diff --git a/modules/ROOT/pages/kubernetes/openshift.adoc b/modules/ROOT/pages/kubernetes/openshift.adoc index 03f785c52..c94da38a3 100644 --- a/modules/ROOT/pages/kubernetes/openshift.adoc +++ b/modules/ROOT/pages/kubernetes/openshift.adoc @@ -43,3 +43,11 @@ spec: - name: WATCH_NAMESPACE value: kafka-namespace ---- + +== Security context constraints + +Starting with the release version `24.7.0`, all products run with the `nonroot-v2` security context constraints (SCC) on OpenShift. This security context is used by the product's cluster role. + +Operators (with two exceptions) don't request a specific SCC to run with. Usually OpenShift will select the `restricted` or `restricted-v2` SCC unless the cluster admins have specifically assigned a different one to the namespace where the operators are running. +The two exceptions are the secret and the listener operators. These need additional permissions not available in the `restricted` SCCs to propagate volume mounts to the requesting pods. +
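Review bot: the last added paragraph says the secret and listener operators "need additional permissions not available in the `restricted` SCCs" but never names the SCC they actually request or which capabilities it grants, which is exactly what a cluster admin needs in order to audit or pre-create the required `use` permission; please name that SCC (or state that a custom one ships with the operator) and list the specific permissions involved, e.g. "To propagate volume mounts to the requesting pods, the secret and listener operators run with the `<scc-name>` SCC, which additionally allows ...". Two smaller points in the same hunk: "This security context is used by the product's cluster role" is ambiguous, since an SCC is not itself used by a role; reword to say the product's `ClusterRole` grants `use` on the `nonroot-v2` SCC (if that is what is meant). Also, the sentence starting "The two exceptions are" continues the previous paragraph without a blank line, and the hunk ends with an extra empty added line that leaves trailing whitespace in the AsciiDoc file.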