From d179de074037572715fd74fbdbddb41c27cd2977 Mon Sep 17 00:00:00 2001
From: Pablo Acevedo Montserrat
Date: Wed, 25 May 2022 10:12:22 +0200
Subject: [PATCH] Restrict OpenShift SecurityContextConstraints

---
 .../core-dump-handler/templates/openshift-scc.yaml | 12 ++++-------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/charts/core-dump-handler/templates/openshift-scc.yaml b/charts/core-dump-handler/templates/openshift-scc.yaml
index 73c6ce1..9eaa155 100644
--- a/charts/core-dump-handler/templates/openshift-scc.yaml
+++ b/charts/core-dump-handler/templates/openshift-scc.yaml
@@ -7,10 +7,10 @@ metadata:
     "helm.sh/hook": pre-install
   name: {{ .Values.scc.name }}
 allowHostDirVolumePlugin: true
-allowHostIPC: true
-allowHostNetwork: true
-allowHostPID: true
-allowHostPorts: true
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
 allowPrivilegeEscalation: true
 allowPrivilegedContainer: true
 allowedCapabilities:
@@ -28,11 +28,7 @@ seLinuxContext:
 supplementalGroups:
   type: RunAsAny
 volumes:
-- configMap
-- downwardAPI
-- emptyDir
 - persistentVolumeClaim
-- projected
 - secret
 priority: 10
 users:
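Review bot: After this hunk the SCC still carries `allowPrivilegedContainer: true`, `allowPrivilegeEscalation: true` and `allowHostDirVolumePlugin: true`, so turning the four host namespace/port flags to false closes little: a privileged pod with a host-directory mount keeps root-equivalent access to the node regardless of those flags, and the subject line promises more restriction than the new side delivers. If the handler genuinely needs privileged plus hostPath, that should be recorded next to the grant, e.g. `# privileged + hostPath remain required by the handler DaemonSet; see chart docs for the rationale` above `allowPrivilegedContainer: true`, so the next reviewer does not re-open the same question. The `allowedCapabilities` list begins on the hunk's last line and its entries lie outside it, so what is still granted there cannot be judged here.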
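Review bot: The new `volumes` list names only `persistentVolumeClaim` and `secret` while `allowHostDirVolumePlugin: true` is kept in the first hunk, so the explicit volume allow-list and the host-directory flag now disagree; OpenShift reconciles the two at admission time in a way this patch does not show, so the effective list should be confirmed after install with `oc get scc <scc-name> -o yaml` rather than read off the template. Dropping `projected` also deserves a second look: recent OpenShift releases mount the service-account token as a projected volume, and unless SCC admission exempts that source the handler pod may be rejected once it is matched to this SCC — verify on a cluster before merging. The `users:` list that decides which service accounts receive this SCC starts on the hunk's last line and continues outside it.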