From c76c0476ca6bc02e5a2e2ebee9cef60ec05eb092 Mon Sep 17 00:00:00 2001
From: "Chris D. Johnson"
Date: Mon, 12 Feb 2024 11:43:10 -0800
Subject: [PATCH] PSA and SCC Coexistence for PSA RHIBMCS-145
---
 ...nding-and-managing-pod-security-admission.adoc | 3 +++
 ...urity-context-constraints-psa-coexistence.adoc | 15 +++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 modules/security-context-constraints-psa-coexistence.adoc
diff --git a/authentication/understanding-and-managing-pod-security-admission.adoc b/authentication/understanding-and-managing-pod-security-admission.adoc
index a64a065175..d62ce6968c 100644
--- a/authentication/understanding-and-managing-pod-security-admission.adoc
+++ b/authentication/understanding-and-managing-pod-security-admission.adoc
@@ -11,6 +11,9 @@ Pod security admission is an implementation of the link:https://kubernetes.io/do
 // About pod security admission
 include::modules/security-context-constraints-psa-about.adoc[leveloffset=+1]
 
+// Understanding pod security admission coexistence
+include::modules/security-context-constraints-psa-coexistence.adoc[leveloffset=+2]
+
 // About pod security admission synchronization
 include::modules/security-context-constraints-psa-synchronization.adoc[leveloffset=+1]
 
diff --git a/modules/security-context-constraints-psa-coexistence.adoc b/modules/security-context-constraints-psa-coexistence.adoc
new file mode 100644
index 0000000000..ba6caf3fbf
--- /dev/null
+++ b/modules/security-context-constraints-psa-coexistence.adoc
@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * authentication/understanding-and-managing-pod-security-admission.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="security-context-constraints-psa-coexistence_{context}"]
+= Pod security admission and security context constraints
+
+Pod security admission standards and security context constraints are reconciled and enforced by two independent controllers. The two controllers work independently using the following processes to enforce security policies:
+
+. The security context constraint controller may mutate some security context fields per the pod's assigned SCC. For example, if the seccomp profile is empty or not set and if the pod's assigned SCC enforces `seccompProfiles` field to be `runtime/default`, the controller sets the default type to `RuntimeDefault`.
+
+. The security context constraint controller validates the pod's security context against the matching SCC.
+
+. The pod security admission controller validates the pod's security context against the pod security standard assigned to the namespace.
\ No newline at end of file