fix(helm): use same scc as olm (#620)

razvan · web-flow · commit b047f466a7c9 · 2024-08-09T16:12:39.000Z
diff --git a/deploy/helm/opa-operator/templates/roles.yaml b/deploy/helm/opa-operator/templates/roles.yaml
@@ -101,52 +101,6 @@ rules:
     resourceNames:
       - {{ include "operator.name" . }}-clusterrole
 
-{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
----
-apiVersion: security.openshift.io/v1
-kind: SecurityContextConstraints
-metadata:
-  name: opa-scc
-  labels:
-  {{- include "operator.labels" . | nindent 4 }}
-  annotations:
-    kubernetes.io/description: |-
-      This resource is derived from hostmount-anyuid. It provides all the features of the
-      restricted SCC but allows host mounts and any UID by a pod.  This is primarily
-      used by the persistent volume recycler. WARNING: this SCC allows host file
-      system access as any UID, including UID 0.  Grant with caution.
-    release.openshift.io/create-only: "true"
-allowHostDirVolumePlugin: true
-allowHostIPC: false
-allowHostNetwork: false
-allowHostPID: false
-allowHostPorts: false
-allowPrivilegeEscalation: true
-allowPrivilegedContainer: false
-allowedCapabilities: null
-defaultAddCapabilities: null
-fsGroup:
-  type: RunAsAny
-groups: []
-priority: null
-readOnlyRootFilesystem: false
-runAsUser:
-  type: RunAsAny
-seLinuxContext:
-  type: MustRunAs
-supplementalGroups:
-  type: RunAsAny
-volumes:
-  - configMap
-  - downwardAPI
-  - emptyDir
-  - hostPath
-  - nfs
-  - persistentVolumeClaim
-  - projected
-  - secret
-  - ephemeral
-{{ end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -177,7 +131,7 @@ rules:
     resources:
       - securitycontextconstraints
     resourceNames:
-      - opa-scc
+      - nonroot-v2
     verbs:
       - use
 {{ end }}
