When I apply my custom-scc on my OpenShift cluster, my service, which has the right serviceAccount (My-service-name), picks it up correctly.
However, if a pod in another service happens to restart with default as its serviceAccount, it will also get my custom-scc.
I checked my SCC and I added only:
users:
- system:serviceaccount:dev:my-service-name-serviceaccount
Has anyone encountered this problem?
Who is starting the other pods?
Clearly this user has permission to use the SCC, else it wouldn't. So the question is where those permissions are coming from.
Presumably you've already checked the SCC (including a copy of it here would allow multiple eyes to double check it). The other main place to look is a clusterrole that permits "USE" to that SCC. Perhaps you have a clusterrole with "*" that's being applied to the default SA?
Final thought - if you duplicate the new SCC on a fresh cluster install, do you continue to see the issue? If so, the issue is probably in your SCC. If not, the issue is probably in another RBAC component in the running system.
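One way to run the check the answer suggests (which ClusterRoles grant "use" on the SCC, including catch-all "*" rules, and which subjects are bound to them), as an added example that is not part of this thread. It assumes an SCC named my-custom-scc and works over a constructed sample shaped like the items of `oc get clusterroles -o json` and `oc get clusterrolebindings -o json`:

```python
import json
SCC_NAME = "my-custom-scc"  # assumed SCC name; substitute the name of your own SCC

# Constructed sample shaped like the "items" of `oc get clusterroles -o json` and
# `oc get clusterrolebindings -o json`; not exported from any real cluster.
CLUSTER_ROLES = json.loads("""[
 {"metadata": {"name": "my-service-scc-user"},
  "rules": [{"apiGroups": ["security.openshift.io"], "resources": ["securitycontextconstraints"],
             "resourceNames": ["my-custom-scc"], "verbs": ["use"]}]},
 {"metadata": {"name": "too-broad"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"metadata": {"name": "pod-reader"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}
]""")
CLUSTER_ROLE_BINDINGS = json.loads("""[
 {"metadata": {"name": "my-service-scc-user"}, "roleRef": {"kind": "ClusterRole", "name": "my-service-scc-user"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "dev", "name": "my-service-name-serviceaccount"}]},
 {"metadata": {"name": "too-broad-default"}, "roleRef": {"kind": "ClusterRole", "name": "too-broad"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "dev", "name": "default"}]},
 {"metadata": {"name": "readers"}, "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]}
]""")

def rule_grants_use(rule, scc_name):
    """True if one RBAC rule allows 'use' on the SCC; '*' matches, and no resourceNames means every SCC."""
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    verbs, names = rule.get("verbs", []), rule.get("resourceNames", [])
    return (("*" in groups or "security.openshift.io" in groups)
            and ("*" in resources or "securitycontextconstraints" in resources)
            and ("*" in verbs or "use" in verbs)
            and (not names or scc_name in names))

def roles_granting_use(roles, scc_name):
    """Names of ClusterRoles with at least one rule that grants use of the SCC."""
    return {r["metadata"]["name"] for r in roles
            if any(rule_grants_use(rule, scc_name) for rule in r.get("rules", []))}

def subjects_granted_use(roles, bindings, scc_name):
    """Map each bound subject to the bindings that hand it a granting ClusterRole."""
    granting = roles_granting_use(roles, scc_name)
    found = {}
    for b in bindings:
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in granting:
            continue
        for s in b.get("subjects", []):
            # Service accounts are keyed in the system:serviceaccount:<ns>:<name> form the SCC users list uses.
            key = (f'system:serviceaccount:{s["namespace"]}:{s["name"]}'
                   if s["kind"] == "ServiceAccount" else f'{s["kind"]}:{s["name"]}')
            found.setdefault(key, []).append(f'{b["metadata"]["name"]} -> ClusterRole/{ref["name"]}')
    return found
```

On the sample, the default service account in dev shows up only through the too-broad binding, which is the "clusterrole with *" case the answer describes; namespaced RoleBindings can grant the same verb inside one namespace and would need the same pass.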