OCPBUGS-162: Updating restricted description and noting difference in upgrade vs install behavior

Author: bergerhoffer

modules/security-context-constraints-about.adoc

@@ -132,7 +132,7 @@ Setting `privileged: true` in the pod specification does not necessarily select
 endif::[]
 
 |`restricted`
-|Denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC provided by a new installation and will be used by default for authenticated users.
+|Denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace.
 
 The `restricted` SCC:
 
@@ -143,10 +143,7 @@ The `restricted` SCC:
 * Allows pods to use any FSGroup
 * Allows pods to use any supplemental group
 
-[NOTE]
-====
-The restricted SCC is the most restrictive of the SCCs that ship by default with the system. However, you can create a custom SCC that is even more restrictive. For example, you can create an SCC that restricts `readOnlyRootFS` to `true` and `allowPrivilegeEscalation` to `false`.
-====
+In clusters that were upgraded from {product-title} 4.10 or earlier, this SCC is available for use by any authenticated user. The `restricted` SCC is no longer available to users of new {product-title} 4.11 installations, unless the access is explicitly granted.
 
 |`restricted-v2`
 | Like the `restricted` SCC, but with the following differences:
@@ -156,6 +153,13 @@ The restricted SCC is the most restrictive of the SCCs that ship by default with
 * `seccompProfile` is set to `runtime/default` by default.
 * `allowPrivilegeEscalation` must be unset or set to `false` in security contexts.
 
+This is the most restrictive SCC provided by a new installation and will be used by default for authenticated users.
+
+[NOTE]
+====
+The `restricted-v2` SCC is the most restrictive of the SCCs that is included by default with the system. However, you can create a custom SCC that is even more restrictive. For example, you can create an SCC that restricts `readOnlyRootFilesystem` to `true`.
+====
+
 |===
 
 [id="scc-settings_{context}"]
@@ -202,7 +206,7 @@ The containers use the capabilities from this default list, but pod manifest aut
 
 [NOTE]
 ====
-You can drop all capabilites from containers by setting the `requiredDropCapabilities` parameter to `ALL`.
+You can drop all capabilites from containers by setting the `requiredDropCapabilities` parameter to `ALL`. This is what the `restricted-v2` SCC does.
 ====
 
 [id="authorization-SCC-strategies_{context}"]

modules/security-context-constraints-command-reference.adoc

@@ -28,15 +28,18 @@ $ oc get scc
 .Example output
 [source,terminal]
 ----
-NAME               PRIV    CAPS   SELINUX     RUNASUSER          FSGROUP     SUPGROUP    PRIORITY   READONLYROOTFS   VOLUMES
-anyuid             false   []     MustRunAs   RunAsAny           RunAsAny    RunAsAny    10         false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
-hostaccess         false   []     MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath persistentVolumeClaim projected secret]
-hostmount-anyuid   false   []     MustRunAs   RunAsAny           RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim projected secret]
-hostnetwork        false   []     MustRunAs   MustRunAsRange     MustRunAs   MustRunAs   <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
-node-exporter      false   []     RunAsAny    RunAsAny           RunAsAny    RunAsAny    <none>     false            [*]
-nonroot            false   []     MustRunAs   MustRunAsNonRoot   RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
-privileged         true    [*]    RunAsAny    RunAsAny           RunAsAny    RunAsAny    <none>     false            [*]
-restricted         false   []     MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
+NAME                              PRIV    CAPS                   SELINUX     RUNASUSER          FSGROUP     SUPGROUP    PRIORITY     READONLYROOTFS   VOLUMES
+anyuid                            false   <no value>             MustRunAs   RunAsAny           RunAsAny    RunAsAny    10           false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
+hostaccess                        false   <no value>             MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","hostPath","persistentVolumeClaim","projected","secret"]
+hostmount-anyuid                  false   <no value>             MustRunAs   RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","hostPath","nfs","persistentVolumeClaim","projected","secret"]
+hostnetwork                       false   <no value>             MustRunAs   MustRunAsRange     MustRunAs   MustRunAs   <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
+hostnetwork-v2                    false   ["NET_BIND_SERVICE"]   MustRunAs   MustRunAsRange     MustRunAs   MustRunAs   <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
+node-exporter                     true    <no value>             RunAsAny    RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["*"]
+nonroot                           false   <no value>             MustRunAs   MustRunAsNonRoot   RunAsAny    RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
+nonroot-v2                        false   ["NET_BIND_SERVICE"]   MustRunAs   MustRunAsNonRoot   RunAsAny    RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
+privileged                        true    ["*"]                  RunAsAny    RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["*"]
+restricted                        false   <no value>             MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
+restricted-v2                     false   ["NET_BIND_SERVICE"]   MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
 ----
 
 [id="examining-a-security-context-constraints-object_{context}"]
@@ -54,36 +57,40 @@ $ oc describe scc restricted
 .Example output
 [source,terminal]
 ----
-Name:					restricted
-Priority:				<none>
+Name:                                  restricted
+Priority:                              <none>
 Access:
-  Users:				<none> <1>
-  Groups:				system:authenticated <2>
+  Users:                               <none> <1>
+  Groups:                              <none> <2>
 Settings:
-  Allow Privileged:			false
-  Default Add Capabilities:		<none>
-  Required Drop Capabilities:		KILL,MKNOD,SYS_CHROOT,SETUID,SETGID
-  Allowed Capabilities:			<none>
-  Allowed Seccomp Profiles:		<none>
-  Allowed Volume Types:			configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
-  Allow Host Network:			false
-  Allow Host Ports:			false
-  Allow Host PID:			false
-  Allow Host IPC:			false
-  Read Only Root Filesystem:		false
+  Allow Privileged:                    false
+  Allow Privilege Escalation:          true
+  Default Add Capabilities:            <none>
+  Required Drop Capabilities:          KILL,MKNOD,SETUID,SETGID
+  Allowed Capabilities:                <none>
+  Allowed Seccomp Profiles:            <none>
+  Allowed Volume Types:                configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
+  Allowed Flexvolumes:                 <all>
+  Allowed Unsafe Sysctls:              <none>
+  Forbidden Sysctls:                   <none>
+  Allow Host Network:                  false
+  Allow Host Ports:                    false
+  Allow Host PID:                      false
+  Allow Host IPC:                      false
+  Read Only Root Filesystem:           false
   Run As User Strategy: MustRunAsRange
-    UID:				<none>
-    UID Range Min:			<none>
-    UID Range Max:			<none>
+    UID:                               <none>
+    UID Range Min:                     <none>
+    UID Range Max:                     <none>
   SELinux Context Strategy: MustRunAs
-    User:				<none>
-    Role:				<none>
-    Type:				<none>
-    Level:				<none>
+    User:                              <none>
+    Role:                              <none>
+    Type:                              <none>
+    Level:                             <none>
   FSGroup Strategy: MustRunAs
-    Ranges:				<none>
+    Ranges:                            <none>
   Supplemental Groups Strategy: RunAsAny
-    Ranges:				<none>
+    Ranges:                            <none>
 ----
 <1> Lists which users and service accounts the SCC is applied to.
 <2> Lists which groups the SCC is applied to.
@@ -112,7 +119,6 @@ If you delete a default SCC, it will regenerate when you restart the cluster.
 ====
 
 [id="updating-security-context-constraints_{context}"]
-
 == Updating security context constraints
 
 To update an existing SCC:

modules/security-context-constraints-example.adoc

@@ -80,7 +80,7 @@ The `users` and `groups` fields on the SCC control which users can access the
 SCC.
 By default, cluster administrators, nodes, and the build controller are granted
 access to the privileged SCC. All authenticated users are granted access to the
-restricted SCC.
+`restricted-v2` SCC.
 
 .Without explicit `runAsUser` setting
 [source,yaml]
@@ -96,17 +96,16 @@ spec:
     image: gcr.io/google-samples/node-hello:1.0
 ----
 <1> When a container or pod does not request a user ID under which it should be run,
-the effective UID depends on the SCC that emits this pod. Because restricted SCC
+the effective UID depends on the SCC that emits this pod. Because the `restricted-v2` SCC
 is granted to all authenticated users by default, it will be available to all
-users and service accounts and used in most cases. The restricted SCC uses
+users and service accounts and used in most cases. The `restricted-v2` SCC uses
 `MustRunAsRange` strategy for constraining and defaulting the possible values of
 the `securityContext.runAsUser` field. The admission plug-in will look for the
 `openshift.io/sa.scc.uid-range` annotation on the current project to populate
 range fields, as it does not provide this range. In the end, a container will
 have `runAsUser` equal to the first value of the range that is
 hard to predict because every project has different ranges.
 
-
 .With explicit `runAsUser` setting
 [source,yaml]
 ----

modules/security-context-constraints-rbac.adoc

@@ -62,5 +62,5 @@ user-defined SCC called `scc-name`.
 Because RBAC is designed to prevent escalation, even project administrators
 are unable to grant access to an SCC. By default, they are not
 allowed to use the verb `use` on SCC resources, including the
-`restricted` SCC.
+`restricted-v2` SCC.
 ====