---
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    kubernetes.io/description: nonroot provides all features of the restricted SCC
      but allows users to run with any non-root UID.  The user must specify the UID
      or it must be specified on the by the manifest of the container runtime. On
      top of the legacy 'nonroot' SCC, it also requires to drop ALL capabilities and
      does not allow privilege escalation binaries. It will also default the seccomp
      profile to runtime/default if unset, otherwise this seccomp profile is required.
  creationTimestamp: "2025-10-11T10:24:20Z"
  generation: 1
  managedFields:
  - apiVersion: security.openshift.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:allowHostDirVolumePlugin: {}
      f:allowHostIPC: {}
      f:allowHostNetwork: {}
      f:allowHostPID: {}
      f:allowHostPorts: {}
      f:allowPrivilegeEscalation: {}
      f:allowPrivilegedContainer: {}
      f:allowedCapabilities: {}
      f:defaultAddCapabilities: {}
      f:fsGroup:
        .: {}
        f:type: {}
      f:groups: {}
      f:metadata:
        f:annotations:
          .: {}
          f:include.release.openshift.io/ibm-cloud-managed: {}
          f:include.release.openshift.io/self-managed-high-availability: {}
          f:include.release.openshift.io/single-node-developer: {}
          f:kubernetes.io/description: {}
      f:priority: {}
      f:readOnlyRootFilesystem: {}
      f:requiredDropCapabilities: {}
      f:runAsUser:
        .: {}
        f:type: {}
      f:seLinuxContext:
        .: {}
        f:type: {}
      f:seccompProfiles: {}
      f:supplementalGroups:
        .: {}
        f:type: {}
      f:users: {}
      f:volumes: {}
    manager: cluster-bootstrap
    operation: Update
    time: "2025-10-11T10:24:20Z"
  - apiVersion: security.openshift.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:ownerReferences:
          .: {}
          k:{"uid":"d5f199fe-acec-4610-b505-6d5fa3929e77"}: {}
    manager: cluster-version-operator
    operation: Update
    time: "2025-10-11T10:25:41Z"
  name: nonroot-v2
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    controller: true
    kind: ClusterVersion
    name: version
    uid: d5f199fe-acec-4610-b505-6d5fa3929e77
  resourceVersion: "1801"
  uid: b76ffbf6-2287-4661-92da-7d5cab3504b1
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
seccompProfiles:
- runtime/default
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret