Use user namespaces for all deployments

tchap · tchap · commit b252943d59f9 · 2025-09-18T08:04:37.000+02:00
This goes for both the operator and the operand.
diff --git a/bindata/assets/openshift-controller-manager/deploy.yaml b/bindata/assets/openshift-controller-manager/deploy.yaml
@@ -33,13 +33,17 @@ spec:
       name: openshift-controller-manager
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
-        openshift.io/required-scc: restricted-v2
+        openshift.io/required-scc: nonroot-v2
       labels:
         app: openshift-controller-manager-a
         controller-manager: "true"
     spec:
+      hostUsers: false
       securityContext:
         runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
         seccompProfile:
           type: RuntimeDefault
       priorityClassName: system-node-critical
diff --git a/bindata/assets/openshift-controller-manager/informer-clusterrole.yaml b/bindata/assets/openshift-controller-manager/informer-clusterrole.yaml
@@ -21,3 +21,12 @@ rules:
   - create
   - patch
   - update
+  # Allow for nonroot-v2 SCC
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  resourceNames:
+  - nonroot-v2
+  verbs:
+  - use
diff --git a/bindata/assets/openshift-controller-manager/route-controller-manager-clusterrole.yaml b/bindata/assets/openshift-controller-manager/route-controller-manager-clusterrole.yaml
@@ -49,3 +49,12 @@ rules:
   - get
   - list
   - watch
+# Allow for nonroot-v2 SCC
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  resourceNames:
+  - nonroot-v2
+  verbs:
+  - use
diff --git a/bindata/assets/openshift-controller-manager/route-controller-manager-deploy.yaml b/bindata/assets/openshift-controller-manager/route-controller-manager-deploy.yaml
@@ -23,13 +23,17 @@ spec:
       name: route-controller-manager
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
-        openshift.io/required-scc: restricted-v2
+        openshift.io/required-scc: nonroot-v2
       labels:
         app: route-controller-manager
         route-controller-manager: "true"
     spec:
+      hostUsers: false
       securityContext:
         runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
         seccompProfile:
           type: RuntimeDefault
       priorityClassName: system-node-critical
diff --git a/manifests/09_deployment.yaml b/manifests/09_deployment.yaml
@@ -23,6 +23,7 @@ spec:
       labels:
         app: openshift-controller-manager-operator
     spec:
+      hostUsers: false
       securityContext:
         runAsNonRoot: true
         runAsUser: 65534
