Security Context Constraints

All instances in IBM Cloud Pak® for Integration run in the default restricted Security Context Constraint (SCC) that comes with OpenShift, except for High-speed transfer server, which requires an additional privilege.

SCC for High-speed transfer server

The IBM Aspera HSTS operator creates a custom SCC called ibm-aspera-hsts-restricted-hostport for each instance that is deployed. This SCC is bound to the instance's ServiceAccount by using RBAC.

The SCC is identical to the default restricted SCC that is included in OpenShift, except that the allowHostPorts setting is enabled, as is required for HSTS networking.

kind: SecurityContextConstraints
allowHostPorts: true
requiredDropCapabilities:
  - KILL
  - MKNOD
  - SETUID
  - SETGID
allowPrivilegedContainer: false
runAsUser:
  type: MustRunAsRange
users: []
allowHostDirVolumePlugin: false
allowHostIPC: false
seLinuxContext:
  type: MustRunAs
readOnlyRootFilesystem: false
metadata:
  annotations:
    kubernetes.io/description: >-
      denies access to all host features except hostport and requires pods to be
      run with a UID, and SELinux context that are allocated to the namespace.
  name: ibm-aspera-hsts-restricted-hostport
fsGroup:
  type: MustRunAs
groups: []
defaultAddCapabilities: null
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
allowHostPID: false
allowHostNetwork: false
allowPrivilegeEscalation: true
apiVersion: security.openshift.io/v1
allowedCapabilities: null
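The statement that the custom SCC differs from restricted only in allowHostPorts is something an administrator should verify rather than assume, since an operator upgrade could widen the SCC. The script below is an added example, not part of the IBM documentation or the Aspera operator; it compares the JSON form of two SCCs field by field, reports which host-level privileges are granted, and checks that the users and groups lists are empty (consistent with access being granted through RBAC, as the page describes). Both JSON documents are constructed inline: the first copies the values shown above, the second is an assumed restricted baseline built from the page's claim that the two SCCs are otherwise identical; in practice both would come from oc get scc <name> -o json.

```python
import json

# Constructed input: the JSON form `oc get scc ibm-aspera-hsts-restricted-hostport -o json`
# would return, with the field values copied from the SCC shown on the page.
HSTS_SCC_JSON = """
{
  "apiVersion": "security.openshift.io/v1",
  "kind": "SecurityContextConstraints",
  "metadata": {
    "name": "ibm-aspera-hsts-restricted-hostport",
    "annotations": {
      "kubernetes.io/description": "denies access to all host features except hostport and requires pods to be run with a UID, and SELinux context that are allocated to the namespace."
    }
  },
  "allowHostDirVolumePlugin": false,
  "allowHostIPC": false,
  "allowHostNetwork": false,
  "allowHostPID": false,
  "allowHostPorts": true,
  "allowPrivilegeEscalation": true,
  "allowPrivilegedContainer": false,
  "allowedCapabilities": null,
  "defaultAddCapabilities": null,
  "requiredDropCapabilities": ["KILL", "MKNOD", "SETUID", "SETGID"],
  "fsGroup": {"type": "MustRunAs"},
  "runAsUser": {"type": "MustRunAsRange"},
  "seLinuxContext": {"type": "MustRunAs"},
  "supplementalGroups": {"type": "RunAsAny"},
  "readOnlyRootFilesystem": false,
  "volumes": ["configMap", "downwardAPI", "emptyDir", "persistentVolumeClaim", "projected", "secret"],
  "users": [],
  "groups": []
}
"""

# Constructed baseline: ASSUMED to match the default restricted SCC, derived from the page's
# statement that the HSTS SCC is identical except for allowHostPorts. In a real check,
# replace it with the output of `oc get scc restricted -o json`.
RESTRICTED_SCC_JSON = """
{
  "apiVersion": "security.openshift.io/v1", "kind": "SecurityContextConstraints",
  "metadata": {"name": "restricted"},
  "allowHostDirVolumePlugin": false, "allowHostIPC": false, "allowHostNetwork": false,
  "allowHostPID": false, "allowHostPorts": false, "allowPrivilegeEscalation": true,
  "allowPrivilegedContainer": false, "allowedCapabilities": null, "defaultAddCapabilities": null,
  "requiredDropCapabilities": ["KILL", "MKNOD", "SETUID", "SETGID"],
  "fsGroup": {"type": "MustRunAs"}, "runAsUser": {"type": "MustRunAsRange"},
  "seLinuxContext": {"type": "MustRunAs"}, "supplementalGroups": {"type": "RunAsAny"},
  "readOnlyRootFilesystem": false,
  "volumes": ["configMap", "downwardAPI", "emptyDir", "persistentVolumeClaim", "projected", "secret"],
  "users": [], "groups": []
}
"""

# Identity and bookkeeping fields; they say nothing about what the SCC permits.
NON_POLICY_FIELDS = {"apiVersion", "kind", "metadata"}

# Boolean fields that hand a pod a host-level privilege when true.
HOST_ACCESS_FIELDS = (
    "allowHostDirVolumePlugin", "allowHostIPC", "allowHostNetwork",
    "allowHostPID", "allowHostPorts", "allowPrivilegedContainer",
)


def policy_diff(scc, baseline):
    """Return {field: (baseline_value, scc_value)} for every policy field whose value differs."""
    fields = (set(scc) | set(baseline)) - NON_POLICY_FIELDS
    return {f: (baseline.get(f), scc.get(f))
            for f in sorted(fields) if scc.get(f) != baseline.get(f)}


def host_access_granted(scc):
    """List the host-level privileges the SCC enables."""
    return [f for f in HOST_ACCESS_FIELDS if scc.get(f) is True]


def direct_grants(scc):
    """Users and groups named on the SCC itself; empty when access is granted only via RBAC."""
    return list(scc.get("users") or []) + list(scc.get("groups") or [])


def review(scc_json, baseline_json):
    """Summarise how an SCC deviates from a baseline and what it grants."""
    scc, baseline = json.loads(scc_json), json.loads(baseline_json)
    return {
        "name": scc["metadata"]["name"],
        "diff": policy_diff(scc, baseline),
        "host_access": host_access_granted(scc),
        "direct_grants": direct_grants(scc),
    }


if __name__ == "__main__":
    print(json.dumps(review(HSTS_SCC_JSON, RESTRICTED_SCC_JSON), indent=2))
```

Against the constructed inputs the diff contains only allowHostPorts, the host-access list is just allowHostPorts, and no users or groups are granted directly. Any extra entry in the diff after an operator upgrade is the signal to look at what changed and why.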