Merge pull request #70124 from cdjohnson/RHIBMCS-145

RHIBMCS-145: Add SCC/PSA Coexistence Concept

Author: bergerhoffer

authentication/understanding-and-managing-pod-security-admission.adoc

@@ -11,6 +11,9 @@ Pod security admission is an implementation of the link:https://kubernetes.io/do
 // About pod security admission
 include::modules/security-context-constraints-psa-about.adoc[leveloffset=+1]
 
+// Understanding pod security admission coexistence
+include::modules/security-context-constraints-psa-coexistence.adoc[leveloffset=+2]
+
 // About pod security admission synchronization
 include::modules/security-context-constraints-psa-synchronization.adoc[leveloffset=+1]
 

modules/security-context-constraints-psa-coexistence.adoc

@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * authentication/understanding-and-managing-pod-security-admission.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="security-context-constraints-psa-coexistence_{context}"]
+= Pod security admission and security context constraints
+
+Pod security admission standards and security context constraints are reconciled and enforced by two independent controllers. The two controllers work independently using the following processes to enforce security policies:
+
+. The security context constraint controller may mutate some security context fields per the pod's assigned SCC. For example, if the seccomp profile is empty or not set and if the pod's assigned SCC enforces `seccompProfiles` field to be `runtime/default`, the controller sets the default type to `RuntimeDefault`.
+
+. The security context constraint controller validates the pod's security context against the matching SCC.
+
+. The pod security admission controller validates the pod's security context against the pod security standard assigned to the namespace.