apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vault-restricted-scc-role
rules:
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  resourceNames:
  - vault-restricted
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vault-restricted-scc-binding
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: vault-restricted-scc-role
subjects:
- kind: ServiceAccount
  name: vault
  namespace: {{ .Release.Namespace }}