Skip to main contentIBM DataPower Operator Documentation

Running DataPower containers as root user

Custom SecurityContextConstraint

If the DataPower Operator is installed on OpenShift Container Platform (OCP), then a custom SecurityContextConstraint must be created to allow the runAsRoot functionality of the DataPower operand.

Copy the below YAML, and apply it to your OCP cluster as a prerequisite to enabling runAsRoot in the DataPowerService.

YAML

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
annotations:
kubernetes.io/description: 'Custom SCC for running IBM DataPower Gateway pods as root user'
creationTimestamp: null
name: datapower-root
allowHostDirVolumePlugin: false
allowHostIPC: false

Apply

oc apply -f datapower-root.yaml

Service Account

The DataPower Operator will automatically configure the default Service Account to bind to the above datapower-root SCC if runAsRoot is enabled in the DataPowerService. However, if you are using a custom ServiceAccount (serviceAccountName), you must manually link this Service Account with the SCC.

oc adm policy add-scc-to-user datapower-root -z <your-service-account>