
Conversation

@tchap tchap commented Nov 11, 2025

This effectively enforces user namespace.
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Nov 11, 2025
@openshift-ci-robot openshift-ci-robot commented Nov 11, 2025

@tchap: This pull request references CNTRLPLANE-1544 which is a valid jira issue.

Details

In response to this:

This effectively enforces user namespace.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai bot commented Nov 11, 2025

Walkthrough

The config operator deployment manifest has been updated with enhanced security constraints. Changes include updating the required SCC annotation from nonroot-v2 to restricted-v3, adding spec.hostUsers: false, and removing the specific securityContext.runAsUser value while maintaining runAsNonRoot: true.

Changes

Cohort / File(s) Summary
Security Configuration Updates
manifests/0000_10_config-operator_07_deployment.yaml
Updated SCC annotation from nonroot-v2 to restricted-v3; added spec.hostUsers: false; removed securityContext.runAsUser: 65534

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Verify that the stricter SCC annotation (restricted-v3) is compatible with the config operator's runtime requirements
  • Confirm that removing the explicit runAsUser value does not cause unexpected permission or execution issues
  • Validate that hostUsers: false aligns with operational constraints and doesn't break pod networking or process isolation

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 347bebc and f1f99d6.

📒 Files selected for processing (1)
  • manifests/0000_10_config-operator_07_deployment.yaml (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • manifests/0000_10_config-operator_07_deployment.yaml
🔇 Additional comments (1)
manifests/0000_10_config-operator_07_deployment.yaml (1)

24-24: No issues found—SCC and user namespace changes are compatible with the operator.

The operator code contains no hardcoded UID/GID assumptions, file permission operations, or host-level resource access. The deployment enforces runAsNonRoot: true with hostUsers: false, enabling user namespace isolation while keeping capabilities dropped to ["ALL"] and blocking privilege escalation. The change from nonroot-v2 to restricted-v3 SCC is safe and aligns with the security hardening objective.


Comment @coderabbitai help to get the list of available commands and usage tips.
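The walkthrough above lists the hardened shape the manifest should have after this PR: required SCC `restricted-v3`, `hostUsers: false` on the pod template, `runAsNonRoot: true` with no pinned `runAsUser`, capabilities dropped to `ALL`, and privilege escalation blocked. The following is an added example written for this page, not code from the cluster-config-operator repository or the PR: a small Go checker that reads a Deployment in JSON form (the shape `kubectl get deploy -o json` emits) and reports every deviation from that target. The annotation key `openshift.io/required-scc`, the two embedded manifests (a constructed "before" mirroring the old settings and a constructed "after" mirroring the new ones), and the container name are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed annotation key that pins the SCC a pod must be admitted under.
const requiredSCCAnnotation = "openshift.io/required-scc"

// deployment is a minimal projection of apps/v1 Deployment: only the fields
// the hardening checks look at are decoded.
type deployment struct {
	Spec struct {
		Template struct {
			Metadata struct {
				Annotations map[string]string `json:"annotations"`
			} `json:"metadata"`
			Spec podSpec `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

type podSpec struct {
	HostUsers       *bool `json:"hostUsers"` // pointer: distinguishes "unset" from "false"
	SecurityContext struct {
		RunAsNonRoot *bool  `json:"runAsNonRoot"`
		RunAsUser    *int64 `json:"runAsUser"`
	} `json:"securityContext"`
	Containers []struct {
		Name            string `json:"name"`
		SecurityContext struct {
			AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation"`
			Capabilities             struct {
				Drop []string `json:"drop"`
			} `json:"capabilities"`
		} `json:"securityContext"`
	} `json:"containers"`
}

// CheckUserNSHardening returns one finding per deviation from the hardened
// shape; an empty slice means the manifest matches it.
func CheckUserNSHardening(manifestJSON []byte) ([]string, error) {
	var d deployment
	if err := json.Unmarshal(manifestJSON, &d); err != nil {
		return nil, fmt.Errorf("decoding manifest: %w", err)
	}
	var findings []string
	tpl := d.Spec.Template

	if scc := tpl.Metadata.Annotations[requiredSCCAnnotation]; scc != "restricted-v3" {
		findings = append(findings, fmt.Sprintf("%s is %q, want restricted-v3", requiredSCCAnnotation, scc))
	}
	ps := tpl.Spec
	// hostUsers must be set to false explicitly: an unset field means the
	// pod shares the host user namespace.
	if ps.HostUsers == nil || *ps.HostUsers {
		findings = append(findings, "spec.template.spec.hostUsers must be explicitly false")
	}
	if ps.SecurityContext.RunAsNonRoot == nil || !*ps.SecurityContext.RunAsNonRoot {
		findings = append(findings, "securityContext.runAsNonRoot must be true")
	}
	// A fixed UID is no longer wanted: the restricted SCC assigns the UID
	// from the namespace range, so a pinned value may fail admission.
	if ps.SecurityContext.RunAsUser != nil {
		findings = append(findings, fmt.Sprintf("securityContext.runAsUser=%d should be removed", *ps.SecurityContext.RunAsUser))
	}
	for _, c := range ps.Containers {
		sc := c.SecurityContext
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			findings = append(findings, fmt.Sprintf("container %q: allowPrivilegeEscalation must be false", c.Name))
		}
		dropAll := false
		for _, name := range sc.Capabilities.Drop {
			if strings.EqualFold(name, "ALL") {
				dropAll = true
			}
		}
		if !dropAll {
			findings = append(findings, fmt.Sprintf("container %q: capabilities.drop must include ALL", c.Name))
		}
	}
	return findings, nil
}

// Constructed sample mirroring the settings the PR replaces.
const LegacyManifest = `{"spec":{"template":{"metadata":{"annotations":{"openshift.io/required-scc":"nonroot-v2"}},
"spec":{"securityContext":{"runAsNonRoot":true,"runAsUser":65534},
"containers":[{"name":"config-operator","securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}}]}}}}`

// Constructed sample mirroring the settings the PR introduces.
const HardenedManifest = `{"spec":{"template":{"metadata":{"annotations":{"openshift.io/required-scc":"restricted-v3"}},
"spec":{"hostUsers":false,"securityContext":{"runAsNonRoot":true},
"containers":[{"name":"config-operator","securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}}]}}}}`

func main() {
	for label, m := range map[string]string{"legacy": LegacyManifest, "hardened": HardenedManifest} {
		findings, err := CheckUserNSHardening([]byte(m))
		if err != nil {
			fmt.Println(label, "error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", label, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run against the legacy sample the checker reports three findings (wrong SCC, `hostUsers` unset, pinned `runAsUser`); the hardened sample reports none. Using pointer fields for the booleans is deliberate: `hostUsers` defaults to true when absent, so "false" and "missing" have to be told apart, and the same applies to `runAsNonRoot` and `allowPrivilegeEscalation`.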

@openshift-ci openshift-ci bot requested review from JoelSpeed and deads2k November 11, 2025 14:11
@tchap tchap (author) commented Nov 12, 2025

/retest

@tchap tchap (author) commented Nov 12, 2025

/retest

@tchap tchap (author) commented Nov 13, 2025

/retest

@ropatil010 commented
/test e2e-aws-serial-techpreview-1of2

@openshift-ci openshift-ci bot commented Nov 17, 2025

@tchap: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@JoelSpeed commented

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 4, 2025
@openshift-ci openshift-ci bot commented Dec 4, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoelSpeed, tchap

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 4, 2025

4 participants