Remove specific UID from cluster-storage-operator

[jsafrane]

OCP will assign its own UID to the Pod. This helps in HyperShift, where UIDs of different guest control planes should be different.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsafrane

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [jsafrane]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jsafrane]

cc @openshift/storage

[jsafrane]

/label docs-approved
/label px-approved
this is not a user-facing change

[gnufied]

CSO seems to be running in nonroot-v2 SCC , which has following policies:

fsGroup:
  type: RunAsAny

Have you tested if this still results in assigning a fsgroup to the pod?

[jsafrane]

Yes, CI shows that CSO runs with some fsGroup:

https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_cluster-storage-operator/316/pull-ci-openshift-cluster-storage-operator-master-e2e-azure-csi/1570712022071382016

https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_cluster-storage-operator/316/pull-ci-openshift-cluster-storage-operator-master-e2e-azure-csi/1570712022071382016/artifacts/e2e-azure-csi/gather-extra/artifacts/pods.json

                "name": "cluster-storage-operator-6db7799b89-rxmhq",
                "namespace": "openshift-cluster-storage-operator",
...

                "securityContext": {
                    "fsGroup": 1000150000,
                    "runAsNonRoot": true,
                    "seLinuxOptions": {
                        "level": "s0:c12,c9"
                    },
                    "seccompProfile": {
                        "type": "RuntimeDefault"
                    }
                },
                "serviceAccount": "cluster-storage-operator",
                "serviceAccountName": "cluster-storage-operator",

[jsafrane]

BTW, SCC changed to:

                    "openshift.io/scc": "restricted-v2",

[gnufied]

/lgtm

[jsafrane]

/retest-required

[ropatil010]

/label qe-approved

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 53afa77 and 2 for PR HEAD 8ce29fb in total

[jsafrane]

/retest

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 401cb8b and 1 for PR HEAD 8ce29fb in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 87e0c41 and 0 for PR HEAD 8ce29fb in total

[openshift-ci-robot]

/hold

Revision 8ce29fb was retested 3 times: holding

[jsafrane]

/hold cancel
/retest

[openshift-ci]

@jsafrane: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.