Manually creating the custom security context constraint for Db2
Upgrade to IBM Software Hub Version 5.1 before IBM Cloud Pak for Data Version 4.6 reaches end of support. For more information, see Upgrading IBM Software Hub in the IBM Software Hub Version 5.1 documentation.
If you don't want to allow the Db2 service to automatically create the security context constraint (SCC), you can create it manually. Which SCC you create depends on whether you plan to change the node settings to allow Db2U to make unsafe sysctl changes.
By default, Db2 uses a privileged Init Container to set the kernel parameters. If you want OpenShift® Sysctls to set the kernel parameters, see Deploying Db2 with limited privileges. The SCC spec in step 5 depends on this choice.
- Installation phase: Setting up a client workstation
- Who needs to complete this task? A cluster administrator must complete this task.
- When do you need to complete this task? Complete this task only if you don't want to allow the service to automatically create the SCC.
Before you begin
Ensure that you source the environment variables before you run the commands in this task.
Determine whether you plan to change the node settings to allow Db2U to make unsafe sysctl changes.
Procedure
1. Set the following environment variables.

   Note: The commands use the ${PROJECT_CPD_INSTANCE} project to identify the project where you will create the service instance that uses the SCC.

   - Set SCC_NAME to the name that you want to use for the SCC:

     ```bash
     export SCC_NAME=<scc-name>
     ```

   - Set SERVICE_ACCOUNT to the name of the service account that you want to bind the SCC to:

     ```bash
     export SERVICE_ACCOUNT=<sa-name>
     ```

   - Set ROLE_NAME to the name of the role that will be referenced by the role binding:

     ```bash
     export ROLE_NAME=<role-name>
     ```

   - Set ROLEBINDING_NAME to the name of the role binding that will bind the service account to the role (the SCC itself is granted to the service account through the `users` list in step 5, not through this role binding):

     ```bash
     export ROLEBINDING_NAME=<rolebinding-name>
     ```

   - Set PROJECT_CPD_INSTANCE to the project (namespace) in which the Db2 service is installed:

     ```bash
     export PROJECT_CPD_INSTANCE=<namespace>
     ```

2. Create the service account:

   ```bash
   cat <<EOF | oc apply -f -
   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: ${SERVICE_ACCOUNT}
     namespace: ${PROJECT_CPD_INSTANCE}
   EOF
   ```

3. Create the role:

   ```bash
   cat <<EOF | oc apply -f -
   apiVersion: rbac.authorization.k8s.io/v1
   kind: Role
   metadata:
     name: ${ROLE_NAME}
     namespace: ${PROJECT_CPD_INSTANCE}
   rules:
   - apiGroups:
     - ""
     resources:
     - endpoints
     - pods
     verbs:
     - get
     - patch
     - update
   - apiGroups:
     - apps
     resources:
     - statefulsets
     - deployments
     - replicasets
     verbs:
     - get
     - list
   - apiGroups:
     - ""
     resources:
     - configmaps
     verbs:
     - get
     - patch
     - watch
     - list
     - update
   - apiGroups:
     - ""
     resources:
     - secrets
     verbs:
     - get
     - create
     - update
   - apiGroups:
     - db2u.databases.ibm.com
     resources:
     - recipes
     verbs:
     - watch
     - get
     - update
     - create
     - patch
     - list
     - delete
   - apiGroups:
     - db2u.databases.ibm.com
     resources:
     - buckets
     verbs:
     - patch
   - apiGroups:
     - db2u.databases.ibm.com
     resources:
     - backups
     verbs:
     - patch
     - delete
     - list
   - apiGroups:
     - db2u.databases.ibm.com
     resources:
     - formations
     verbs:
     - get
   - apiGroups:
     - ""
     resources:
     - pods/exec
     verbs:
     - create
   - apiGroups:
     - ""
     resources:
     - pods
     verbs:
     - watch
     - list
     - get
   - apiGroups:
     - ""
     resources:
     - services
     verbs:
     - watch
     - list
     - get
   EOF
   ```

   Resource names in RBAC rules are case-sensitive lowercase plurals, so the `apps` rule must name `statefulsets`; a rule written as `StatefulSets` matches nothing. Note what this role grants inside the project: `create` on `pods/exec` and `create`/`update` on `secrets`. Keep the service account dedicated to Db2 and do not reuse it for other workloads.

4. Create the role binding:

   ```bash
   cat <<EOF | oc apply -f -
   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     name: ${ROLEBINDING_NAME}
     namespace: ${PROJECT_CPD_INSTANCE}
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: Role
     name: ${ROLE_NAME}
   subjects:
   - kind: ServiceAccount
     name: ${SERVICE_ACCOUNT}
     namespace: ${PROJECT_CPD_INSTANCE}
   EOF
   ```

5. Create the SCC. Use the spec that matches your decision about the node settings.

   If you do not change the node settings (Db2 uses a privileged Init Container to set the kernel parameters):

   ```bash
   cat <<EOF | oc apply -f -
   allowHostDirVolumePlugin: true
   allowHostIPC: false
   allowHostNetwork: false
   allowHostPID: false
   allowHostPorts: false
   allowPrivilegeEscalation: true
   allowPrivilegedContainer: true
   allowedCapabilities:
   - FOWNER
   - SETGID
   - SETUID
   - CHOWN
   - DAC_OVERRIDE
   - SYS_RESOURCE
   - IPC_OWNER
   - SYS_NICE
   - FSETID
   - SETFCAP
   - SETPCAP
   - SYS_CHROOT
   - KILL
   - AUDIT_WRITE
   apiVersion: security.openshift.io/v1
   defaultAddCapabilities: null
   fsGroup:
     type: RunAsAny
   groups: []
   kind: SecurityContextConstraints
   metadata:
     name: ${SCC_NAME}
   priority: 10
   readOnlyRootFilesystem: false
   requiredDropCapabilities:
   - ALL
   runAsUser:
     type: RunAsAny
   seLinuxContext:
     type: MustRunAs
   supplementalGroups:
     type: RunAsAny
   users:
   - system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
   volumes:
   - '*'
   EOF
   ```

   If you change the node settings to allow Db2U to make unsafe sysctl changes:

   ```bash
   cat <<EOF | oc apply -f -
   allowHostDirVolumePlugin: false
   allowHostIPC: false
   allowHostNetwork: false
   allowHostPID: false
   allowHostPorts: false
   allowPrivilegeEscalation: true
   allowPrivilegedContainer: false
   allowedCapabilities:
   - FOWNER
   - SETGID
   - SETUID
   - CHOWN
   - DAC_OVERRIDE
   - SYS_RESOURCE
   - IPC_OWNER
   - SYS_NICE
   - FSETID
   - SETFCAP
   - SETPCAP
   - SYS_CHROOT
   - KILL
   - AUDIT_WRITE
   allowedUnsafeSysctls:
   - kernel.shmmni
   - kernel.shmmax
   - kernel.shmall
   - kernel.sem
   - kernel.msgmni
   - kernel.msgmax
   - kernel.msgmnb
   apiVersion: security.openshift.io/v1
   defaultAddCapabilities: null
   fsGroup:
     type: RunAsAny
   groups: []
   kind: SecurityContextConstraints
   metadata:
     name: ${SCC_NAME}
   priority: 10
   readOnlyRootFilesystem: false
   requiredDropCapabilities:
   - ALL
   runAsUser:
     type: MustRunAsNonRoot
   seLinuxContext:
     type: MustRunAs
   supplementalGroups:
     type: RunAsAny
   users:
   - system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}
   volumes:
   - '*'
   EOF
   ```

   Both specs grant the SCC only to `system:serviceaccount:${PROJECT_CPD_INSTANCE}:${SERVICE_ACCOUNT}` and leave `groups` empty. Do not widen that: `priority: 10` makes this SCC take precedence over the default restricted SCCs for any identity that is allowed to use it. Both specs also drop every capability by default (`requiredDropCapabilities: ALL`) and let the pod add back only the ones in `allowedCapabilities`. The second spec is the tighter of the two: no privileged containers, no hostPath volume plugin, `MustRunAsNonRoot`, and the only unsafe sysctls it permits are the System V IPC tunables that Db2 needs.
What to do next
You must take steps outside of the Cloud Pak for Data web console to prepare for deploying Db2. See Specifying a custom service account, SCC, role, and role binding before deploying Db2.