From 465811c01737916f35a20f9e17f8e758f201965a Mon Sep 17 00:00:00 2001
From: Conan Scott
Date: Mon, 12 Jan 2026 19:42:54 +1100
Subject: [PATCH] added restricted-hostpath scc added role and binding for peanutflix for restricted-hostpath
---
 manifests/.DS_Store | Bin 6148 -> 6148 bytes
 .../scc-restricted--hostpath-rolebinding.yaml | 12 ++++++
 manifests/scc/scc-restricted-hostpath.yaml | 38 ++++++++++++++++++
 3 files changed, 50 insertions(+)
 create mode 100644 manifests/scc/scc-restricted--hostpath-rolebinding.yaml
 create mode 100644 manifests/scc/scc-restricted-hostpath.yaml
diff --git a/manifests/.DS_Store b/manifests/.DS_Store
index ea329e17be9afe654e2c38bfa1651e0f0e7be787..3e3f3f334f44aa591f61ac8a6f299f95567e807e 100644
GIT binary patch
delta 83
zcmZoMXfc?O$h<45V6z~{a^}h0EMkniCM&TNYD!gCo0}TyC>RU9q*Xk%#TN)YYD43gA
l*4A=zh$`z_2gPUS${>`~c6%7#aWo
diff --git a/manifests/scc/scc-restricted--hostpath-rolebinding.yaml b/manifests/scc/scc-restricted--hostpath-rolebinding.yaml
new file mode 100644
index 0000000..f4a415a
--- /dev/null
+++ b/manifests/scc/scc-restricted--hostpath-rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: peanutflix-sa-restricted-hostpath
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:restricted-hostpath
+subjects:
+ - kind: ServiceAccount
+ name: peanutflix-sa
+ namespace: peanutflix
\ No newline at end of file
diff --git a/manifests/scc/scc-restricted-hostpath.yaml b/manifests/scc/scc-restricted-hostpath.yaml
new file mode 100644
index 0000000..21cd5b5
--- /dev/null
+++ b/manifests/scc/scc-restricted-hostpath.yaml
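Review bot: The binding grants `use` on the restricted-hostpath SCC cluster-wide through a ClusterRoleBinding although its only subject is the peanutflix-sa ServiceAccount in namespace peanutflix; SCC admission honours a namespaced RoleBinding just as well, so binding the same ClusterRole from inside that namespace keeps the grant scoped to where the workload runs: `kind: RoleBinding` and, under metadata, `namespace: peanutflix`. The roleRef name has to match the SCC's metadata.name exactly (it does, `restricted-hostpath`), and as far as I know the `system:openshift:scc:<name>` ClusterRole is generated by the platform only once the SCC exists, so the SCC manifest should be applied before this binding or the roleRef dangles until then. The file name `scc-restricted--hostpath-rolebinding.yaml` carries a doubled hyphen that the SCC file name does not, which reads as a typo. Both new files also lack a trailing newline, as the `\ No newline at end of file` markers show.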
@@ -0,0 +1,38 @@
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: restricted-hostpath
+allowHostDirVolumePlugin: true # Needed for /dev/dri hostPath
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities: null
+defaultAddCapabilities: null
+fsGroup:
+ type: MustRunAs
+ ranges:
+ - min: 1000
+ max: 2000
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+ - ALL
+runAsUser:
+ type: MustRunAsRange
+ uidRangeMin: 1000
+ uidRangeMax: 2000
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - hostPath # This is what distinguishes it from restricted-s6
+ - persistentVolumeClaim
+ - projected
+ - secret
+priority: 6 # Higher than restricted-s6 (5) due to hostPath access
\ No newline at end of file
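Review bot: The comment on `allowHostDirVolumePlugin: true` says hostPath is needed for /dev/dri, but an SCC has no field that limits hostPath to a path, so this constraint admits pods that mount any node path; `readOnlyRootFilesystem` does not apply to hostPath mounts, and the MustRunAsRange UID range together with `supplementalGroups: RunAsAny` only narrows access by the node's own file permissions. I would state that on the line so nobody reads the name "restricted-hostpath" as a path restriction: `allowHostDirVolumePlugin: true  # grants hostPath to ANY node path; the /dev/dri-only intent must be enforced by an admission policy or by exposing the device via a device plugin`. Because `priority: 6` sits above restricted-s6 (5, per the comment; that SCC is not in this diff), admission selects this SCC first for every subject allowed to use it, so the set of bindings to it should stay minimal and that expectation belongs in the `priority` comment. With `seLinuxContext: MustRunAs` and no seLinuxOptions the namespace default label is assigned, which is fine as written, but worth a comment since hostPath mounts are the case where the label matters.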