
SCC-pinning for openshift workloads #754

Merged: 1 commit, Aug 9, 2024

Conversation

kramaranya (Contributor) commented Jul 30, 2024

This PR explicitly sets the required SCC to be used to admit pods. The SCC chosen is the one that the pods are already getting admitted with, which means that this brings no change to the SCC used.

In some cases, custom SCCs can have higher priority than default SCCs, which means that they will be chosen over the default ones. This can lead to unexpected results; in order to protect openshift workloads from this, we must explicitly pin the required SCC to all our workloads in order to make sure that the expected one will be used.

CI bot commented

Thanks for your PR.
To run vendor CIs, maintainers can use one of:

  • /test-all: To run all tests for all vendors.
  • /test-e2e-all: To run all E2E tests for all vendors.
  • /test-e2e-nvidia-all: To run all E2E tests for the NVIDIA vendor.

To skip the vendor CIs, maintainers can use one of:

  • /skip-all: To skip all tests for all vendors.
  • /skip-e2e-all: To skip all E2E tests for all vendors.
  • /skip-e2e-nvidia-all: To skip all E2E tests for the NVIDIA vendor.

Best regards.

zeeke (Member) commented Jul 30, 2024

These changes are about setting a SecurityContextConstraint for the operator's workload, in order to avoid getting assigned one by a custom priority. See [1] and [2].
Also, having the openshift.io/required-scc annotation in a non-Openshift cluster should be harmless, hence no need to add { if .IsOpenshift } statements.

@kramaranya can you confirm my statement? Is there any other information that can be useful for reviewing this?

[1] https://docs.openshift.com/container-platform/4.16/authentication/managing-security-context-constraints.html#scc-prioritization_configuring-internal-oauth
[2] https://docs.openshift.com/container-platform/4.16/authentication/managing-security-context-constraints.html#default-sccs_configuring-internal-oauth
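The selection problem described in the PR description and in zeeke's comment above, as an added example that is not part of the original PR or of the operator's code: a small Go model of how OpenShift picks an SCC for a pod (highest priority first), and how the `openshift.io/required-scc` annotation short-circuits that choice. The SCC names, priorities and the set of SCCs the service account may use are constructed for the demo; the real admission plugin also ranks equal-priority SCCs by restrictiveness, which this sketch replaces with name order (an assumption, noted in the code).

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// RequiredSCCAnnotation is the pod annotation OpenShift honours to pin the SCC
// used at admission time.
const RequiredSCCAnnotation = "openshift.io/required-scc"

// SCC is a stand-in for a SecurityContextConstraints object with only the
// fields that matter for selection. A nil priority in the real API is treated
// as 0 here.
type SCC struct {
	Name     string
	Priority int
}

// Pod is a stand-in for a pod: the annotations on its template, plus the SCCs
// its service account is allowed to use (normally resolved through RBAC).
type Pod struct {
	Annotations map[string]string
	UsableSCCs  map[string]bool
}

// rank orders candidate SCCs with the highest priority first. The real plugin
// then orders equal-priority SCCs by restrictiveness; name order is used as a
// simplified stand-in (an assumption of this example, not documented behaviour).
func rank(sccs []SCC) []SCC {
	out := append([]SCC(nil), sccs...)
	sort.SliceStable(out, func(i, j int) bool {
		if out[i].Priority != out[j].Priority {
			return out[i].Priority > out[j].Priority
		}
		return out[i].Name < out[j].Name
	})
	return out
}

// Admit returns the SCC the pod would be admitted with. With the
// openshift.io/required-scc annotation present only that SCC is considered,
// and the pod is rejected if it does not exist or the service account may not
// use it; without it, the first usable SCC in priority order wins.
func Admit(pod Pod, cluster []SCC) (string, error) {
	if want, pinned := pod.Annotations[RequiredSCCAnnotation]; pinned {
		for _, s := range cluster {
			if s.Name == want {
				if !pod.UsableSCCs[s.Name] {
					return "", fmt.Errorf("required SCC %q is not usable by the pod's service account", want)
				}
				return s.Name, nil
			}
		}
		return "", fmt.Errorf("required SCC %q does not exist", want)
	}
	for _, s := range rank(cluster) {
		if pod.UsableSCCs[s.Name] {
			return s.Name, nil
		}
	}
	return "", errors.New("no usable SCC found")
}

// DemoCluster mimics the situation from the PR description: default SCCs plus
// a custom SCC with a higher priority (hypothetical names and priorities).
func DemoCluster() []SCC {
	return []SCC{
		{Name: "restricted-v2", Priority: 0},
		{Name: "privileged", Priority: 0},
		{Name: "custom-high-prio", Priority: 50},
	}
}

// OperatorPod builds a pod whose service account may use every demo SCC,
// optionally pinned to the given SCC name.
func OperatorPod(pin string) Pod {
	ann := map[string]string{}
	if pin != "" {
		ann[RequiredSCCAnnotation] = pin
	}
	return Pod{
		Annotations: ann,
		UsableSCCs:  map[string]bool{"restricted-v2": true, "privileged": true, "custom-high-prio": true},
	}
}

func main() {
	for _, pin := range []string{"", "restricted-v2", "does-not-exist"} {
		got, err := Admit(OperatorPod(pin), DemoCluster())
		fmt.Printf("pin=%q -> scc=%q err=%v\n", pin, got, err)
	}
}
```

Without the annotation the custom SCC wins purely on priority, which is the "unexpected result" the PR guards against; with it, the pod lands on the SCC it was always meant to get, and a pin that the service account cannot actually use is surfaced as an admission error rather than silently falling back.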

coveralls commented Jul 30, 2024

Pull Request Test Coverage Report for Build 10317864792

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 45.189%

Totals Coverage Status
Change from base Build 10305741803: 0.0%
Covered Lines: 6532
Relevant Lines: 14455

💛 - Coveralls

kramaranya (Contributor, Author) commented

@zeeke you are absolutely right, thanks for gathering this information.

Here is a Jira ticket, AUTH-482, which might be useful for reviewing this. I have also updated the description of the PR.

SchSeba (Collaborator) left a comment

I think we also need this on the operator itself, so please add it in the right place in the operator YAMLs.
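The "right place" SchSeba asks about is the pod template, not the Deployment or DaemonSet object itself, since admission looks at the pod. As an added example that is not part of the PR or of the operator's code, here is a Go check a reviewer could run over rendered manifests to confirm every workload is pinned, and pinned to an SCC on an allow-list. The three manifests are constructed inline and trimmed to the fields the check reads; the workload names and the allow-list are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// RequiredSCCAnnotation is the pod annotation OpenShift honours to pin the SCC.
const RequiredSCCAnnotation = "openshift.io/required-scc"

// workload is the subset of a Deployment/DaemonSet manifest this check reads.
type workload struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name        string            `json:"name"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		Template struct {
			Metadata struct {
				Annotations map[string]string `json:"annotations"`
			} `json:"metadata"`
		} `json:"template"`
	} `json:"spec"`
}

// CheckPinned returns the SCC the workload's pod template is pinned to, or an
// error saying why the pinning is missing or unacceptable. allowed is the set
// of SCC names this workload is expected to run under.
func CheckPinned(manifest []byte, allowed map[string]bool) (string, error) {
	var w workload
	if err := json.Unmarshal(manifest, &w); err != nil {
		return "", err
	}
	scc, ok := w.Spec.Template.Metadata.Annotations[RequiredSCCAnnotation]
	if !ok {
		// Common mistake: annotation on the object metadata instead of the pod
		// template. It is not copied to pods, so it pins nothing.
		if _, misplaced := w.Metadata.Annotations[RequiredSCCAnnotation]; misplaced {
			return "", fmt.Errorf("%s/%s: %s is set on metadata, not on spec.template.metadata",
				w.Kind, w.Metadata.Name, RequiredSCCAnnotation)
		}
		return "", fmt.Errorf("%s/%s: pod template is not pinned (%s missing)",
			w.Kind, w.Metadata.Name, RequiredSCCAnnotation)
	}
	if !allowed[scc] {
		return "", fmt.Errorf("%s/%s: pinned to %q, which is not in the allow-list",
			w.Kind, w.Metadata.Name, scc)
	}
	return scc, nil
}

// Constructed manifests (hypothetical names) covering the three outcomes.
const (
	PinnedDaemonSet = `{"kind":"DaemonSet","metadata":{"name":"example-config-daemon"},
	  "spec":{"template":{"metadata":{"annotations":{"openshift.io/required-scc":"privileged"}}}}}`
	MisplacedDeployment = `{"kind":"Deployment",
	  "metadata":{"name":"example-operator","annotations":{"openshift.io/required-scc":"restricted-v2"}},
	  "spec":{"template":{"metadata":{}}}}`
	UnpinnedDeployment = `{"kind":"Deployment","metadata":{"name":"example-webhook"},
	  "spec":{"template":{"metadata":{"annotations":{}}}}}`
)

func main() {
	allowed := map[string]bool{"restricted-v2": true, "privileged": true}
	for _, m := range []string{PinnedDaemonSet, MisplacedDeployment, UnpinnedDeployment} {
		scc, err := CheckPinned([]byte(m), allowed)
		fmt.Printf("scc=%q err=%v\n", scc, err)
	}
}
```

Running this over the operator's rendered manifests (converted to JSON with `kubectl ... -o json` or equivalent) turns "did we pin every workload, in the right place" into a pass/fail check rather than a manual read of the YAML.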

zeeke (Member) left a comment

Only one comment from my side, then LGTM.

@adrianchiris , @ykulazhenkov can you take a look at this? These annotations should not harm non-OpenShift deployments.

(Review thread on deploy/operator.yaml, resolved.)

ykulazhenkov (Collaborator) left a comment

LGTM

@zeeke zeeke merged commit 2dec53f into k8snetworkplumbingwg:master Aug 9, 2024
13 checks passed