{{- if eq (include "mimir.rbac.useSecurityContextConstraints" .) "true" }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: {{ include "mimir.resourceName" (dict "ctx" .) }}
  labels:
    {{- include "mimir.labels" (dict "ctx" .) | nindent 4 }}
  namespace: {{ .Release.Namespace | quote }}
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
  - system:serviceaccount:openshift-infra:pv-recycler-controller
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - hostPath
  - nfs
  - persistentVolumeClaim
  - projected
  - secret
{{- end }}