Merge pull request #635 from openshift-cherrypick-robot/cherry-pick-511-to-release-4.3

[release-4.3] BUG 1807762: Remove explicit securityContext and add granular securitycontextconstraints "use" permissions in machine-api-controllers clusterRole

install/0000_30_machine-api-operator_09_rbac.yaml

@@ -151,6 +151,16 @@ rules:
     - list
     - watch
 
+# the baremetal pod deployment uses hostNetwork, hostPort, and privileged
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+    resourceNames:
+      - privileged
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

install/0000_30_machine-api-operator_11_deployment.yaml

@@ -68,9 +68,6 @@ spec:
       nodeSelector:
         node-role.kubernetes.io/master: ""
       restartPolicy: Always
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
       tolerations:
       - key: "node-role.kubernetes.io/master"
         operator: "Exists"

pkg/operator/sync.go

@@ -188,13 +188,9 @@ func newPodTemplateSpec(config *OperatorConfig, features map[string]bool) *corev
 			},
 		},
 		Spec: corev1.PodSpec{
-			Containers:        containers,
-			PriorityClassName: "system-node-critical",
-			NodeSelector:      map[string]string{"node-role.kubernetes.io/master": ""},
-			SecurityContext: &corev1.PodSecurityContext{
-				RunAsNonRoot: pointer.BoolPtr(true),
-				RunAsUser:    pointer.Int64Ptr(65534),
-			},
+			Containers:         containers,
+			PriorityClassName:  "system-node-critical",
+			NodeSelector:       map[string]string{"node-role.kubernetes.io/master": ""},
 			ServiceAccountName: "machine-api-controllers",
 			Tolerations:        tolerations,
 		},