Merge pull request #53264 from xenolinux/bug1894063

kelbrown20 · web-flow · commit 8a1b4b6a60f1 · 2023-01-23T12:08:15.000-05:00
BZ1894063: Added important block on using pods deployment in SSC
diff --git a/modules/security-context-constraints-about.adoc b/modules/security-context-constraints-about.adoc
@@ -380,6 +380,11 @@ user identity and groups that the user belongs to. Additionally, if the pod
 specifies a service account, the set of allowable SCCs includes any constraints
 accessible to the service account.
 
+[IMPORTANT]
+====
+When creating pods directly, SCCs admission considers SCC permissions of both the caller and the Service Account that runs the pod. When a pod is created by a pod controller such as a deployment or a job, only Service Account SCC permissions are considered.
+====
+
 Admission uses the following approach to create the final security context for
 the pod:
 
