Bootstrap FreeKB - OpenShift - Resolve "hostPath volumes are not allowed to be used"


Let's say you update a container in a deployment to mount a directory from the node's filesystem (a hostPath volume).

~]$ oc set volume deployment my-deployment --add --type hostPath --path /usr/local/my-files
info: Generated volume name: volume-879rj
deployment.apps/my-deployment volume updated

The deployment itself is updated, but no new pod appears. The Security Context Constraint check happens when the ReplicaSet tries to create the pods, so the error shows up in the ReplicaSet events (oc describe replicaset, or oc get events) rather than in the output of oc set volume, and looks like the following.

forbidden: 
unable to validate against any security context constraint: [spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used

This occurs when none of the Security Context Constraints available to the pod's User, Group or Service Account allow hostPath volumes. Admission tries every SCC the subject has been granted, most restrictive first, and rejects the pod only if none of them validates it. In this example the deployment runs as Service Account my-service-account, and the only SCC that admits its pods is anyuid.

~]# oc get deployment my-deployment --output yaml | oc adm policy scc-review --filename - 
RESOURCE                    SERVICE ACCOUNT       ALLOWED BY         
Deployment/my-deployment    my-service-account    anyuid

The anyuid Security Context Constraint, like restricted and nonroot, does not allow hostPath (host directory) volumes. Of the built-in SCCs, only hostaccess, hostmount-anyuid and privileged do. hostPath is blocked by default for good reason: a container that can mount directories from the node, especially while running as root under anyuid, can read or modify files on the node itself (kubelet credentials, the container runtime socket), which amounts to node-level access. Grant the narrowest SCC that does what is needed rather than privileged.

  • anyuid - Same as the "restricted" Security Context Constraint but allows a pod to be run by any UID or GID.
  • hostaccess - Allows access to all host namespaces but still requires pods to be run with a UID and SELinux context that are allocated to the namespace.
  • hostmount-anyuid - Same as the "restricted" Security Context Constraint but allows host mounts and running as any UID and any GID on the system.
  • hostnetwork - Allows using host networking and host ports but still requires pods to be run with a UID and SELinux context that are allocated to the namespace.
  • nonroot - Same as the "restricted" Security Context Constraint but allows users to run with any non-root UID. The user must specify the UID or it must be specified in the manifest of the container runtime.
  • privileged - Allows:
    • Users to run privileged pods
    • Pods to mount host directories as volumes
    • Pods to run as any user
    • Pods to run with any MCS label
    • Pods to use the host’s IPC namespace
    • Pods to use the host’s PID namespace
    • Pods to use any FSGroup
    • Pods to use any supplemental group
    • Pods to use any seccomp profiles
    • Pods to request any capabilities
  • restricted - Denies access to all host features and requires pods to be run with a UID and SELinux context that are allocated to the namespace. This is the most restrictive SCC provided by a new installation and is used by default for authenticated users (on OpenShift 4.11 and later the default for authenticated users is restricted-v2, which likewise does not allow hostPath).
    • Pods cannot run as privileged
    • Pods cannot mount host directory volumes
    • Requires that a pod is run as a user in a pre-allocated range of UIDs
    • Requires that a pod is run with a pre-allocated MCS label
    • Allows pods to use any FSGroup
    • Allows pods to use any supplemental group


