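---
# RHACM Policy: enforce the stock OpenShift "restricted" SecurityContextConstraints
# on every managed cluster selected by the PlacementBinding in the second document.
# The whole file was collapsed onto two lines; restored to block style here.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-securitycontextconstraints-restricted
  namespace: rhacm-policies
  annotations:
    # Compliance mapping used by the RHACM governance dashboard.
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: SC System and Communications Protection
    policy.open-cluster-management.io/controls: SC-4 Information in Shared Resources
spec:
  # enforce: RHACM creates/patches the SCC on the managed cluster rather than only reporting drift.
  remediationAction: enforce
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-securitycontextconstraints-restricted
        spec:
          # The Policy-level spec.remediationAction above overrides this template-level value.
          remediationAction: enforce
          severity: high
          # SecurityContextConstraints are cluster-scoped, so the namespace selector
          # presumably has no effect on this object — kept as authored; verify against RHACM docs.
          namespaceSelector:
            include: ["*"]
          object-templates:
            # musthave: every listed field must be present with this value; fields not
            # listed here are left as-is on the cluster object.
            - complianceType: musthave
              objectDefinition:
                allowHostDirVolumePlugin: false
                allowHostIPC: false
                allowHostNetwork: false
                allowHostPID: false
                allowHostPorts: false
                # NOTE(review): true here matches the OpenShift default for the legacy
                # "restricted" SCC; setting it to false is the main hardening difference
                # in "restricted-v2". Left unchanged so enforcement does not diverge from
                # the stock object — confirm whether false is intended for dev-clusters.
                allowPrivilegeEscalation: true
                allowPrivilegedContainer: false
                allowedCapabilities: null
                apiVersion: security.openshift.io/v1
                defaultAddCapabilities: null
                fsGroup:
                  type: MustRunAs
                groups:
                  - system:authenticated
                kind: SecurityContextConstraints
                metadata:
                  annotations:
                    # Folded scalar: the value is a single line at runtime.
                    kubernetes.io/description: >-
                      restricted denies access to all host features and requires pods to be
                      run with a UID, and SELinux context that are allocated to the namespace.
                      This is the most restrictive SCC and it is used by default for
                      authenticated users.
                    # Quoted so the value stays a string and is not retyped as a boolean.
                    release.openshift.io/create-only: "true"
                  name: restricted
                priority: null
                readOnlyRootFilesystem: false
                # Capabilities every pod admitted under this SCC must drop.
                requiredDropCapabilities:
                  - KILL
                  - MKNOD
                  - SETUID
                  - SETGID
                runAsUser:
                  type: MustRunAsRange
                seLinuxContext:
                  type: MustRunAs
                supplementalGroups:
                  type: RunAsAny
                # Explicit empty list: no individual users bound; access comes via groups above.
                users: []
                # Volume plugins pods may use; host-path volumes are intentionally absent.
                volumes:
                  - configMap
                  - downwardAPI
                  - emptyDir
                  - persistentVolumeClaim
                  - projected
                  - secret
---
# Binds the Policy above to the "dev-clusters" PlacementRule in the same namespace.
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: securitycontextconstraints-restricted-binding
  namespace: rhacm-policies
placementRef:
  name: dev-clusters
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
  - name: policy-securitycontextconstraints-restricted
    kind: Policy
    apiGroup: policy.open-cluster-management.io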