diff --git a/install/0000_30_machine-api-operator_09_rbac.yaml b/install/0000_30_machine-api-operator_09_rbac.yaml
index 11bc126dba03a2872d6f5d265bc6b9bf84c41eed..1faf7af88fa9d6177bfedf73a4e54d7f44d2648f 100644
--- a/install/0000_30_machine-api-operator_09_rbac.yaml
+++ b/install/0000_30_machine-api-operator_09_rbac.yaml
@@ -151,6 +151,16 @@ rules:
   - list
   - watch
 
+# the baremetal pod deployment uses hostNetwork, hostPort, and privileged
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
+  resourceNames:
+  - privileged
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/install/0000_30_machine-api-operator_11_deployment.yaml b/install/0000_30_machine-api-operator_11_deployment.yaml
index e1b3603928fe6dbd6398e99937d66d50ed7c8e3d..6f3458f8a2289a6bbae59f58772054c3f44f5692 100644
--- a/install/0000_30_machine-api-operator_11_deployment.yaml
+++ b/install/0000_30_machine-api-operator_11_deployment.yaml
@@ -68,9 +68,6 @@ spec:
       nodeSelector:
         node-role.kubernetes.io/master: ""
       restartPolicy: Always
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
       tolerations:
       - key: "node-role.kubernetes.io/master"
         operator: "Exists"
diff --git a/pkg/operator/sync.go b/pkg/operator/sync.go
index 89c1b1f09fca8d33548164f80129b898d1e84e45..1a961c55bb028b5b42fe1c92aff98fc676654d82 100644
--- a/pkg/operator/sync.go
+++ b/pkg/operator/sync.go
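Review bot: Every subject bound to this role, not only the baremetal controller pod the new comment describes, gains `use` on the `privileged` SCC, because the rule is appended to the shared `rules:` list right after the read-only `list`/`watch` verbs. Which role owns this list is outside the hunk, so this is hedged, but if it is the role used by all controllers deployments the grant should be narrowed: bind it through a service account that only the baremetal deployment uses, and prefer a dedicated SCC that allows exactly hostNetwork, hostPort and privileged over the cluster-wide `privileged` SCC. The comment should also record that scope so a later reader does not treat the grant as needed by every platform, e.g. `# only the baremetal controller pod needs hostNetwork, hostPort and privileged; keep this rule off roles used by other platforms`.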
@@ -188,13 +188,9 @@ func newPodTemplateSpec(config *OperatorConfig, features map[string]bool) *corev
 			},
 		},
 		Spec: corev1.PodSpec{
-			Containers:        containers,
-			PriorityClassName: "system-node-critical",
-			NodeSelector:      map[string]string{"node-role.kubernetes.io/master": ""},
-			SecurityContext: &corev1.PodSecurityContext{
-				RunAsNonRoot: pointer.BoolPtr(true),
-				RunAsUser:    pointer.Int64Ptr(65534),
-			},
+			Containers:         containers,
+			PriorityClassName:  "system-node-critical",
+			NodeSelector:       map[string]string{"node-role.kubernetes.io/master": ""},
 			ServiceAccountName: "machine-api-controllers",
 			Tolerations:        tolerations,
 		},
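Review bot: The controllers pod for every provider loses its non-root, fixed-UID guarantee here, because the `SecurityContext` removal in `newPodTemplateSpec` is unconditional while the RBAC comment in the same commit justifies privileged/hostNetwork only for the baremetal pod. The function has `config` and `features` in scope (its body starts and ends outside this hunk), so the template could keep `SecurityContext: &corev1.PodSecurityContext{RunAsNonRoot: pointer.BoolPtr(true), RunAsUser: pointer.Int64Ptr(65534)},` by default and omit it only when the baremetal controller is part of `containers`; narrower still, setting `Privileged` on that single container's `SecurityContext` would leave the pod itself non-root. The same concern applies to the hunk in `install/0000_30_machine-api-operator_11_deployment.yaml`, which drops `runAsNonRoot: true` / `runAsUser: 65534` from the operator's own Deployment, although nothing in this diff shows the operator container needing host networking or privileges. The three re-added lines appear to exist only to re-align the struct fields after the deletion, which is fine but worth a mention in the commit message so the hunk is not read as a behaviour change on those lines.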