Merge pull request openshift#703 from liouk/required-scc

openshift-merge-bot[bot] · web-flow · commit 7f5d2f79251b · 2024-04-23T14:44:56.000Z
AUTH-482: set required-scc for openshift workloads
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
@@ -20,6 +20,7 @@ spec:
     metadata:
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: restricted-v2
       labels:
         app: package-server-manager
     spec:
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.yaml
@@ -19,6 +19,7 @@ spec:
     metadata:
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: restricted-v2
       labels:
         app: package-server-manager
     spec:
diff --git a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
@@ -17,6 +17,7 @@ spec:
         metadata:
           annotations:
             target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+            openshift.io/required-scc: restricted-v2
         spec:
           securityContext:
             runAsNonRoot: true
diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
@@ -22,6 +22,7 @@ spec:
         app: olm-operator
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: restricted-v2
     spec:
       securityContext:
         runAsNonRoot: true
diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.yaml
@@ -21,6 +21,7 @@ spec:
         app: olm-operator
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: restricted-v2
     spec:
       securityContext:
         runAsNonRoot: true
diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
@@ -22,6 +22,7 @@ spec:
         app: catalog-operator
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: restricted-v2
     spec:
       securityContext:
         runAsNonRoot: true
diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.yaml
@@ -21,6 +21,7 @@ spec:
         app: catalog-operator
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: restricted-v2
     spec:
       securityContext:
         runAsNonRoot: true
diff --git a/microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
@@ -20,6 +20,7 @@ spec:
     metadata:
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: restricted-v2
       labels:
         app: package-server-manager
     spec:
diff --git a/microshift-manifests/0000_50_olm_06-psm-operator.deployment.yaml b/microshift-manifests/0000_50_olm_06-psm-operator.deployment.yaml
@@ -19,6 +19,7 @@ spec:
     metadata:
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: restricted-v2
       labels:
         app: package-server-manager
     spec:
diff --git a/microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml b/microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
@@ -17,6 +17,7 @@ spec:
         metadata:
           annotations:
             target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+            openshift.io/required-scc: restricted-v2
         spec:
           securityContext:
             runAsNonRoot: true
diff --git a/microshift-manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml b/microshift-manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
@@ -22,6 +22,7 @@ spec:
         app: olm-operator
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: restricted-v2
     spec:
       securityContext:
         runAsNonRoot: true
diff --git a/microshift-manifests/0000_50_olm_07-olm-operator.deployment.yaml b/microshift-manifests/0000_50_olm_07-olm-operator.deployment.yaml
@@ -21,6 +21,7 @@ spec:
         app: olm-operator
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: restricted-v2
     spec:
       securityContext:
         runAsNonRoot: true
diff --git a/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml b/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
@@ -22,6 +22,7 @@ spec:
         app: catalog-operator
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: restricted-v2
     spec:
       securityContext:
         runAsNonRoot: true
diff --git a/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.yaml b/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.yaml
@@ -21,6 +21,7 @@ spec:
         app: catalog-operator
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: restricted-v2
     spec:
       securityContext:
         runAsNonRoot: true
diff --git a/pkg/manifests/csv.yaml b/pkg/manifests/csv.yaml
@@ -87,6 +87,7 @@ spec:
                   app: packageserver
                 annotations:
                   target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+                  openshift.io/required-scc: restricted-v2
                 creationTimestamp: null
               spec:
                 securityContext:
diff --git a/scripts/catalog-deployment.patch.yaml b/scripts/catalog-deployment.patch.yaml
@@ -1,6 +1,8 @@
 - command: update
-  path: spec.template.metadata.annotations."target.workload.openshift.io/management"
-  value: '{"effect": "PreferredDuringScheduling"}'
+  path: spec.template.metadata.annotations
+  value:
+    target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+    openshift.io/required-scc: restricted-v2
 - command: update
   path: spec.template.spec.priorityClassName
   value: system-cluster-critical
diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh
@@ -136,6 +136,7 @@ spec:
     metadata:
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: restricted-v2
       labels:
         app: package-server-manager
     spec:
@@ -381,6 +382,7 @@ spec:
         metadata:
           annotations:
             target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+            openshift.io/required-scc: restricted-v2
         spec:
           securityContext:
             runAsNonRoot: true
diff --git a/scripts/olm-deployment.patch.yaml b/scripts/olm-deployment.patch.yaml
@@ -1,6 +1,8 @@
 - command: update
-  path: spec.template.metadata.annotations."target.workload.openshift.io/management"
-  value: '{"effect": "PreferredDuringScheduling"}'
+  path: spec.template.metadata.annotations
+  value:
+    target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+    openshift.io/required-scc: restricted-v2
 - command: update
   path: spec.template.spec.priorityClassName
   value: system-cluster-critical
diff --git a/scripts/packageserver-deployment.patch.yaml b/scripts/packageserver-deployment.patch.yaml
@@ -1,6 +1,8 @@
 - command: update
-  path: spec.install.spec.deployments[0].spec.template.metadata.annotations."target.workload.openshift.io/management"
-  value: '{"effect": "PreferredDuringScheduling"}'
+  path: spec.install.spec.deployments[0].spec.template.metadata.annotations
+  value:
+    target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+    openshift.io/required-scc: restricted-v2
 - command: update
   path: spec.install.spec.deployments[0].spec.template.spec.priorityClassName
   value: system-cluster-critical
