scc: add restricted-v3

haircommander · haircommander · commit f460dc8ca381 · 2025-05-29T12:35:44.000-04:00
Signed-off-by: Peter Hunt &lt;pehunt@redhat.com&gt;
diff --git a/bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_cr-scc-restricted-v3.yaml b/bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_cr-scc-restricted-v3.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: system:openshift:scc:restricted-v3
+rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - restricted-v3
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
diff --git a/bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-restricted-v3.yaml b/bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-restricted-v3.yaml
@@ -0,0 +1,62 @@
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+- NET_BIND_SERVICE
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities:
+fsGroup:
+  type: MustRunAs
+  ranges:
+  - min: 1000
+    max: 65534
+groups: []
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    kubernetes.io/description: restricted-v3 denies access to all host features and requires
+      pods to be run with user namespace (and may not be root within that user namespace),
+      and SELinux context that are allocated to the namespace. This is the most restrictive SCC.
+      On top of the legacy 'restricted' SCC, it also requires to drop ALL capabilities
+      and does not allow privilege escalation binaries. It will also default the seccomp
+      profile to runtime/default if unset, otherwise this seccomp profile is required.
+      On top of the legacy 'restricted-v2' SCC, it requires a pod runs in a user namespace.
+      Because of this, the pod to be any non-root UID within the user namespace (between 1000-65534), and
+      it will still be unprivileged outside of the user namespace.
+  name: restricted-v3
+priority:
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- ALL
+runAsUser:
+  type: MustRunAsRange
+  ranges:
+  - min: 1000
+    max: 65534
+seLinuxContext:
+  type: MustRunAs
+seccompProfiles:
+- runtime/default
+supplementalGroups:
+  type: MustRunAs
+  ranges:
+  - min: 1000
+    max: 65534
+users: []
+userNamespaceLevel: RequirePodLevel
+volumes:
+- configMap
+- csi
+- downwardAPI
+- emptyDir
+- ephemeral
+- persistentVolumeClaim
+- projected
+- secret
