{{- if .Values.platform.openshift }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  labels:
    {{- include "gpu-operator.labels" . | nindent 4 }}
    app.kubernetes.io/component: "gpu-operator"
  annotations:
    kubernetes.io/description: restricted denies access to all host features and requires
      pods to be run with a UID, read-only root filesystem and SELinux context that are 
      allocated to the namespace.  This SCC is more restrictive than the default
      restrictive SCC and it is used by default for authenticated users and operators and operands.
  name: restricted-readonly
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: []
defaultAddCapabilities: []
fsGroup:
  type: MustRunAs
groups:
- system:authenticated
priority: 0
readOnlyRootFilesystem: true
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: 
- system:serviceaccount:{{ $.Release.Namespace }}:gpu-operator
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
{{- end }}