Use restricted-v3 SCC profile

tchap · tchap · commit 72cf759a7c63 · 2025-10-01T21:23:15.000+02:00
diff --git a/bindata/assets/openshift-controller-manager/deploy.yaml b/bindata/assets/openshift-controller-manager/deploy.yaml
@@ -33,19 +33,16 @@ spec:
       name: openshift-controller-manager
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
-        openshift.io/required-scc: nonroot-v2
+        openshift.io/required-scc: restricted-v3
       labels:
         app: openshift-controller-manager-a
         controller-manager: "true"
     spec:
       hostUsers: false
       securityContext:
-        runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 1000
         fsGroup: 1000
-        seccompProfile:
-          type: RuntimeDefault
       priorityClassName: system-node-critical
       serviceAccountName: openshift-controller-manager-sa
       containers:
diff --git a/bindata/assets/openshift-controller-manager/informer-clusterrole.yaml b/bindata/assets/openshift-controller-manager/informer-clusterrole.yaml
@@ -21,12 +21,3 @@ rules:
   - create
   - patch
   - update
-  # Allow for nonroot-v2 SCC
-- apiGroups:
-  - security.openshift.io
-  resources:
-  - securitycontextconstraints
-  resourceNames:
-  - nonroot-v2
-  verbs:
-  - use
diff --git a/bindata/assets/openshift-controller-manager/route-controller-manager-clusterrole.yaml b/bindata/assets/openshift-controller-manager/route-controller-manager-clusterrole.yaml
@@ -49,12 +49,3 @@ rules:
   - get
   - list
   - watch
-# Allow for nonroot-v2 SCC
-- apiGroups:
-  - security.openshift.io
-  resources:
-  - securitycontextconstraints
-  resourceNames:
-  - nonroot-v2
-  verbs:
-  - use
diff --git a/bindata/assets/openshift-controller-manager/route-controller-manager-deploy.yaml b/bindata/assets/openshift-controller-manager/route-controller-manager-deploy.yaml
@@ -23,19 +23,16 @@ spec:
       name: route-controller-manager
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
-        openshift.io/required-scc: nonroot-v2
+        openshift.io/required-scc: restricted-v3
       labels:
         app: route-controller-manager
         route-controller-manager: "true"
     spec:
       hostUsers: false
       securityContext:
-        runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 1000
         fsGroup: 1000
-        seccompProfile:
-          type: RuntimeDefault
       priorityClassName: system-node-critical
       serviceAccountName: route-controller-manager-sa
       containers:
diff --git a/manifests/09_deployment.yaml b/manifests/09_deployment.yaml
@@ -19,18 +19,15 @@ spec:
       name: openshift-controller-manager-operator
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
-        openshift.io/required-scc: nonroot-v2
+        openshift.io/required-scc: restricted-v3
       labels:
         app: openshift-controller-manager-operator
     spec:
       hostUsers: false
       securityContext:
-        runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 1000
         fsGroup: 1000
-        seccompProfile:
-          type: RuntimeDefault
       serviceAccountName: openshift-controller-manager-operator
       containers:
       - name: openshift-controller-manager-operator
