From 9e37fc10bc5d9fd9d4393173cc8d62d3964c871d Mon Sep 17 00:00:00 2001
From: Ondra Kupka
Date: Thu, 9 Oct 2025 15:28:56 +0200
Subject: [PATCH] manifests: Fix user namespaces for the operator restricted-v3 annotation needs to be on the template level. Also actually most of the securityContext fields are optional with hostUsers: false, so these are now deleted.
---
 .../0000_25_kube-scheduler-operator_06_deployment.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/manifests/0000_25_kube-scheduler-operator_06_deployment.yaml b/manifests/0000_25_kube-scheduler-operator_06_deployment.yaml
index c327e7fa0..7a838d0ee 100644
--- a/manifests/0000_25_kube-scheduler-operator_06_deployment.yaml
+++ b/manifests/0000_25_kube-scheduler-operator_06_deployment.yaml
@@ -9,7 +9,6 @@ metadata:
 include.release.openshift.io/self-managed-high-availability: "true"
 exclude.release.openshift.io/internal-openshift-hosted: "true"
 include.release.openshift.io/single-node-developer: "true"
- openshift.io/required-scc: restricted-v3
 spec:
 replicas: 1
 selector:
@@ -20,15 +19,12 @@ spec:
 name: openshift-kube-scheduler-operator
 annotations:
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+ openshift.io/required-scc: restricted-v3
 labels:
 app: openshift-kube-scheduler-operator
 spec:
 hostUsers: false
 securityContext:
- runAsNonRoot: true
- runAsUser: 1000
- runAsGroup: 1000
- fsGroup: 1000
 seccompProfile:
 type: RuntimeDefault
 automountServiceAccountToken: false
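Review bot: In the second hunk, removing `runAsNonRoot: true` along with the fixed UID/GID fields leaves the pod-level `securityContext` with no non-root assertion of its own. That guarantee now depends entirely on the `openshift.io/required-scc: restricted-v3` annotation being honoured at admission. `runAsNonRoot: true` does not pin a UID, so, assuming restricted-v3 assigns a non-zero UID as the other restricted SCCs do, keeping that one line would preserve a kubelet-side check if the pod were ever admitted under a different SCC. The container-level securityContext lies outside this hunk, so it cannot be seen here whether it already sets this. A short comment above the moved annotation would also guard against it drifting back, e.g. `# must be on the pod template: SCC admission evaluates pods, not the Deployment`.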