From 882592f5311804ca586dca82a1ff3bed1c92db31 Mon Sep 17 00:00:00 2001
From: Ondra Kupka
Date: Tue, 11 Nov 2025 15:14:13 +0100
Subject: [PATCH] manifest: Use restricted-v3 scc for the operator

This effectively enforces user namespaces.
---
 manifests/07-operator-ibm-cloud-managed.yaml | 3 ++-
 manifests/07-operator.yaml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/manifests/07-operator-ibm-cloud-managed.yaml b/manifests/07-operator-ibm-cloud-managed.yaml
index eabfb01e16..d19234150a 100644
--- a/manifests/07-operator-ibm-cloud-managed.yaml
+++ b/manifests/07-operator-ibm-cloud-managed.yaml
@@ -17,7 +17,7 @@ spec:
 template:
 metadata:
 annotations:
- openshift.io/required-scc: restricted-v2
+ openshift.io/required-scc: restricted-v3
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 labels:
 name: console-operator
@@ -75,6 +75,7 @@ spec:
 name: serving-cert
 - mountPath: /etc/pki/ca-trust/extracted/pem
 name: trusted-ca
+ hostUsers: false
 priorityClassName: system-cluster-critical
 securityContext:
 runAsNonRoot: true
diff --git a/manifests/07-operator.yaml b/manifests/07-operator.yaml
index 82d03645c2..e48fd7b650 100644
--- a/manifests/07-operator.yaml
+++ b/manifests/07-operator.yaml
@@ -17,7 +17,7 @@ spec:
 metadata:
 annotations:
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
- openshift.io/required-scc: restricted-v2
+ openshift.io/required-scc: restricted-v3
 labels:
 name: console-operator
 spec:
@@ -39,6 +39,7 @@ spec:
 operator: "Exists"
 effect: "NoExecute"
 tolerationSeconds: 120
+ hostUsers: false
 priorityClassName: system-cluster-critical
 serviceAccountName: console-operator
 containers:
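Review bot: Pinning `openshift.io/required-scc: restricted-v3` in the first hunk of manifests/07-operator-ibm-cloud-managed.yaml (and in the matching hunk of manifests/07-operator.yaml) makes admission of the console-operator pod depend on that one SCC. On a cluster where restricted-v3 is missing or user namespaces are not enabled, the pod would presumably be rejected rather than admitted under restricted-v2. Nothing visible in the patch shows what guarantees the SCC is present before this Deployment is applied, for example part-way through an upgrade, and for a `system-cluster-critical` workload that ordering is worth confirming. I would record the dependency above the annotation, `# Pinned SCC: the pod is admitted only under restricted-v3, which must exist before rollout`. The pod template continues outside the hunk.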
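Review bot: `hostUsers: false` in the second hunk of manifests/07-operator-ibm-cloud-managed.yaml (and of manifests/07-operator.yaml) is added without a comment, and nothing in the manifest ties it to the `restricted-v3` annotation set on the same pod template, so a later edit could change one without the other. I would add a line above it, `# Run the pod in a user namespace; required by the restricted-v3 SCC pinned in the annotations`. The visible pod-level `securityContext` sets only `runAsNonRoot: true` and continues outside the hunk, so the container-level settings (privilege escalation, dropped capabilities, seccomp profile) could not be checked here and should be verified against what restricted-v3 expects.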