From 0decc8a53f9d9e70e1cfafe0753668e2da84a1b3 Mon Sep 17 00:00:00 2001 From: Jack Henschel Date: Sat, 18 Mar 2023 18:30:19 +0100 Subject: [PATCH] docs: Clarify how to run Job on OpenShift (#1401) Signed-off-by: Jack Henschel --- docs/running.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/running.md b/docs/running.md index 11b37d6..67c5e5b 100644 --- a/docs/running.md +++ b/docs/running.md @@ -34,7 +34,7 @@ docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.ya You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored. -The supplied `job.yaml` file can be applied to run the tests as a job. For example: +The `job.yaml` file (available in the root directory of the repository) can be applied to run the tests as a Kubernetes `Job`. For example: ```bash $ kubectl apply -f job.yaml @@ -140,6 +140,14 @@ kube-bench includes a set of test files for Red Hat's OpenShift hardening guide `kube-bench` supports auto-detection, when you run the `kube-bench` command it will autodetect if running in openshift environment. +Since running `kube-bench` requires elevated privileges, the `privileged` SecurityContextConstraint needs to be applied to the ServiceAccount used for the `Job`: + +``` +oc create namespace kube-bench +oc adm policy add-scc-to-user privileged --serviceaccount default +oc apply -f job.yaml +``` + ### Running in a GKE cluster | CIS Benchmark | Targets |
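Review bot: In the first hunk (docs/running.md @@ -34), the rewritten sentence now says `job.yaml` lives in the repository root, but the example that follows (`kubectl apply -f job.yaml`) still only works when run from that directory; consider stating that the path is relative to a checkout of the repository, so readers who copy the command from elsewhere are not surprised by a file-not-found error.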
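Review bot: In the OpenShift hunk (docs/running.md @@ -140), the command sequence creates a `kube-bench` namespace but never selects it, so `oc adm policy add-scc-to-user privileged --serviceaccount default` and `oc apply -f job.yaml` act on whatever project is current rather than on `kube-bench`; add `-n kube-bench` to both commands (or an `oc project kube-bench` step) so the SCC grant and the Job land in the namespace just created. Two smaller points: the new fence has no language tag while the earlier example in the same file uses ```bash, and granting the `privileged` SCC to the `default` ServiceAccount extends it to every pod in that namespace, so the text could mention that a dedicated ServiceAccount for the Job is the least-privilege option.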