AUTH-482: Move required-scc annotation from deployment to pod

[jacobsee]

Move required-scc from the deployment annotations to the pod annotations where it is required.

Follow-up - I see a newTerminationPodTemplateSpec in here that looks like it does things that require more than restricted-v2 privileges would grant... Is that function exercised in the nightly CI for any SCC issues to be caught? If not, what would be the appropriate SCC to pin that workload to?

[openshift-ci-robot]

@jacobsee: This pull request references AUTH-482 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.19." or "openshift-4.19.", but it targets "openshift-4.16" instead.

In response to this:

Move required-scc from the deployment annotations to the pod annotations where it is required.

Follow-up - I see a newTerminationPodTemplateSpec in here that looks like it does things that require more than restricted-v2 privileges would grant... Is that function exercised in the nightly CI for any SCC issues to be caught? If not, what would be the appropriate SCC to pin that workload to?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign elmiko for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @jacobsee. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[JoelSpeed]

The termination pod is deployed only when spot instances are used. As far as I'm aware, a significant amount of CI runs on spot instances, but I'm not certain if that includes the nightlies.

We have E2E on this repository that exercises this (-operator), so I would expect any SCC errors to come up there if we had the wrong annotation

[openshift-ci]

@jacobsee: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	b366df2	link	true	/test security

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.