{{- if .Values.scc.create }}
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name:  {{ .Release.Name }}-scc
  labels:
{{ include "helm.labels" . | indent 4 }}
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
  - CHOWN
  - FOWNER
  - DAC_OVERRIDE
defaultAddCapabilities:
  - CHOWN
  - FOWNER
  - DAC_OVERRIDE
fsGroup:
  type: RunAsAny
priority: {{ .Values.scc.priority }}
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
seccompProfiles:
  - runtime/default
users:
  - system:serviceaccount:{{.Release.Namespace}}:{{ template "serviceAccountName" . }}
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
{{- end }}