From 65c1f128c04fbb6814bceece0a1bc6c1d178579c Mon Sep 17 00:00:00 2001
From: Conan Scott
Date: Wed, 14 Jan 2026 04:24:17 +0000
Subject: [PATCH] Add RBAC for Vault restricted SCC
---
templates/scc-rbac.yaml | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 templates/scc-rbac.yaml
diff --git a/templates/scc-rbac.yaml b/templates/scc-rbac.yaml
new file mode 100644
index 0000000..ca049bd
--- /dev/null
+++ b/templates/scc-rbac.yaml
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: vault-restricted-scc-role
+rules:
+- apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ resourceNames:
+ - vault-restricted
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: vault-restricted-scc-binding
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vault-restricted-scc-role
+subjects:
+- kind: ServiceAccount
+ name: vault
+ namespace: {{ .Release.Namespace }}
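Review bot: The RoleBinding subject is pinned to a ServiceAccount literally named `vault`, and the cluster-scoped ClusterRole to the fixed name `vault-restricted-scc-role`, so neither follows the release. If the chart lets the service account name be overridden (not visible in this patch), the `use` grant on the `vault-restricted` SCC would go to whichever account is called `vault` in the namespace rather than the one the pods actually run as; the subject name should come from the same value or helper that names the chart's ServiceAccount. Because a ClusterRole is not namespaced, a second release of the chart would also collide on that fixed name, which a release-derived name in both `metadata.name` and `roleRef.name` (for example `{{ .Release.Namespace }}-{{ .Release.Name }}-scc-role`) avoids. Separately, both templated namespaces should be quoted, `namespace: {{ .Release.Namespace | quote }}`, since an all-digit namespace name would otherwise render as a YAML integer. Scoping the rule with `resourceNames` and using a RoleBinding rather than a ClusterRoleBinding keeps the grant narrow and is worth keeping as is.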