From 1815dd203d0008758e1d7ad3e806c03fe6cd2ef4 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Thu, 7 Dec 2023 13:46:46 -0500 Subject: [PATCH] add OCP SCC info #7090 --- modules/ROOT/pages/instanton.adoc | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/modules/ROOT/pages/instanton.adoc b/modules/ROOT/pages/instanton.adoc index f6c40069a4..9dde35068d 100644 --- a/modules/ROOT/pages/instanton.adoc +++ b/modules/ROOT/pages/instanton.adoc @@ -338,6 +338,36 @@ When you deploy to Kubernetes, the container must be granted the `CHECKPOINT_RES - ALL ---- +==== Red Hat OpenShift security context constraints + +To deploy applications to Red Hat OpenShift with InstantOn, you must specify a security context constraint (SCC) that at a minimum grants the capabilities to the defaults that are needed for InstantOn. The following example defines an SCC with these capabilities that is called `defaultAddCapabilities`: + +[source,yaml] +---- +defaultAddCapabilities: +- CHECKPOINT_RESTORE +- SETPCAP +---- + +The applications you deploy must be associated with this SCC, for example, by specifying the `serviceAccountName` setting in the deployment yaml file. The following example specifies the `defaultAddCapabilities` SCC that was defined in the previous example: + +[source,yaml] +---- + serviceAccountName: defaultAddCapabilities + securityContext: + allowPrivilegeEscalation: true + privileged: false + runAsNonRoot: true + capabilities: + add: + - CHECKPOINT_RESTORE + - SETPCAP + drop: + - ALL +---- + +For more information, see the Red Hat documentation for link:https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html[Managing security context constraints]. + [#supported-features] == Open Liberty InstantOn supported features
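Review bot: In the new "Red Hat OpenShift security context constraints" section, `defaultAddCapabilities` is presented as the name of the SCC ("defines an SCC with these capabilities that is called `defaultAddCapabilities`"), but the first YAML block shows it as a field that holds the capability list, and the second block then reuses the same string as `serviceAccountName: defaultAddCapabilities`. `serviceAccountName` identifies a service account, not an SCC, so a reader who follows this literally ends up with a deployment that references a service account with no stated link to any SCC. Suggest giving the SCC and the service account distinct example names, showing the SCC's `metadata.name` next to the `defaultAddCapabilities` list, and adding a sentence on how the service account is granted use of that SCC. Two smaller points: the second example sets `allowPrivilegeEscalation: true` without saying why InstantOn needs it, and a one-sentence justification would help because that setting is one a security reviewer of the deployment will question; and "grants the capabilities to the defaults that are needed for InstantOn" would read more clearly as something like "adds the capabilities that InstantOn needs to the default set."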