feat(openshit): document sccs (#647)

* feat(openshit): document sccs * scc update * Update modules/ROOT/pages/kubernetes/openshift.adoc Co-authored-by: Andrew Kenworthy <andrew.kenworthy@stackable.de> --------- Co-authored-by: Andrew Kenworthy <andrew.kenworthy@stackable.de>
stackabletech · Aug 8, 2024 · 3911375 · 3911375
1 parent cc278d7
commit 3911375
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/modules/ROOT/pages/kubernetes/openshift.adoc b/modules/ROOT/pages/kubernetes/openshift.adoc
@@ -43,3 +43,11 @@ spec:
       - name: WATCH_NAMESPACE
         value: kafka-namespace
 ----
+
+== Security context constraints
+
+Starting with the release version `24.7.0`, all products run with the `nonroot-v2` security context constraints (SCC) on OpenShift. This security context is used by the product's cluster role.
+
+Operators (with two exceptions) don't request a specific SCC to run with. Usually OpenShift will select the `restricted` or `restricted-v2` SCC unless the cluster admins have specifically assigned a different one to the namespace where the operators are running.
+The two exceptions are the secret and the listener operators. These need additional permissions not available in the `restricted` SCCs to propagate volume mounts to the requesting pods.
+