---
# SecurityContextConstraints "restricted-v2" as read back from an OpenShift
# cluster (server-populated fields such as managedFields, uid and
# resourceVersion are included; they are bookkeeping, not policy).
#
# Policy summary from the fields below:
#   - every host-namespace / host-path / privileged switch is false
#   - all capabilities are dropped; only NET_BIND_SERVICE may be re-added
#   - privilege escalation is refused, seccomp must be runtime/default
#   - UID and SELinux context come from the namespace's allocated range
#   - readOnlyRootFilesystem is NOT enforced, supplementalGroups is unrestricted
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints

# ---- host access: all denied -------------------------------------------
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
allowPrivilegeEscalation: false

# ---- capabilities -------------------------------------------------------
# Pods must drop ALL capabilities; the only one a pod may explicitly request
# back is NET_BIND_SERVICE (binding ports < 1024 without root).
allowedCapabilities:
  - NET_BIND_SERVICE
defaultAddCapabilities: null
requiredDropCapabilities:
  - ALL

# ---- identity / isolation ----------------------------------------------
# MustRunAsRange / MustRunAs take their values from the namespace annotations;
# supplementalGroups is not constrained by this SCC.
fsGroup:
  type: MustRunAs
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny

# Seccomp: a pod with no profile set gets runtime/default; any explicit
# profile must be this one.
seccompProfiles:
  - runtime/default

# Not enforced here — pods may still opt in via their own securityContext.
readOnlyRootFilesystem: false

# ---- volume types a pod may use ----------------------------------------
volumes:
  - configMap
  - csi
  - downwardAPI
  - emptyDir
  - ephemeral
  - persistentVolumeClaim
  - projected
  - secret

# No direct user/group grants: access is expected to come through RBAC
# (use of the SCC is granted via the "use" verb), not this list.
groups: []
users: []
priority: null

metadata:
  name: restricted-v2
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    # Folded scalar: identical value to the single-line original.
    kubernetes.io/description: >-
      restricted-v2 denies access to all host features and requires pods to be
      run with a UID, and SELinux context that are allocated to the namespace.
      This is the most restrictive SCC and it is used by default for
      authenticated users. On top of the legacy 'restricted' SCC, it also
      requires to drop ALL capabilities and does not allow privilege escalation
      binaries. It will also default the seccomp profile to runtime/default if
      unset, otherwise this seccomp profile is required.
  creationTimestamp: "2025-12-04T00:23:29Z"
  generation: 1
  # Owned by the ClusterVersion object: the CVO reconciles this SCC, so local
  # edits are expected to be reverted.
  ownerReferences:
    - apiVersion: config.openshift.io/v1
      controller: true
      kind: ClusterVersion
      name: version
      uid: be22703a-cdd6-4d16-8e1e-b4c0e7553556
  resourceVersion: "1981"
  uid: b129b8b5-b45c-42fc-b989-a0848ab4172b
  # Server-side-apply field ownership; written by the API server, not by hand.
  managedFields:
    - apiVersion: security.openshift.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:allowHostDirVolumePlugin: {}
        f:allowHostIPC: {}
        f:allowHostNetwork: {}
        f:allowHostPID: {}
        f:allowHostPorts: {}
        f:allowPrivilegeEscalation: {}
        f:allowPrivilegedContainer: {}
        f:allowedCapabilities: {}
        f:defaultAddCapabilities: {}
        f:fsGroup:
          .: {}
          f:type: {}
        f:groups: {}
        f:metadata:
          f:annotations:
            .: {}
            f:include.release.openshift.io/ibm-cloud-managed: {}
            f:include.release.openshift.io/self-managed-high-availability: {}
            f:include.release.openshift.io/single-node-developer: {}
            f:kubernetes.io/description: {}
        f:priority: {}
        f:readOnlyRootFilesystem: {}
        f:requiredDropCapabilities: {}
        f:runAsUser:
          .: {}
          f:type: {}
        f:seLinuxContext:
          .: {}
          f:type: {}
        f:seccompProfiles: {}
        f:supplementalGroups:
          .: {}
          f:type: {}
        f:users: {}
        f:volumes: {}
      manager: cluster-bootstrap
      operation: Update
      time: "2025-12-04T00:23:29Z"
    - apiVersion: security.openshift.io/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:ownerReferences:
            .: {}
            k:{"uid":"be22703a-cdd6-4d16-8e1e-b4c0e7553556"}: {}
      manager: cluster-version-operator
      operation: Update
      time: "2025-12-04T00:24:48Z"