Creating custom security context constraints for Watson Knowledge Catalog

The Watson Knowledge Catalog service requires the use of a custom security context constraint (SCC).

Custom SCCs for Watson Knowledge Catalog

Administrators can use security context constraints to control permissions for pods on their Red Hat OpenShift cluster. These permissions include actions that a pod can perform and what resources it can access. For Watson Knowledge Catalog, you must create a custom SCC.

Creating custom SCCs for Watson Knowledge Catalog

To create the SCC, complete the following steps:
  1. Define the SCC in the file wkc-iis-scc.yaml, as follows:

    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegeEscalation: true
    allowPrivilegedContainer: false
    allowedCapabilities: null
    apiVersion: security.openshift.io/v1
    defaultAddCapabilities: null
    fsGroup:
      type: RunAsAny
    kind: SecurityContextConstraints
    metadata:
      annotations:
        kubernetes.io/description: WKC/IIS provides all features of the restricted SCC
          but runs as user 10032.
      name: wkc-iis-scc
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - KILL
    - MKNOD
    - SETUID
    - SETGID
    runAsUser:
      type: MustRunAs
      uid: 10032
    seLinuxContext:
      type: MustRunAs
    supplementalGroups:
      type: RunAsAny
    volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - persistentVolumeClaim
    - projected
    - secret
    users:
    - system:serviceaccount:{{ namespace }}:wkc-iis-sa
    • Replace {{ namespace }} with the name of the Red Hat® OpenShift® project where you plan to install Watson Knowledge Catalog. For example, if you plan to install Watson Knowledge Catalog in the cpd-instance project, the system:serviceaccount entry would be:
      - system:serviceaccount:cpd-instance:wkc-iis-sa
    • If a custom SCC named wkc-iis-scc already exists in the environment, delete it and create a new custom SCC from the YAML file in this step. Use the following command to delete the existing SCC: oc delete scc wkc-iis-scc
  2. Run oc create to create the SCC from the file:
    $ oc create -f <yaml_file_name.yaml>
  3. Run the following command to verify that the SCC was created:
    $ oc get scc wkc-iis-scc
  4. Create the SCC cluster role for wkc-iis-scc:
    oc create clusterrole system:openshift:scc:wkc-iis-scc --verb=use --resource=scc --resource-name=wkc-iis-scc
  5. Assign the wkc-iis-sa service account to the SCC cluster role:
    oc create rolebinding wkc-iis-scc-rb --clusterrole=system:openshift:scc:wkc-iis-scc --serviceaccount={{ namespace }}:wkc-iis-sa
  6. Confirm that the wkc-iis-sa service account can use the wkc-iis-scc SCC:
    oc adm policy who-can use scc wkc-iis-scc -n {{ namespace }} | grep "wkc-iis-sa"
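The six steps above gathered into one script, as an added example that is not part of the IBM documentation: it validates the project name before substituting it for {{ namespace }}, reads the wkc-iis-scc.yaml from step 1 (file name assumed; override with SCC_TEMPLATE), and runs the oc commands in order, creating the role binding explicitly in the target project. It assumes oc is already logged in with cluster-admin rights.

```shell
#!/bin/sh
# Added example (not IBM's code): apply the wkc-iis-scc procedure for one project.
# Assumes: `oc` is logged in as cluster-admin and the step 1 manifest, still
# containing the literal {{ namespace }} placeholder, is at $TEMPLATE.
set -eu

SCC_NAME=wkc-iis-scc
SA_NAME=wkc-iis-sa
TEMPLATE=${SCC_TEMPLATE:-wkc-iis-scc.yaml}

# An OpenShift project name is a DNS-1123 label: lowercase alphanumerics and '-',
# 1-63 characters, starting and ending with an alphanumeric. Refusing anything
# else keeps a stray value from landing in the SCC's users list.
valid_namespace() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Print the manifest with {{ namespace }} replaced; non-zero exit on a bad name.
render_scc() {
  ns=$1
  valid_namespace "$ns" || { echo "invalid project name: $ns" >&2; return 1; }
  sed "s/{{ namespace }}/$ns/g" "$TEMPLATE"
}

# Steps 2-6: (re)create the SCC, the cluster role and the role binding, then
# verify that the service account can actually use the SCC.
apply_scc() {
  ns=$1
  manifest=$(render_scc "$ns")
  # Step 1 note: an existing wkc-iis-scc must be deleted and recreated.
  if oc get scc "$SCC_NAME" >/dev/null 2>&1; then
    oc delete scc "$SCC_NAME"
  fi
  printf '%s\n' "$manifest" | oc create -f -          # step 2
  oc get scc "$SCC_NAME"                              # step 3
  oc create clusterrole "system:openshift:scc:$SCC_NAME" \
    --verb=use --resource=scc --resource-name="$SCC_NAME"   # step 4
  # Step 5: bind in the target project so the result does not depend on the
  # current `oc project`.
  oc create rolebinding "$SCC_NAME-rb" -n "$ns" \
    --clusterrole="system:openshift:scc:$SCC_NAME" --serviceaccount="$ns:$SA_NAME"
  # Step 6: grep's exit status fails the script if the SA is not listed.
  oc adm policy who-can use scc "$SCC_NAME" -n "$ns" | grep -q "$SA_NAME"
}

# Usage: ./apply-wkc-scc.sh <project>, e.g. ./apply-wkc-scc.sh cpd-instance
[ "${1:-}" ] && apply_scc "$1"
```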

For more information about SCCs, see Red Hat - Managing Security Context Constraints.