Annotating IBM Software Hub projects (namespaces) to enable embedded Db2 databases to use the restricted-v2 SCC

If you plan to install OpenPages on this instance of IBM Software Hub, you can annotate any tethered projects where you plan to create service instances so that the embedded Db2 database can run with the restricted-v2 security context constraint (SCC).

Restriction: If you want to use the restricted-v2 SCC, you must provision the service instance by using the cpd-cli or the REST API. You cannot specify the restricted-v2 SCC from the user interface.
Installation phase
  • Setting up a client workstation
  • Setting up a cluster
  • Collecting required information
  • Preparing to run installs in a restricted network
  • Preparing to run installs from a private container registry
  • Preparing the cluster for IBM Software Hub (you are here)
  • Preparing to install an instance of IBM Software Hub
  • Installing an instance of IBM Software Hub
  • Setting up the control plane
  • Installing solutions and services
Who needs to complete this task?

Cluster administrator: You must be a cluster administrator to annotate projects.

When do you need to complete this task?

This task is optional.

Complete this task only if all of the following statements are true:
  • You plan to install one of the following services on this instance of IBM Software Hub:
    • OpenPages
  • You plan to create the service instance in a tethered project.
  • You plan to use an embedded Db2 database.
  • You want to use the restricted-v2 SCC rather than the custom SCC for embedded Db2 databases.

Before you begin

The tethered project or projects where you plan to create service instances must exist.

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

About this task

By default, Db2U runs with root privileges (also referred to as elevated privileges).

If you want to run Db2U without root privileges, you can use one of the following methods to limit the privileges that Db2U has:
  • You can change the kernel parameter settings so that Db2U runs with non-root privileges. For more information, see Changing kernel parameter settings.
  • You can annotate the projects where you plan to create OpenPages service instances so that the embedded Db2 database runs with permissions granted by the restricted-v2 SCC.

    This option is more restrictive than running Db2U with non-root privileges.

If you want to use the restricted-v2 security context constraint, you must annotate the project to overwrite the default values for:

  • Supplemental groups
  • UID ranges
  • Multi-category security (MCS)

Procedure

To annotate the projects:

  1. Log in to Red Hat OpenShift Container Platform as a cluster administrator.
    ${OC_LOGIN}
  2. Annotate the tethered project where you plan to create the service instance:
    oc annotate namespace ${PROJECT_CPD_INSTANCE_TETHERED} \
    --overwrite \
    openshift.io/sa.scc.supplemental-groups=1001000000/10000 \
    openshift.io/sa.scc.uid-range=1001000000/10000 \
    openshift.io/sa.scc.mcs=s0:c27,c512

    Repeat this step for each tethered project where you plan to create an OpenPages service instance.

    Tip: If you set the PROJECT_CPD_INSTANCE_TETHERED_LIST environment variable, print the list of tethered projects to the terminal:
    echo $PROJECT_CPD_INSTANCE_TETHERED_LIST

    Use this information to set the PROJECT_CPD_INSTANCE_TETHERED environment variable before you re-run the oc annotate namespace command.
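
To confirm that the annotations took effect, the following added example (not part of the IBM documentation) reads the three annotations back from the project and compares them with the values used in step 2. The function names are hypothetical; the script assumes that oc is logged in as a cluster administrator and that PROJECT_CPD_INSTANCE_TETHERED is set.

```shell
#!/usr/bin/env bash
# Added example: verify the SCC-related annotations on a tethered project.
# Expected values are copied from the oc annotate command in step 2.
EXPECTED_GROUPS='1001000000/10000'
EXPECTED_UIDS='1001000000/10000'
EXPECTED_MCS='s0:c27,c512'

# range_bounds "<start>/<size>": print "<first> <last>"; fail on malformed input.
range_bounds() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  local start="${1%%/*}" size="${1#*/}"
  case "$start$size" in
    ''|*[!0-9]*) return 1 ;;   # rejects letters and a second "/"
  esac
  [ -n "$start" ] && [ -n "$size" ] && [ "$size" -gt 0 ] || return 1
  echo "$start $((start + size - 1))"
}

# check_scc_annotations <supplemental-groups> <uid-range> <mcs>
# Returns 0 only if all three match; prints one line per mismatch.
check_scc_annotations() {
  local rc=0
  [ "$1" = "$EXPECTED_GROUPS" ] || { echo "supplemental-groups: got '$1', want '$EXPECTED_GROUPS'"; rc=1; }
  [ "$2" = "$EXPECTED_UIDS" ] || { echo "uid-range: got '$2', want '$EXPECTED_UIDS'"; rc=1; }
  [ "$3" = "$EXPECTED_MCS" ] || { echo "mcs: got '$3', want '$EXPECTED_MCS'"; rc=1; }
  return "$rc"
}

# read_annotation <namespace> <suffix>: dots in the key are escaped for jsonpath.
read_annotation() {
  oc get namespace "$1" -o "jsonpath={.metadata.annotations.openshift\.io/sa\.scc\.$2}"
}

# verify_namespace <namespace>: read the live annotations and compare them.
verify_namespace() {
  check_scc_annotations \
    "$(read_annotation "$1" supplemental-groups)" \
    "$(read_annotation "$1" uid-range)" \
    "$(read_annotation "$1" mcs)" \
  && echo "$1: annotations match; UID span $(range_bounds "$EXPECTED_UIDS")"
}

# Runs only when the variable from the installation environment is set.
if [ -n "${PROJECT_CPD_INSTANCE_TETHERED:-}" ]; then
  verify_namespace "$PROJECT_CPD_INSTANCE_TETHERED"
fi
```

A non-zero exit status from verify_namespace means that at least one annotation still holds a different value, and the mismatch lines show which one.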

What to do next

Now that you've annotated the projects where you plan to create OpenPages service instances, you're ready to complete Enabling Analytics Engine powered by Apache Spark to pre-pull Spark images to cluster nodes.