From df11650b9e369bf2b85340b64bc7933ecadf571b Mon Sep 17 00:00:00 2001
From: kmova
Date: Wed, 29 Jul 2020 20:02:16 +0000
Subject: [PATCH] update RBAC access setup for OpenShift

From OpenShift 4.4 on the built-in SCCs will be managed and thus you can no longer mutate them by adding users. The proper way is either to copy an existing SCC or use RBAC to access them. This updates the documentation for the RBAC approach.

Signed-off-by: kmova
(cherry picked from commit 92508da2ff6f629c0467239762b7c8ccce099dc3)
---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 2fdfc04b..308da047 100644
--- a/README.md
+++ b/README.md
@@ -48,13 +48,15 @@ $ kubectl create -f deploy/rbac.yaml OpenShift: On some installations of OpenShift the default admin user does not have cluster-admin permissions. If these commands fail refer to the OpenShift documentation for **User and Role Management** or contact your OpenShift provider to help you grant the right permissions to your admin user. +On OpenShift the service account used to bind volumes does not have the necessary permissions required to use the `hostmount-anyuid` SCC. See also [Role based access to SCC](https://docs.openshift.com/container-platform/4.4/authentication/managing-security-context-constraints.html#role-based-access-to-ssc_configuring-internal-oauth) for more information. If these commands fail refer to the OpenShift documentation for **User and Role Management** or contact your OpenShift provider to help you grant the right permissions to your admin user. ```sh # Set the subject of the RBAC objects to the current namespace where the provisioner is being deployed $ NAMESPACE=`oc project -q` $ sed -i'' "s/namespace:.*/namespace: $NAMESPACE/g" ./deploy/rbac.yaml $ oc create -f deploy/rbac.yaml -$ oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:$NAMESPACE:nfs-client-provisioner +$ oc create role use-scc-hostmount-anyuid --verb=use --resource=scc --resource-name=hostmount-anyuid -n $NAMESPACE +$ oc adm policy add-role-to-user use-scc-hostmount-anyuid system:serviceaccount:$NAMESPACE:nfs-client-provisioner ``` **Step 4: Configure the NFS-Client provisioner**
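Review bot: the new `oc adm policy add-role-to-user use-scc-hostmount-anyuid system:serviceaccount:$NAMESPACE:nfs-client-provisioner` line binds a ClusterRole by default, but the line just above it creates a namespaced Role (`oc create role ... -n $NAMESPACE`), so the resulting RoleBinding points at a ClusterRole `use-scc-hostmount-anyuid` that does not exist and the service account still cannot `use` the SCC. Pass `--role-namespace=$NAMESPACE` (and `-n $NAMESPACE` to be explicit), which is the form the linked OpenShift page uses, so the binding references the Role that was just created; `-z nfs-client-provisioner` is an accepted shorthand for the `system:serviceaccount:` subject. The added paragraph also repeats the sentence "If these commands fail refer to the OpenShift documentation for **User and Role Management** ..." that already appears in the unchanged context two lines above; drop the duplicate and keep only the new explanation of why the `hostmount-anyuid` SCC needs to be granted via RBAC. A quick check readers can run after the two commands: `oc auth can-i use securitycontextconstraints/hostmount-anyuid --as=system:serviceaccount:$NAMESPACE:nfs-client-provisioner -n $NAMESPACE` should answer `yes`; with the binding as written in the hunk it answers `no`.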