@mangelajo
Created June 14, 2022 12:58
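kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  annotations:
    kubernetes.io/description: Restrict plugins UID range.
  name: restricted-plugins
fsGroup:
  type: MustRunAs
# Subjects allowed to use this SCC: every authenticated user (via the group)
# and the default service account of the app-plugin1 namespace.
groups:
- system:authenticated
users:
- system:serviceaccount:app-plugin1:default
priority: 10
readOnlyRootFilesystem: false
# Capabilities removed from every container admitted under this SCC.
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
# Pods admitted under this SCC must run as UID 2000.
runAsUser:
  type: MustRunAs
  uid: 2000
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
# No host namespaces, host ports, hostPath volumes or privileged containers.
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
# Privilege escalation stays allowed: no_new_privs is not forced on containers.
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
# Volume types that pods may mount.
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret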