From ba0a892acc3092d49d097e0d17ab7e7bc4c5206f Mon Sep 17 00:00:00 2001
From: Ondra Kupka
Date: Mon, 20 Oct 2025 16:12:14 +0200
Subject: [PATCH] helm: Enable user namespaces for deployment

Also switch to hostmount-anyuid-v2 SCC instead of privileged.

---
 ...eployment-olmv1-system-catalogd-controller-manager.yml | 2 +-
 ...lmv1-system-operator-controller-controller-manager.yml | 2 +-
 .../templates/rbac/clusterrole-catalogd-manager-role.yml | 2 +-
 .../rbac/clusterrole-operator-controller-manager-role.yml | 2 +-
 helm/olmv1/values.yaml | 4 ++--
 manifests/experimental-e2e.yaml | 8 ++++----
 manifests/experimental.yaml | 8 ++++----
 manifests/standard-e2e.yaml | 8 ++++----
 manifests/standard.yaml | 8 ++++----
 9 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/helm/olmv1/templates/deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/deployment-olmv1-system-catalogd-controller-manager.yml
index 5beb73826..907d33c8e 100644
--- a/helm/olmv1/templates/deployment-olmv1-system-catalogd-controller-manager.yml
+++ b/helm/olmv1/templates/deployment-olmv1-system-catalogd-controller-manager.yml
@@ -28,7 +28,7 @@ spec:
 {{- include "olmv1.annotations" . | nindent 8 }}
 {{- if .Values.options.openshift.enabled }}
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
- openshift.io/required-scc: privileged
+ openshift.io/required-scc: hostmount-anyuid-v2
 {{- end }}
 labels:
 app.kubernetes.io/name: catalogd
diff --git a/helm/olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml
index a3bdea06f..cea5479e1 100644
--- a/helm/olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml
+++ b/helm/olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml
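Review bot: `hostmount-anyuid-v2` still permits hostPath volumes and any UID, so the new `openshift.io/required-scc` value is a large reduction from `privileged` but may not be the floor for this pod. The same series pins the pod to `runAsNonRoot: true`, `runAsUser: 1000` and `hostUsers: false`, which would satisfy `nonroot-v2` unless a hostPath volume is mounted; the volumes are outside this hunk, so if none is needed, `openshift.io/required-scc: nonroot-v2` (with the matching `resourceNames` entry in the two ClusterRoles) is the tighter choice. The SCC name is now spelled out in four templates; a single value such as `.Values.options.openshift.scc` would keep the annotation and the RBAC `use` grant from drifting apart. The annotations mapping this line belongs to starts before the hunk.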
@@ -27,7 +27,7 @@ spec:
 {{- include "olmv1.annotations" . | nindent 8 }}
 {{- if .Values.options.openshift.enabled }}
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
- openshift.io/required-scc: privileged
+ openshift.io/required-scc: hostmount-anyuid-v2
 {{- end }}
 labels:
 app.kubernetes.io/name: operator-controller
diff --git a/helm/olmv1/templates/rbac/clusterrole-catalogd-manager-role.yml b/helm/olmv1/templates/rbac/clusterrole-catalogd-manager-role.yml
index fe43d1966..126d0950b 100644
--- a/helm/olmv1/templates/rbac/clusterrole-catalogd-manager-role.yml
+++ b/helm/olmv1/templates/rbac/clusterrole-catalogd-manager-role.yml
@@ -41,7 +41,7 @@ rules:
 resources:
 - securitycontextconstraints
 resourceNames:
- - privileged
+ - hostmount-anyuid-v2
 verbs:
 - use
 {{- end }}
diff --git a/helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml b/helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml
index 84f221003..8b4c15e74 100644
--- a/helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml
+++ b/helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml
@@ -68,7 +68,7 @@ rules:
 resources:
 - securitycontextconstraints
 resourceNames:
- - privileged
+ - hostmount-anyuid-v2
 verbs:
 - use
 {{- end }}
diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml
index 7b6a2cb7e..146b5d316 100644
--- a/helm/olmv1/values.yaml
+++ b/helm/olmv1/values.yaml
@@ -66,10 +66,10 @@ deployments:
 nodeSelector:
 kubernetes.io/os: linux
 node-role.kubernetes.io/control-plane: ""
+ hostUsers: false
 securityContext:
 runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
+ runAsUser: 1000
 terminationGracePeriodSeconds: 10
 tolerations:
 - effect: NoSchedule
diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml
index 39ff01d61..4e995a9e4 100644
--- a/manifests/experimental-e2e.yaml
+++ b/manifests/experimental-e2e.yaml
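Review bot: Removing `seccompProfile: type: RuntimeDefault` in the values.yaml hunk leaves the chart with no seccomp confinement on clusters that are not OpenShift, and the commit message does not say why user namespaces require it. On OpenShift the `-v2` SCCs are, as far as I recall, defined with `seccompProfiles: runtime/default` so admission should fill the field in there, but this block is also rendered when `options.openshift.enabled` is false, where a plain Kubernetes cluster runs the containers unconfined unless the kubelet's `SeccompDefault` is on, and the pod no longer meets the `restricted` Pod Security Standard. Unless `hostUsers: false` is known to conflict with `RuntimeDefault` on a supported runtime, keep the two removed lines, or make the removal conditional on the OpenShift flag with a comment such as `# seccomp profile is injected by the SCC on OpenShift`. A short comment above `hostUsers: false` noting that it needs the `UserNamespacesSupport` feature gate and a container runtime with user-namespace (idmapped mount) support would also save users a confusing pod-start failure on older clusters.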
@@ -2125,13 +2125,13 @@ spec:
 operator: In
 values:
 - linux
+ hostUsers: false
 nodeSelector:
 kubernetes.io/os: linux
 node-role.kubernetes.io/control-plane: ""
 securityContext:
 runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
+ runAsUser: 1000
 terminationGracePeriodSeconds: 10
 tolerations:
 - effect: NoSchedule
@@ -2284,13 +2284,13 @@ spec:
 operator: In
 values:
 - linux
+ hostUsers: false
 nodeSelector:
 kubernetes.io/os: linux
 node-role.kubernetes.io/control-plane: ""
 securityContext:
 runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
+ runAsUser: 1000
 terminationGracePeriodSeconds: 10
 tolerations:
 - effect: NoSchedule
diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml
index 86bba145d..16a4effbd 100644
--- a/manifests/experimental.yaml
+++ b/manifests/experimental.yaml
@@ -2038,13 +2038,13 @@ spec:
 operator: In
 values:
 - linux
+ hostUsers: false
 nodeSelector:
 kubernetes.io/os: linux
 node-role.kubernetes.io/control-plane: ""
 securityContext:
 runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
+ runAsUser: 1000
 terminationGracePeriodSeconds: 10
 tolerations:
 - effect: NoSchedule
@@ -2183,13 +2183,13 @@ spec:
 operator: In
 values:
 - linux
+ hostUsers: false
 nodeSelector:
 kubernetes.io/os: linux
 node-role.kubernetes.io/control-plane: ""
 securityContext:
 runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
+ runAsUser: 1000
 terminationGracePeriodSeconds: 10
 tolerations:
 - effect: NoSchedule
diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml
index 783beec51..5cea72b6b 100644
--- a/manifests/standard-e2e.yaml
+++ b/manifests/standard-e2e.yaml
@@ -1876,13 +1876,13 @@ spec:
 operator: In
 values:
 - linux
+ hostUsers: false
 nodeSelector:
 kubernetes.io/os: linux
 node-role.kubernetes.io/control-plane: ""
 securityContext:
 runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
+ runAsUser: 1000
 terminationGracePeriodSeconds: 10
 tolerations:
 - effect: NoSchedule
@@ -2029,13 +2029,13 @@ spec:
 operator: In
 values:
 - linux
+ hostUsers: false
 nodeSelector:
 kubernetes.io/os: linux
 node-role.kubernetes.io/control-plane: ""
 securityContext:
 runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
+ runAsUser: 1000
 terminationGracePeriodSeconds: 10
 tolerations:
 - effect: NoSchedule
diff --git a/manifests/standard.yaml b/manifests/standard.yaml
index 95e400c26..162f7b0f5 100644
--- a/manifests/standard.yaml
+++ b/manifests/standard.yaml
@@ -1789,13 +1789,13 @@ spec:
 operator: In
 values:
 - linux
+ hostUsers: false
 nodeSelector:
 kubernetes.io/os: linux
 node-role.kubernetes.io/control-plane: ""
 securityContext:
 runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
+ runAsUser: 1000
 terminationGracePeriodSeconds: 10
 tolerations:
 - effect: NoSchedule
@@ -1928,13 +1928,13 @@ spec:
 operator: In
 values:
 - linux
+ hostUsers: false
 nodeSelector:
 kubernetes.io/os: linux
 node-role.kubernetes.io/control-plane: ""
 securityContext:
 runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
+ runAsUser: 1000
 terminationGracePeriodSeconds: 10
 tolerations:
 - effect: NoSchedule