From f1f99d6a72a9dc48079ef719379ec0be777d2596 Mon Sep 17 00:00:00 2001
From: Ondra Kupka <okupka@redhat.com>
Date: Tue, 11 Nov 2025 15:07:36 +0100
Subject: [PATCH] manifests: Use restricted-v3 scc for deployment

This effectively enforces user namespace.
---
 manifests/0000_10_config-operator_07_deployment.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/manifests/0000_10_config-operator_07_deployment.yaml b/manifests/0000_10_config-operator_07_deployment.yaml
index 8633c4420..beff6ef80 100644
--- a/manifests/0000_10_config-operator_07_deployment.yaml
+++ b/manifests/0000_10_config-operator_07_deployment.yaml
@@ -21,13 +21,13 @@ spec:
       name: openshift-config-operator
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
-        openshift.io/required-scc: nonroot-v2
+        openshift.io/required-scc: restricted-v3
       labels:
         app: openshift-config-operator
     spec:
+      hostUsers: false
       securityContext:
         runAsNonRoot: true
-        runAsUser: 65534
         seccompProfile:
           type: RuntimeDefault
       serviceAccountName: openshift-config-operator