bindata: Use restricted-v3 scc for deployments

tchap · tchap · commit f72a6563de2e · 2025-11-11T15:47:13.000+01:00
This effectively enforces user namespaces.
diff --git a/bindata/assets/deployments/console-deployment.yaml b/bindata/assets/deployments/console-deployment.yaml
@@ -21,13 +21,14 @@ spec:
         component: ui
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
-        openshift.io/required-scc: restricted-v2
+        openshift.io/required-scc: restricted-v3
     spec:
       nodeSelector:
         node-role.kubernetes.io/master: ""
       restartPolicy: Always
       serviceAccountName: console
       schedulerName: default-scheduler
+      hostUsers: false
       securityContext:
         runAsNonRoot: true
         seccompProfile:
diff --git a/bindata/assets/deployments/downloads-deployment.yaml b/bindata/assets/deployments/downloads-deployment.yaml
@@ -22,12 +22,13 @@ spec:
         component: downloads
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
-        openshift.io/required-scc: restricted-v2
+        openshift.io/required-scc: restricted-v3
     spec:
       nodeSelector:
         kubernetes.io/os: linux
         node-role.kubernetes.io/master: ""
       terminationGracePeriodSeconds: 0
+      hostUsers: false
       securityContext:
         runAsNonRoot: true
         seccompProfile:
diff --git a/pkg/console/subresource/deployment/deployment_test.go b/pkg/console/subresource/deployment/deployment_test.go
@@ -137,7 +137,7 @@ func TestDefaultDeployment(t *testing.T) {
 		infrastructureConfigResourceVersionAnnotation:  "",
 		consoleImageAnnotation:                         "",
 		workloadManagementAnnotation:                   workloadManagementAnnotationValue,
-		requiredSCCAnnotation:                          "restricted-v2",
+		requiredSCCAnnotation:                          "restricted-v3",
 	}
 
 	consoleDeploymentAffinity := &corev1.Affinity{
@@ -244,6 +244,7 @@ func TestDefaultDeployment(t *testing.T) {
 							RestartPolicy:                 corev1.RestartPolicyAlways,
 							SchedulerName:                 corev1.DefaultSchedulerName,
 							TerminationGracePeriodSeconds: &gracePeriod,
+							HostUsers:                     ptr.To(false),
 							SecurityContext: &corev1.PodSecurityContext{
 								RunAsNonRoot: utilpointer.Bool(true),
 								SeccompProfile: &corev1.SeccompProfile{
@@ -322,6 +323,7 @@ func TestDefaultDeployment(t *testing.T) {
 							RestartPolicy:                 corev1.RestartPolicyAlways,
 							SchedulerName:                 corev1.DefaultSchedulerName,
 							TerminationGracePeriodSeconds: &gracePeriod,
+							HostUsers:                     ptr.To(false),
 							SecurityContext: &corev1.PodSecurityContext{
 								RunAsNonRoot: utilpointer.Bool(true),
 								SeccompProfile: &corev1.SeccompProfile{
@@ -400,6 +402,7 @@ func TestDefaultDeployment(t *testing.T) {
 							RestartPolicy:                 corev1.RestartPolicyAlways,
 							SchedulerName:                 corev1.DefaultSchedulerName,
 							TerminationGracePeriodSeconds: &gracePeriod,
+							HostUsers:                     ptr.To(false),
 							SecurityContext: &corev1.PodSecurityContext{
 								RunAsNonRoot: utilpointer.Bool(true),
 								SeccompProfile: &corev1.SeccompProfile{
@@ -471,6 +474,7 @@ func TestDefaultDeployment(t *testing.T) {
 							RestartPolicy:                 corev1.RestartPolicyAlways,
 							SchedulerName:                 corev1.DefaultSchedulerName,
 							TerminationGracePeriodSeconds: &gracePeriod,
+							HostUsers:                     ptr.To(false),
 							SecurityContext: &corev1.PodSecurityContext{
 								RunAsNonRoot: utilpointer.Bool(true),
 								SeccompProfile: &corev1.SeccompProfile{
@@ -1627,6 +1631,7 @@ func TestDefaultDownloadsDeployment(t *testing.T) {
 				TolerationSeconds: &tolerationSeconds,
 			},
 		},
+		HostUsers: ptr.To(false),
 		SecurityContext: &corev1.PodSecurityContext{
 			RunAsNonRoot: utilpointer.Bool(true),
 			SeccompProfile: &corev1.SeccompProfile{
@@ -1742,7 +1747,7 @@ func TestDefaultDownloadsDeployment(t *testing.T) {
 							Labels: labels,
 							Annotations: map[string]string{
 								workloadManagementAnnotation: workloadManagementAnnotationValue,
-								requiredSCCAnnotation:        "restricted-v2",
+								requiredSCCAnnotation:        "restricted-v3",
 							},
 						},
 						Spec: downloadsDeploymentPodSpecSingleReplica,
@@ -1785,7 +1790,7 @@ func TestDefaultDownloadsDeployment(t *testing.T) {
 							Labels: labels,
 							Annotations: map[string]string{
 								workloadManagementAnnotation: workloadManagementAnnotationValue,
-								requiredSCCAnnotation:        "restricted-v2",
+								requiredSCCAnnotation:        "restricted-v3",
 							},
 						},
 						Spec: *downloadsDeploymentPodSpecHighAvail,
