} -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SERVICE_ACCOUNT}
  namespace: ${PROJECT}
EOF

Create the role. Note that it grants create on pods/exec, which allows the service account to open a shell in any pod in ${PROJECT}, so keep the project dedicated to Db2:

oc apply -n ${PROJECT} -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${ROLE_NAME}
  namespace: ${PROJECT}
rules:
- apiGroups: [""]
  resources: [endpoints, pods]
  verbs: [get, patch, update]
- apiGroups: [apps]
  resources: [statefulsets, deployments, replicasets]
  verbs: [get, list]
- apiGroups: [""]
  resources: [configmaps]
  verbs: [get, patch, watch, list, update]
- apiGroups: [""]
  resources: [secrets]
  verbs: [get, create, update]
- apiGroups: [db2u.databases.ibm.com]
  resources: [recipes]
  verbs: [watch, get, update, create, patch, list, delete]
- apiGroups: [db2u.databases.ibm.com]
  resources: [buckets]
  verbs: [patch]
- apiGroups: [db2u.databases.ibm.com]
  resources: [backups]
  verbs: [patch, delete, list]
- apiGroups: [db2u.databases.ibm.com]
  resources: [formations]
  verbs: [get]
- apiGroups: [""]
  resources: [pods/exec]
  verbs: [create]
- apiGroups: [""]
  resources: [pods]
  verbs: [watch, list, get]
- apiGroups: [""]
  resources: [services]
  verbs: [watch, list, get]
EOF

Bind the role to the service account:

oc apply -n ${PROJECT} -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${ROLEBINDING_NAME}
  namespace: ${PROJECT}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${ROLE_NAME}
subjects:
- kind: ServiceAccount
  name: ${SERVICE_ACCOUNT}
  namespace: ${PROJECT}
EOF

Create the SCC. SCCs are cluster-scoped, so the -n flag has no effect on this object; the users: entry is what ties it to the service account in ${PROJECT}:

oc apply -n ${PROJECT} -f - <<EOF
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: null
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: []
defaultAddCapabilities: null
requiredDropCapabilities:
- KILL
- SETUID
- SETGID
- MKNOD
- ALL
readOnlyRootFilesystem: false
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
  ranges:
  - min: 1000
    max: 1000
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT}:${SERVICE_ACCOUNT}
groups: []
volumes:
- configMap
- downwardAPI
- emptyDir
- hostPath
- persistentVolumeClaim
- projected
- secret
EOF

- Limited privileged account with unsafe sysctls enabled

Create the service account, role, and role binding exactly as in the previous option; all three must be created in ${PROJECT}. Then create the following SCC instead of the privileged one. It disables privileged containers, privilege escalation, and hostPath volumes, requires UID 500, and permits only the kernel IPC sysctls that Db2 tunes:

oc apply -n ${PROJECT} -f - <<EOF
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: null
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: []
allowedUnsafeSysctls:
- kernel.shmmni
- kernel.shmmax
- kernel.shmall
- kernel.sem
- kernel.msgmni
- kernel.msgmax
- kernel.msgmnb
defaultAddCapabilities: null
requiredDropCapabilities:
- KILL
- SETUID
- SETGID
- MKNOD
- ALL
readOnlyRootFilesystem: false
runAsUser:
  type: MustRunAs
  uid: 500
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
  ranges:
  - min: 1000
    max: 1000
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT}:${SERVICE_ACCOUNT}
groups: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
EOF

The allowedUnsafeSysctls entry only lets pods using this SCC request those sysctls; the kubelet on each node that runs Db2 pods must also be configured to allow them (in OpenShift, through a KubeletConfig that lists them under allowedUnsafeSysctls), otherwise the pod is rejected when it is created.
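The following script is an added example, not IBM's code, that turns the procedure above into something you can review before anything reaches the cluster. It builds the service account, role, role binding, and SCC for either option from the parameters listed under "Before you begin", renders them as a v1 List in JSON (which oc apply -f - accepts as-is), and refuses to render if the bundle violates the invariants that matter here: the SCC must be granted to exactly the one service account in ${PROJECT} and never to a group, the role and binding must live in the same project, no host namespaces may be enabled, and the unsafe-sysctl allowance must appear only in the non-privileged option and contain only the Db2 IPC tunables. The values in PARAMS and the file name in the usage comment are constructed placeholders.

```python
"""Offline pre-apply check for the Db2 SCC/RBAC bundle (added example, not IBM's code).
Renders the four objects of either option as a v1 List in JSON, which
`oc apply -f -` accepts, after verifying the invariants that matter when a
privileged SCC is handed to a service account. PARAMS values are constructed."""
import json
import sys

PARAMS = {"SCC_NAME": "db2u-custom-scc", "PROJECT": "db2", "SERVICE_ACCOUNT": "db2u",
          "ROLE_NAME": "db2u-role", "ROLEBINDING_NAME": "db2u-rolebinding"}
# IPC tunables the limited option whitelists; nothing else should appear there.
DB2_SYSCTLS = ["kernel.shmmni", "kernel.shmmax", "kernel.shmall", "kernel.sem",
               "kernel.msgmni", "kernel.msgmax", "kernel.msgmnb"]
# (apiGroup, resources, verbs) exactly as in the Role of the procedure.
ROLE_RULES = [
    ("", ["endpoints", "pods"], ["get", "patch", "update"]),
    ("apps", ["statefulsets", "deployments", "replicasets"], ["get", "list"]),
    ("", ["configmaps"], ["get", "patch", "watch", "list", "update"]),
    ("", ["secrets"], ["get", "create", "update"]),
    ("db2u.databases.ibm.com", ["recipes"],
     ["watch", "get", "update", "create", "patch", "list", "delete"]),
    ("db2u.databases.ibm.com", ["buckets"], ["patch"]),
    ("db2u.databases.ibm.com", ["backups"], ["patch", "delete", "list"]),
    ("db2u.databases.ibm.com", ["formations"], ["get"]),
    ("", ["pods/exec"], ["create"]),
    ("", ["pods"], ["watch", "list", "get"]),
    ("", ["services"], ["watch", "list", "get"]),
]


def build(params, profile):
    """Return [ServiceAccount, Role, RoleBinding, SCC] for 'privileged' or 'limited'."""
    p, sa, priv = params["PROJECT"], params["SERVICE_ACCOUNT"], profile == "privileged"
    rbac = "rbac.authorization.k8s.io"
    objs = [
        {"apiVersion": "v1", "kind": "ServiceAccount",
         "metadata": {"name": sa, "namespace": p}},
        {"apiVersion": rbac + "/v1", "kind": "Role",
         "metadata": {"name": params["ROLE_NAME"], "namespace": p},
         "rules": [{"apiGroups": [g], "resources": r, "verbs": v} for g, r, v in ROLE_RULES]},
        {"apiVersion": rbac + "/v1", "kind": "RoleBinding",
         "metadata": {"name": params["ROLEBINDING_NAME"], "namespace": p},
         "roleRef": {"apiGroup": rbac, "kind": "Role", "name": params["ROLE_NAME"]},
         "subjects": [{"kind": "ServiceAccount", "name": sa, "namespace": p}]},
        {"apiVersion": "security.openshift.io/v1", "kind": "SecurityContextConstraints",
         "metadata": {"name": params["SCC_NAME"]}, "priority": None,
         # only the privileged option allows privileged containers, escalation and hostPath
         "allowPrivilegedContainer": priv, "allowPrivilegeEscalation": priv,
         "allowHostDirVolumePlugin": priv, "allowHostIPC": False,
         "allowHostNetwork": False, "allowHostPID": False, "allowHostPorts": False,
         "allowedCapabilities": [], "defaultAddCapabilities": None,
         "requiredDropCapabilities": ["KILL", "SETUID", "SETGID", "MKNOD", "ALL"],
         "readOnlyRootFilesystem": False,
         "runAsUser": {"type": "RunAsAny"} if priv else {"type": "MustRunAs", "uid": 500},
         "seLinuxContext": {"type": "MustRunAs"}, "supplementalGroups": {"type": "RunAsAny"},
         "fsGroup": {"type": "MustRunAs", "ranges": [{"min": 1000, "max": 1000}]},
         "users": [f"system:serviceaccount:{p}:{sa}"], "groups": [],
         "volumes": ["configMap", "downwardAPI", "emptyDir"] + (["hostPath"] if priv else [])
                    + ["persistentVolumeClaim", "projected", "secret"]},
    ]
    if not priv:
        objs[3]["allowedUnsafeSysctls"] = list(DB2_SYSCTLS)
    return objs


def check(objs, params):
    """Return a list of findings; an empty list means the bundle is safe to apply."""
    k = {o["kind"]: o for o in objs}
    scc, role, rb = k["SecurityContextConstraints"], k["Role"], k["RoleBinding"]
    p, sa = params["PROJECT"], params["SERVICE_ACCOUNT"]
    subject = f"system:serviceaccount:{p}:{sa}"
    out = []
    # The SCC must be granted to exactly this service account, never to a group.
    if scc["users"] != [subject] or scc.get("groups"):
        out.append(f"SCC is not bound exclusively to {subject}")
    if scc["metadata"]["name"] != params["SCC_NAME"]:
        out.append("SCC name does not match SCC_NAME")
    # Role and RoleBinding must live in PROJECT, otherwise the binding does not resolve.
    out += [f"{kind} is not in namespace {p}" for kind in ("Role", "RoleBinding")
            if k[kind]["metadata"]["namespace"] != p]
    if (rb["roleRef"]["name"] != role["metadata"]["name"]
            or rb["subjects"] != [{"kind": "ServiceAccount", "name": sa, "namespace": p}]):
        out.append("RoleBinding does not bind ROLE_NAME to SERVICE_ACCOUNT")
    # Neither option needs host namespaces or host ports.
    out += [f"{key} is true" for key in
            ("allowHostNetwork", "allowHostPID", "allowHostIPC", "allowHostPorts") if scc[key]]
    # Unsafe sysctls belong only to the non-privileged option, and only Db2's IPC set.
    if scc.get("allowedUnsafeSysctls"):
        if scc["allowPrivilegedContainer"] or scc["allowHostDirVolumePlugin"]:
            out.append("unsafe sysctls combined with privileged or hostPath access")
        extra = sorted(set(scc["allowedUnsafeSysctls"]) - set(DB2_SYSCTLS))
        if extra:
            out.append("unexpected unsafe sysctls: " + ", ".join(extra))
    return out


if __name__ == "__main__":  # usage: python3 db2_scc_bundle.py [privileged|limited] | oc apply -f -
    bundle = build(PARAMS, sys.argv[1] if len(sys.argv) > 1 else "limited")
    problems = check(bundle, PARAMS)
    if problems:
        sys.exit("refusing to render: " + "; ".join(problems))
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": bundle}, indent=2))
```

Run it with the option name as the only argument and pipe the output into oc apply -f -; a non-zero exit with a "refusing to render" message means one of the invariants failed and nothing was written. The check is deliberately independent of the builder, so you can also load an SCC and role exported from a live cluster (oc get ... -o json) into the same check() to confirm that what is actually deployed still matches what this page describes.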