With more and more workloads being containerized, people want to inspect or run containers inside a Pod without needing a privileged Pod.
Currently this knowledge lives in blog posts such as https://www.redhat.com/sysadmin/podman-inside-kubernetes
However, understanding the implications of the changes needed (seccomp profile, dropping SELinux confinement) is not trivial, and a ready-to-use SCC for this purpose would help OpenShift users a lot.
Such a `nested` SCC should be based on the `restricted` SCC and allow the minimum permissions needed to run podman/buildah inside pods.
The needed permissions would include (to be verified):
- permission to use the `unshare` system call
- permission to run as an `unconfined` SELinux container (see https://bugzilla.redhat.com/show_bug.cgi?id=2081037)
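As an added illustration (not from this issue and not an SCC shipped by OpenShift), the fields such a `nested` SCC would touch relative to `restricted`; the seccomp profile file name and the exact set of relaxations are assumptions, in line with the "to be verified" note above:

```yaml
# Added illustration, not code from the issue or from OpenShift: a sketch of a
# `nested` SCC derived from `restricted`. The seccomp profile file name and the
# exact relaxations are assumptions; the issue itself marks them "to be verified".
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: nested
# Unchanged from `restricted`: no privileged containers, no host namespaces,
# no host paths, no added capabilities, non-root UID from the namespace range.
allowPrivilegedContainer: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
allowHostPorts: false
allowHostDirVolumePlugin: false
readOnlyRootFilesystem: false
allowedCapabilities: null
defaultAddCapabilities: null
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: MustRunAsRange
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
# Relaxation 1 (seccomp): allow a node-local profile that permits the unshare
# syscall (assumed file name; the file must be present on every node under the
# kubelet seccomp root). `unconfined` would also work but removes all filtering.
seccompProfiles:
- localhost/nested-unshare.json
# Relaxation 2 (SELinux): RunAsAny lets the pod choose its own label (for example
# an unconfined type such as spc_t) instead of the enforced container_t, so the
# container engine inside the pod is no longer SELinux-confined.
seLinuxContext:
  type: RunAsAny
```

Because both relaxations widen what a pod can do, the SCC should be granted to a dedicated service account rather than to a group such as `system:authenticated`.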