From bdd0fa5262a4039c6bcd46986bbad16bbf70a2bf Mon Sep 17 00:00:00 2001 From: Yossi Mesika Date: Thu, 7 Jun 2018 02:12:04 +0300 Subject: [PATCH] Updated OpenShift section to match the new list of service accounts (#1453) --- content/docs/setup/kubernetes/quick-start.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/content/docs/setup/kubernetes/quick-start.md b/content/docs/setup/kubernetes/quick-start.md index b4bda0d9cb..d96a7dde29 100644 --- a/content/docs/setup/kubernetes/quick-start.md +++ b/content/docs/setup/kubernetes/quick-start.md 
@@ -102,15 +102,24 @@ Configure `kubectl` CLI based on steps [here](https://www.ibm.com/support/knowle ### OpenShift Origin OpenShift by default does not allow containers running with UID 0. Enable containers running -with UID 0 for Istio's service accounts for ingress as well the Prometheus and Grafana addons: +with UID 0 for Istio's service accounts: ```command $ oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account -n istio-system $ oc adm policy add-scc-to-user anyuid -z default -n istio-system -$ oc adm policy add-scc-to-user anyuid -z grafana -n istio-system $ oc adm policy add-scc-to-user anyuid -z prometheus -n istio-system +$ oc adm policy add-scc-to-user anyuid -z istio-egressgateway-service-account -n istio-system +$ oc adm policy add-scc-to-user anyuid -z istio-citadel-service-account -n istio-system +$ oc adm policy add-scc-to-user anyuid -z istio-ingressgateway-service-account -n istio-system +$ oc adm policy add-scc-to-user anyuid -z istio-cleanup-old-ca-service-account -n istio-system +$ oc adm policy add-scc-to-user anyuid -z istio-mixer-post-install-account -n istio-system +$ oc adm policy add-scc-to-user anyuid -z istio-mixer-service-account -n istio-system +$ oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account -n istio-system +$ oc adm policy add-scc-to-user anyuid -z istio-sidecar-injector-service-account -n istio-system ``` +The list above covers the default Istio service accounts. If you enabled other Istio services (e.g. _Grafana_) you will need to cover its service account in a similar command. + Service account that runs application pods need privileged security context constraints as part of sidecar injection. ```command
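Review bot: the new closing sentence ("If you enabled other Istio services (e.g. _Grafana_) you will need to cover its service account in a similar command") leaves the reader to guess the account name, while the same hunk deletes the line that showed it (`-z grafana -n istio-system`). Consider keeping that command as the worked example in the sentence, fixing the number agreement ("their service accounts"), and pointing readers at `oc get sa -n istio-system` so they can list what actually exists in their install. Separately, the command block now grants `anyuid` to eight more service accounts, on top of `default`, with no statement of which components actually run as UID 0. For a step that relaxes a security context constraint, a short note on why each account is listed would help, as would a note on whether the grants for `istio-cleanup-old-ca-service-account` and `istio-mixer-post-install-account` (whose names suggest one-off install tasks) can be withdrawn afterwards with `oc adm policy remove-scc-from-user`, so readers do not leave broader grants in place than they need.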