From 3911375b42c1bec75c648f581586488cf6f51bf7 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Thu, 8 Aug 2024 12:04:02 -0400 Subject: [PATCH] feat(openshit): document sccs (#647) * feat(openshit): document sccs * scc update * Update modules/ROOT/pages/kubernetes/openshift.adoc Co-authored-by: Andrew Kenworthy --------- Co-authored-by: Andrew Kenworthy --- modules/ROOT/pages/kubernetes/openshift.adoc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/ROOT/pages/kubernetes/openshift.adoc b/modules/ROOT/pages/kubernetes/openshift.adoc index 03f785c52..c94da38a3 100644 --- a/modules/ROOT/pages/kubernetes/openshift.adoc +++ b/modules/ROOT/pages/kubernetes/openshift.adoc @@ -43,3 +43,11 @@ spec: - name: WATCH_NAMESPACE value: kafka-namespace ---- + +== Security context constraints + +Starting with the release version `24.7.0`, all products run with the `nonroot-v2` security context constraints (SCC) on OpenShift. This security context is used by the product's cluster role. + +Operators (with two exceptions) don't request a specific SCC to run with. Usually OpenShift will select the `restricted` or `restricted-v2` SCC unless the cluster admins have specifically assigned a different one to the namespace where the operators are running. +The two exceptions are the secret and the listener operators. These need additional permissions not available in the `restricted` SCCs to propagate volume mounts to the requesting pods. +
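Review bot: In the new "Security context constraints" section, the sentence "This security context is used by the product's cluster role" leaves open how the SCC is actually granted; on OpenShift a pod is admitted under an SCC only when its service account is allowed the `use` verb on that SCC through an RBAC binding, so stating that the product ClusterRole grants `use` on the `nonroot-v2` SCC to the product service accounts would make the claim precise and tell cluster admins what to verify. The paragraph on the secret and listener operators should likewise name which SCC those two operators request and which permissions beyond `restricted-v2` they rely on, since "additional permissions not available in the `restricted` SCCs to propagate volume mounts" gives an admin nothing concrete to review or audit. Minor: the hunk ends with an added empty line after the last paragraph, which leaves a trailing blank line at the end of the file.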