From e6e1970ca1dc48102a8409c82ff341864d4a4976 Mon Sep 17 00:00:00 2001
From: Conan Scott
Date: Wed, 14 Jan 2026 04:24:08 +0000
Subject: [PATCH] Add restricted SCC for Vault
---
 templates/scc.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 templates/scc.yaml
diff --git a/templates/scc.yaml b/templates/scc.yaml
new file mode 100644
index 0000000..9855704
--- /dev/null
+++ b/templates/scc.yaml
@@ -0,0 +1,24 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+ name: vault-restricted
+allowPrivilegedContainer: false
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+runAsUser:
+ type: MustRunAs
+ uid: 100
+seLinuxContext:
+ type: MustRunAs
+fsGroup:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+defaultAddCapabilities: []
+requiredDropCapabilities:
+- ALL
+users: []
+groups: []
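Review bot: The new SCC never sets `allowPrivilegeEscalation`, and OpenShift treats an unset value as allowed, so a pod admitted under `vault-restricted` can still request privilege escalation even though all capabilities are dropped. Add `allowPrivilegeEscalation: false` next to `allowPrivilegedContainer: false` so the constraint matches its "restricted" name. `supplementalGroups` is also left at `RunAsAny` while `fsGroup` and `seLinuxContext` use `MustRunAs`; unless Vault needs arbitrary group IDs, `type: MustRunAs` there would be consistent. No `volumes` allow-list is declared either, so it is worth confirming how the cluster treats an empty list against the volume types the Vault pod actually mounts.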