# SecurityContextConstraints "restricted-hostpath": a variant of the
# restricted-s6 SCC (referenced in the comments below) that additionally
# permits hostPath volumes; the inline comments say this is for /dev/dri.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: restricted-hostpath

# NOTE(review): an SCC cannot restrict *which* host path is mounted, so any
# host path can be mounted by a pod admitted under this SCC. Keep exposure
# small by granting this SCC only to the service accounts that need /dev/dri.
allowHostDirVolumePlugin: true  # Needed for /dev/dri hostPath

# Host namespaces and host ports stay disabled.
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false

# NOTE(review): true lets a process gain privilege through setuid or
# file-capability binaries (no_new_privs is not enforced). Confirm this is
# actually required by the /dev/dri workload; otherwise false is the safer
# setting.
allowPrivilegeEscalation: true
allowPrivilegedContainer: false

# Every capability is dropped (requiredDropCapabilities: ALL below). A pod may
# add back CHOWN only by requesting it explicitly; nothing is added by default.
allowedCapabilities:
  - CHOWN
defaultAddCapabilities: null

# fsGroup and runAsUser are pinned to the same 1000-2000 range, so containers
# cannot start as root (uid 0 is outside the range).
fsGroup:
  type: MustRunAs
  ranges:
    - min: 1000
      max: 2000

# Writable root filesystem is allowed.
readOnlyRootFilesystem: false

requiredDropCapabilities:
  - ALL

runAsUser:
  type: MustRunAsRange
  uidRangeMin: 1000
  uidRangeMax: 2000

# An SELinux label is required for every container; no seLinuxOptions are
# given here, so presumably the namespace's pre-allocated label is used —
# confirm.
seLinuxContext:
  type: MustRunAs

# NOTE(review): supplemental groups are unconstrained, unlike fsGroup.
# Presumably this is so a pod can join the host group that owns /dev/dri —
# confirm; if it is not needed, MustRunAs with the same 1000-2000 range as
# fsGroup would be consistent with the rest of this SCC.
supplementalGroups:
  type: RunAsAny

volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - hostPath  # This is what distinguishes it from restricted-s6
  - persistentVolumeClaim
  - projected
  - secret

# NOTE(review): SCCs are tried highest priority first, so a service account
# granted both this SCC and restricted-s6 will have every pod admitted under
# this one, including pods that mount no hostPath at all. Grant it only where
# hostPath is actually required.
priority: 6  # Higher than restricted-s6 (5) due to hostPath access