OCPBUGS#3646: service account is used to admit the pods

xenolinux · xenolinux · commit 9ac0ba5f2a4c · 2023-03-01T14:16:12.000+05:30
diff --git a/modules/security-context-constraints-about.adoc b/modules/security-context-constraints-about.adoc
@@ -380,6 +380,11 @@ user identity and groups that the user belongs to. Additionally, if the pod
 specifies a service account, the set of allowable SCCs includes any constraints
 accessible to the service account.
 
+[NOTE]
+====
+When you create a workload resource, such as a deployment, only the service account is used to find the SCCs and is used to admit the pods when they are created.
+====
+
 [IMPORTANT]
 ====
 When creating pods directly, SCCs admission considers SCC permissions of both the caller and the Service Account that runs the pod. When a pod is created by a pod controller such as a deployment or a job, only Service Account SCC permissions are considered.
