
Commit 8d91945

fix: added openshift details in nim k8s docs
1 parent 6536bdc commit 8d91945


1 file changed

+8
-0
lines changed


content/nim/deploy/kubernetes/deploy-using-helm.md

Lines changed: 8 additions & 0 deletions
@@ -565,6 +565,14 @@ openshift:
565565

566566
This ensures pods can run with the user IDs required by NGINX Instance Manager services.
567567

568+
{{< note >}} The NIM deployment on OpenShift has been tested with OpenShift v4.13.0 Server. {{< /note >}}
569+
570+
### How OpenShift handles security constraints
571+
572+
When `openshift.enabled: true` is set in the `values.yaml` file, the NGINX Instance Manager deployment automatically creates a **custom [Security Context Constraints](https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/authentication_and_authorization/managing-pod-security-policies) (SCCs)** and links it to the Service Account used by all pods.
573+
574+
By default, OpenShift enforces strict security policies that require containers to run as **non-root** users. The NGINX Instance Manager deployment needs specific user IDs (UIDs) for certain services, such as **1000** for `nms` and **101** for `nginx` and `clickhouse`. Since the default SCCs do not allow these UIDs, a **custom SCC** is created. This ensures that the deployment can run with the necessary permissions while maintaining OpenShift’s security standards. The custom SCC allows these UIDs by setting the `runAsUser` field, which controls which users can run containers.
575+
568576
{{< call-out "note" "Note" >}}
569577
If you see permission errors during deployment, your user account might not have access to manage SCCs. Contact a cluster administrator to request access.
570578
{{< /call-out >}}
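
Review bot: The added paragraph that begins "By default, OpenShift enforces strict security policies" says the custom SCC "allows these UIDs by setting the `runAsUser` field" but never says which `runAsUser` strategy or UID range is set, so a cluster administrator cannot tell from the doc how much broader this SCC is than the default one. Since the preceding paragraph says the SCC is linked to the Service Account used by all pods, please state the strategy (for example `MustRunAsRange` versus `RunAsAny`) and the permitted UIDs, and either back up or drop "while maintaining OpenShift's security standards". Two smaller points in the same hunk: the new `{{< note >}}` shortcode differs from the `{{< call-out "note" "Note" >}}` form used in the unchanged block directly below, so use one form; and "a **custom Security Context Constraints (SCCs)**" mixes singular and plural, where "a custom Security Context Constraint (SCC)" would agree with "links it".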
