Use user namespaces for all deployments

tchap · tchap · commit e822a350ff04 · 2025-10-06T16:39:25.000+02:00
This goes for both the operator and the operands.

All deployments now contain hostUsers: false.
The SC user and group IDs are set to 1000.
diff --git a/bindata/assets/openshift-controller-manager/deploy.yaml b/bindata/assets/openshift-controller-manager/deploy.yaml
@@ -33,13 +33,16 @@ spec:
       name: openshift-controller-manager
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
-        openshift.io/required-scc: restricted-v2
+        openshift.io/required-scc: restricted-v3
       labels:
         app: openshift-controller-manager-a
         controller-manager: "true"
     spec:
+      hostUsers: false
       securityContext:
-        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
         seccompProfile:
           type: RuntimeDefault
       priorityClassName: system-node-critical
diff --git a/bindata/assets/openshift-controller-manager/route-controller-manager-deploy.yaml b/bindata/assets/openshift-controller-manager/route-controller-manager-deploy.yaml
@@ -23,13 +23,16 @@ spec:
       name: route-controller-manager
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
-        openshift.io/required-scc: restricted-v2
+        openshift.io/required-scc: restricted-v3
       labels:
         app: route-controller-manager
         route-controller-manager: "true"
     spec:
+      hostUsers: false
       securityContext:
-        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
         seccompProfile:
           type: RuntimeDefault
       priorityClassName: system-node-critical
diff --git a/manifests/09_deployment.yaml b/manifests/09_deployment.yaml
@@ -19,13 +19,15 @@ spec:
       name: openshift-controller-manager-operator
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
-        openshift.io/required-scc: nonroot-v2
+        openshift.io/required-scc: restricted-v3
       labels:
         app: openshift-controller-manager-operator
     spec:
+      hostUsers: false
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
         seccompProfile:
           type: RuntimeDefault
       serviceAccountName: openshift-controller-manager-operator
