{{- if .Values.scc.create }}
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: {{ .Release.Name }}-prometheus-server
allowPrivilegedContainer: false
allowHostNetwork: false
allowHostDirVolumePlugin: true
allowHostPorts: true
allowHostPID: false
allowHostIPC: false
readOnlyRootFilesystem: false
requiredDropCapabilities:
- CHOWN
- KILL
- MKNOD
- SETUID
- SETGID
defaultAddCapabilities: []
allowedCapabilities: []
priority: 0
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
users:
  - system:serviceaccount:{{.Release.Namespace}}:prometheus-server
{{- end }}