Set SCC allowPrivilegeEscalation to true when container build enabled

[amisevsk]

What does this PR do?

Sets allowPrivilegeEscalation: true in the pod security context when DisableContainerBuildCapabilities is false. This was incorrectly set to false in https://github.com/eclipse-che/che-operator/pull/1576, as the container-buildSCC containsallowPrivilegeEscalation: true`.

What issues does this PR fix or reference?

Closes eclipse-che/che#21927

How to test this PR?

1. Start a workspace
2. Open terminal and test that podman images succeeds (potentially with warnings) and prints an empty list of images rather than an error.

PR Checklist

As the author of this Pull Request I made sure that:

• The Eclipse Contributor Agreement is valid
• Code produced is complete
• Code builds without errors
• Tests are covering the bugfix
• Development resource are up to date
• The repository devfile is up to date and works
• Sections What issues does this PR fix or reference and How to test this PR completed
• Relevant user documentation updated
• Relevant contributing documentation updated
• CI/CD changes implemented, documented and communicated

Reviewers

Reviewers, please comment how you tested the PR when approving it.

[amisevsk]

Once merged, likely needs a backport to 7.59.x

[amisevsk]

/test v11-devworkspace-happy-path

[codecov]

Codecov Report

Merging #1596 (ce85af2) into main (c0e1de8) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #1596   +/-   ##
=======================================
  Coverage   58.95%   58.95%           
=======================================
  Files          73       73           
  Lines        8614     8614           
=======================================
  Hits         5078     5078           
  Misses       3190     3190           
  Partials      346      346           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: amisevsk, ibuziuk, tolusha

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[devstudio-release]

Build 3.5 :: operator_3.x/170: Console, Changes, Git Data

[devstudio-release]

Build 3.5 :: sync-to-downstream_3.x/1965: Console, Changes, Git Data

[devstudio-release]

Build 3.5 :: get-sources-rhpkg-container-build_3.x/1895: Console, Changes, Git Data

[devstudio-release]

Build 3.5 :: push-latest-container-to-quay_3.x/1513: Console, Changes, Git Data

[devstudio-release]

Build 3.5 :: push-latest-container-to-quay_3.x/1513:

Copied: devspaces-rhel8-operator; /job/DS_CI/job/update-digests_3.x triggered;
/job/DS_CI/job/Releng/job/copyIIBsToQuay triggered for OCP v4.12 v4.11 v4.10

[devstudio-release]

Build 3.5 :: update-digests_3.x/1841: Console, Changes, Git Data

[devstudio-release]

Build 3.5 :: copyIIBsToQuay/653: Console, Changes, Git Data

[devstudio-release]

Build 3.5 :: get-sources-rhpkg-container-build_3.x/1895:

devspaces-operator : 3.x :: Build 49999325 : quay.io/devspaces/devspaces-rhel8-operator:3.5-17
SUCCESS; copied to quay; /DS_CI/push-latest-container-to-quay_3.x/1513 triggered

[devstudio-release]

Build 3.5 :: sync-to-downstream_3.x/1965:

Build container: devspaces-operator synced; /DS_CI/get-sources-rhpkg-container-build_3.x/1895 triggered;

[devstudio-release]

Build 3.5 :: operator_3.x/170:

Upstream sync done; /DS_CI/sync-to-downstream_3.x/1965 triggered

[devstudio-release]

Build 3.5 :: operator-bundle_3.x/764: Console, Changes, Git Data

[devstudio-release]

Build 3.5 :: sync-to-downstream_3.x/1966: Console, Changes, Git Data

[devstudio-release]

Build 3.5 :: get-sources-rhpkg-container-build_3.x/1896: Console, Changes, Git Data

[devstudio-release]

Build 3.5 :: push-latest-container-to-quay_3.x/1514: Console, Changes, Git Data

[devstudio-release]

Build 3.5 :: copyIIBsToQuay/653:

arches = x86_64, s390x, ppc64le;
  * LATEST DS OPERATOR BUNDLE = <a href=https://quay.io/repository/devspaces/devspaces-operator-bundle?tab=tags>registry-proxy.engineering.redhat.com/rh-osbs/devspaces-operator-bundle:3.5-57
  * LATEST DWO OPERATOR BUNDLE = <a href=https://quay.io/repository/devworkspace/devworkspace-operator-bundle?tab=tags>registry-proxy.engineering.redhat.com/rh-osbs/devworkspace-operator-bundle:0.18-2
+ s390x-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.5-v4.12-411504-410106-s390x
  + quay.io/devspaces/iib:3.5-v4.11-411501-410097-s390x
  + quay.io/devspaces/iib:3.5-v4.10-411499-410093-s390x
+ ppc64le-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.5-v4.12-411504-410106-ppc64le
  + quay.io/devspaces/iib:3.5-v4.11-411501-410097-ppc64le
  + quay.io/devspaces/iib:3.5-v4.10-411499-410093-ppc64le
  * LATEST DS OPERATOR BUNDLE = <a href=https://quay.io/repository/devspaces/devspaces-operator-bundle?tab=tags>registry-proxy.engineering.redhat.com/rh-osbs/devspaces-operator-bundle:3.5-58
+ x86_64-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.5-v4.12-411504-410106-x86_64
  + quay.io/devspaces/iib:3.5-v4.12-x86_64
  + quay.io/devspaces/iib:3.5-v4.11-411501-410097-x86_64
  + quay.io/devspaces/iib:3.5-v4.10-411499-410093-x86_64

[devstudio-release]

Build 3.5 :: copyIIBsToQuay/654: Console, Changes, Git Data

[devstudio-release]

Build 3.5 :: push-latest-container-to-quay_3.x/1514:

Copied: devspaces-operator-bundle; bundle-generated updated;
/job/DS_CI/job/Releng/job/copyIIBsToQuay triggered for OCP v4.12 v4.11 v4.10

[devstudio-release]

Build 3.5 :: get-sources-rhpkg-container-build_3.x/1896:

devspaces-operator-bundle : 3.x :: Build 49999948 : quay.io/devspaces/devspaces-operator-bundle:3.5-58
SUCCESS; copied to quay; /DS_CI/push-latest-container-to-quay_3.x/1514 triggered;

Bundle CSV related images:
- quay.io/devspaces/code-rhel8:3.5-4
- quay.io/devspaces/configbump-rhel8:3.5-5
- quay.io/devspaces/dashboard-rhel8:3.5-9
- quay.io/devspaces/devfileregistry-rhel8:3.5-31
- quay.io/devspaces/devspaces-rhel8-operator:3.5-17
- quay.io/devspaces/idea-rhel8:3.5-17
- quay.io/devspaces/machineexec-rhel8:3.5-6
- quay.io/devspaces/pluginregistry-rhel8:3.5-9
- quay.io/devspaces/server-rhel8:3.5-11
- quay.io/devspaces/theia-endpoint-rhel8:3.5-2
- quay.io/devspaces/theia-rhel8:3.5-2
- quay.io/devspaces/traefik-rhel8:3.5-5
- quay.io/devspaces/udi-rhel8:3.5-6
= registry.redhat.io/devworkspace/devworkspace-rhel8-operator:0.17-2
= registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.11.0-202212070335.p0.ga805ba5.assembly.stream
= registry.redhat.io/openshift4/ose-oauth-proxy:v4.11.0-202212070335.p0.gaad1b28.assembly.stream
= registry.redhat.io/rhel8/postgresql-13:1-91.1669834637
= registry.redhat.io/rhel8/postgresql-96:1-159
= registry.redhat.io/rhscl/mongodb-36-rhel7:1-50
= registry.redhat.io/ubi8/ubi-minimal:8.6-994

[devstudio-release]

Build 3.5 :: sync-to-downstream_3.x/1966:

Build container: devspaces-operator-bundle synced; /DS_CI/get-sources-rhpkg-container-build_3.x/1896 triggered; /job/DS_CI/job/dsc_3.x triggered;

[devstudio-release]

Build 3.5 :: operator-bundle_3.x/764:

Upstream sync done; /DS_CI/sync-to-downstream_3.x/1966 triggered

[devstudio-release]

Build 3.5 :: dsc_3.x/559: Console, Changes, Git Data

[devstudio-release]

Build 3.5 :: update-digests_3.x/1841:

Detected new images: rebuild operator-bundle
* dashboard
* devspaces-operator; /DS_CI/operator-bundle_3.x/764 triggered

[devstudio-release]

Build 3.5 :: dsc_3.x/559:

3.5.0 CI

[devstudio-release]

Build 3.5 :: copyIIBsToQuay/654:

arches = x86_64, s390x, ppc64le;
  * LATEST DS OPERATOR BUNDLE = <a href=https://quay.io/repository/devspaces/devspaces-operator-bundle?tab=tags>registry-proxy.engineering.redhat.com/rh-osbs/devspaces-operator-bundle:3.5-58
  * LATEST DWO OPERATOR BUNDLE = <a href=https://quay.io/repository/devworkspace/devworkspace-operator-bundle?tab=tags>registry-proxy.engineering.redhat.com/rh-osbs/devworkspace-operator-bundle:0.18-2
+ x86_64-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.5-v4.12-411504-410106-x86_64
  + quay.io/devspaces/iib:3.5-v4.11-411648-410097-x86_64
  + quay.io/devspaces/iib:3.5-v4.11-x86_64
  + quay.io/devspaces/iib:next-v4.11-x86_64
  + quay.io/devspaces/iib:3.5-v4.10-411645-410093-x86_64
  + quay.io/devspaces/iib:3.5-v4.10-x86_64
  + quay.io/devspaces/iib:next-v4.10-x86_64
+ ppc64le-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.5-v4.12-411651-410106-ppc64le
  + quay.io/devspaces/iib:3.5-v4.12-ppc64le
  + quay.io/devspaces/iib:next-v4.12-ppc64le
  + quay.io/devspaces/iib:3.5-v4.11-411648-410097-ppc64le
  + quay.io/devspaces/iib:3.5-v4.11-ppc64le
  + quay.io/devspaces/iib:next-v4.11-ppc64le
  + quay.io/devspaces/iib:3.5-v4.10-411645-410093-ppc64le
  + quay.io/devspaces/iib:3.5-v4.10-ppc64le
  + quay.io/devspaces/iib:next-v4.10-ppc64le
+ s390x-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.5-v4.12-411651-410106-s390x
  + quay.io/devspaces/iib:3.5-v4.12-s390x
  + quay.io/devspaces/iib:next-v4.12-s390x
  + quay.io/devspaces/iib:3.5-v4.11-411648-410097-s390x
  + quay.io/devspaces/iib:3.5-v4.11-s390x
  + quay.io/devspaces/iib:next-v4.11-s390x
  + quay.io/devspaces/iib:3.5-v4.10-411645-410093-s390x
  + quay.io/devspaces/iib:3.5-v4.10-s390x
  + quay.io/devspaces/iib:next-v4.10-s390x