Enabling security context constraint

Ensure that you enable either the restricted security context constraint or the anyuid security context constraint for the service account that is used to deploy IBM® Sterling Intelligent Promising on Red Hat® OpenShift® Container Platform. If you use the restricted security context constraint, the UID range in the namespace must be within the specified range, which is 1000/100.

Procedure

  1. Run the following command to enable the security context constraint.
    oc adm policy add-scc-to-user <name_of_SCC> -z <service_account_name> -n <namespace>

    The value for <name_of_SCC> can be either the restricted security context constraint or the anyuid security context constraint. Use the restricted security context constraint.

  2. If you use the restricted security context constraint, ensure that the UID range in the namespace is within the specified range, which is 1000/100.

    To change the range for a namespace, use either the command-line interface or the Red Hat OpenShift Container Platform console.

    In the Red Hat OpenShift Container Platform console, complete the following steps.

    1. From the side navigation menu, go to Home > Search.
    2. Go to the Resources tab and search for a namespace.
    3. From the search results, select the namespace that you want to change the range of.
    4. Go to the YAML tab and update the following two annotations to change the user range in that namespace.
      openshift.io/sa.scc.supplemental-groups: 1000/100
      openshift.io/sa.scc.uid-range: 1000/100
    Alternatively, use the command-line tool, oc, and run the following commands.
    oc annotate namespace <sip_namespace> openshift.io/sa.scc.supplemental-groups=1000/100 --overwrite=true
    oc annotate namespace <sip_namespace> openshift.io/sa.scc.uid-range=1000/100 --overwrite=true
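
The following check is an added example and is not part of the IBM procedure: it reads the two namespace annotations from step 2 and confirms that each one lies inside 1000/100, reading the OpenShift <start>/<size> form as IDs 1000 through 1099. The function names are hypothetical, and check_namespace assumes a logged-in oc session.

```shell
#!/bin/sh
# Added example: verify that a namespace's SCC ID ranges fall inside 1000/100.
# Only the single "<start>/<size>" form used on this page is accepted.

REQUIRED_RANGE="1000/100"   # value given in step 2 of the procedure

# range_bounds "<start>/<size>" -> prints "<first> <last>"; fails on bad input
range_bounds() {
    case "$1" in */*) ;; *) return 1 ;; esac
    start=${1%%/*}
    size=${1#*/}
    # Both parts must be plain decimal numbers (no sign, no leading zeros)
    case "$start" in ''|*[!0-9]*|0?*) return 1 ;; esac
    case "$size"  in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$size" -gt 0 ] || return 1
    echo "$start $((start + size - 1))"
}

# range_within "<actual>" "<required>" -> 0 if actual lies inside required,
# 1 if it does not, 2 if either value cannot be parsed
range_within() {
    a=$(range_bounds "$1") || return 2
    r=$(range_bounds "$2") || return 2
    [ "${a% *}" -ge "${r% *}" ] && [ "${a#* }" -le "${r#* }" ]
}

# check_namespace <namespace>: read both annotations with oc and report each one
check_namespace() {
    rc=0
    for key in uid-range supplemental-groups; do
        val=$(oc get namespace "$1" \
            -o "jsonpath={.metadata.annotations.openshift\.io/sa\.scc\.$key}") || return 2
        if range_within "$val" "$REQUIRED_RANGE"; then
            echo "OK   openshift.io/sa.scc.$key=$val"
        else
            echo "FAIL openshift.io/sa.scc.$key=$val (must be within $REQUIRED_RANGE)"
            rc=1
        fi
    done
    return $rc
}

# Usage, after step 2:  check_namespace <sip_namespace>
```

A FAIL line for either annotation means that the namespace still carries a range outside 1000/100, so rerun the oc annotate commands before you deploy with the restricted security context constraint.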