From e228753c59a62b887aecd56398a8595e6a99a1a3 Mon Sep 17 00:00:00 2001
From: Conan Scott
Date: Tue, 13 Jan 2026 10:03:28 +1100
Subject: [PATCH] added back scc-restricted-hostpath
---
 .../scc/scc-restricted-hostpath-privesc.yaml | 4 +-
 manifests/scc/scc-restricted-hostpath.yaml | 40 +++++++++++++++++++
 2 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 manifests/scc/scc-restricted-hostpath.yaml
diff --git a/manifests/scc/scc-restricted-hostpath-privesc.yaml b/manifests/scc/scc-restricted-hostpath-privesc.yaml
index 9e44708..991bd0b 100644
--- a/manifests/scc/scc-restricted-hostpath-privesc.yaml
+++ b/manifests/scc/scc-restricted-hostpath-privesc.yaml
@@ -2,12 +2,12 @@ apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
 name: restricted-hostpath-privesc
-allowHostDirVolumePlugin: true # Needed for /dev/dri hostPath
+allowHostDirVolumePlugin: true
 allowHostIPC: false
 allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: false
-allowPrivilegeEscalation: true
+allowPrivilegeEscalation: false
 allowPrivilegedContainer: false
 allowedCapabilities:
 - CHOWN
diff --git a/manifests/scc/scc-restricted-hostpath.yaml b/manifests/scc/scc-restricted-hostpath.yaml
new file mode 100644
index 0000000..9e44708
--- /dev/null
+++ b/manifests/scc/scc-restricted-hostpath.yaml
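Review bot: `allowPrivilegeEscalation: false` is now set in the manifest whose filename and `metadata.name` both say `restricted-hostpath-privesc`, while the newly added scc-restricted-hostpath.yaml keeps `allowPrivilegeEscalation: true` — the two files appear swapped (the new file's blob `9e44708` is this file's pre-change content), so after this commit the "privesc" SCC forbids privilege escalation and the plain one permits it. If this file is meant to remain the privilege-escalation variant, the line to restore is `allowPrivilegeEscalation: true`; otherwise rename the object as well so the SCC name matches the policy it enforces. Dropping `# Needed for /dev/dri hostPath` also removes the only recorded justification for `allowHostDirVolumePlugin: true`, which together with the CHOWN capability is the part of this SCC that needs a reason on record — keep the comment.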
@@ -0,0 +1,40 @@
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: restricted-hostpath-privesc
+allowHostDirVolumePlugin: true # Needed for /dev/dri hostPath
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities:
+ - CHOWN
+defaultAddCapabilities: null
+fsGroup:
+ type: MustRunAs
+ ranges:
+ - min: 1000
+ max: 2000
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+ - ALL
+runAsUser:
+ type: MustRunAsRange
+ uidRangeMin: 1000
+ uidRangeMax: 2000
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - hostPath # This is what distinguishes it from restricted-s6
+ - persistentVolumeClaim
+ - projected
+ - secret
+priority: 6 # Higher than restricted-s6 (5) due to hostPath access
+
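Review bot: `name: restricted-hostpath-privesc` in the new scc-restricted-hostpath.yaml is the same object name used by manifests/scc/scc-restricted-hostpath-privesc.yaml, so the two manifests describe one cluster-scoped SecurityContextConstraints object with different `allowPrivilegeEscalation` values and whichever is applied last wins; no SCC named `restricted-hostpath` is created at all, despite the commit subject. For the non-privesc hostPath variant this file should read `name: restricted-hostpath` and `allowPrivilegeEscalation: false`, which are the values the other file ended up with. Because `priority: 6` outranks restricted-s6, any user or service account bound to both SCCs will be matched against this more permissive hostPath one first, so bindings to it should be limited to the workloads that need /dev/dri. The `CHOWN` entry under `allowedCapabilities` lets a pod change ownership of files on a hostPath mount on the node, which deserves its own comment stating why it is required.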