Recipe: Testing Restricted Policies with OpenShift and the IBM FHIR Server Schema Tool

Docker: ibmcom/ibm-fhir-schematool supports onboarding and offboarding of a schema in support of the IBM FHIR Server. I am working on a project that runs on OpenShift using CodeReadyContainers, and I needed to test the image with a restricted policy.

Note: these are roughly my notes from testing, converted to a post.


  1. Start up Code Ready Containers or create your OpenShift environment.

  2. Connect to the Docker registry in CRC.

          docker login -u kubeadmin -p $(oc whoami -t) default-route-openshift-image-registry.apps-crc.testing

  3. Build your Docker image with a new tag.

          docker build . -t default/ibm-fhir-schematool:latest
          docker push default/ibm-fhir-schematool:latest

  4. Log in to OpenShift.

          oc login -u $(oc whoami) -p $(oc whoami -t)

  5. Create a new persistence.json using one of the examples as a template, and store it as a secret.

          oc create secret generic persistence-json --from-file=persistence-onboard-example.json -n=default

  6. Add the restricted policy to the developer user.

          oc adm policy add-scc-to-user restricted developer

  7. Add the developer user to the default namespace.

          oc adm policy add-role-to-user edit developer -n=default

  8. Make the local registry lookup use relative names.

          oc set image-lookup --all

  9. Create a new pod.yaml.

          apiVersion: v1
          kind: Pod
          metadata:
            name: ibm-fhir-server-schematool
          spec:
            containers:
              - name: test-container
                image: default/ibm-fhir-schematool
                env:
                  # The tool reads its input from this variable, populated from the secret created in step 5.
                  - name: ENV_TOOL_INPUT
                    valueFrom:
                      secretKeyRef:
                        name: persistence-json
                        key: persistence-onboard-example.json

  10. Create the pod as the developer user, so that it is admitted under that user's policy.

          oc apply -f pod.yaml --as=developer -n=default

  11. Check the logs, and you should see a successful run.

          oc logs pod/ibm-fhir-server-schematool
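
A successful run alone does not show which security context constraint admitted the pod. The following added example (not part of the original notes or the IBM FHIR project) audits the JSON from `oc get pod -o json` for the `openshift.io/scc` annotation and for settings the restricted policy does not allow. The sample pod is constructed, `audit_pod` and `allowed_sccs` are names chosen here, and newer clusters may report `restricted-v2`, which can be passed in `allowed_sccs`.

```python
import json
import sys

# Constructed sample: trimmed shape of
#   oc get pod ibm-fhir-server-schematool -n default -o json
# The annotation and uid are illustrative, not captured from a real cluster.
SAMPLE_POD = json.loads("""
{"metadata": {"name": "ibm-fhir-server-schematool",
              "annotations": {"openshift.io/scc": "restricted"}},
 "spec": {"containers": [{"name": "test-container",
                          "image": "default/ibm-fhir-schematool",
                          "securityContext": {"runAsUser": 1000600000}}]}}
""")


def audit_pod(pod, allowed_sccs=("restricted",)):
    """Return a list of findings; an empty list means nothing contradicts restricted."""
    findings = []
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    # SCC admission records the SCC that validated the pod in this annotation.
    scc = meta.get("annotations", {}).get("openshift.io/scc")
    if scc not in allowed_sccs:
        findings.append(f"admitted under SCC {scc!r}, expected one of {list(allowed_sccs)}")
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod sets {flag}")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name')!r} is a hostPath")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {c['name']!r} is privileged")
        # A container-level runAsUser overrides the pod-level value.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0:
            findings.append(f"container {c['name']!r} runs as uid 0")
    return findings


if __name__ == "__main__":
    # Pass "-" to audit real output piped in from: oc get pod <name> -o json
    pod = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_POD
    for line in audit_pod(pod) or ["OK: no findings"]:
        print(line)
```

If the annotation names a broader SCC, the pod was not created through the `--as=developer` path from the recipe.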

