WIP try to move our pods to nonroot-v2 profile

* Kolla needs sudo, sudo needs uid 0.
* Manually mapping uid 0 via annotation does not seem to work.

controllers/nova_controller.go

@@ -167,7 +167,7 @@ func (r *NovaReconciler) Reconcile(ctx context.Context, req ctrl.Request) (resul
 	rbacRules := []rbacv1.PolicyRule{
 		{
 			APIGroups:     []string{"security.openshift.io"},
-			ResourceNames: []string{"anyuid"},
+			ResourceNames: []string{"nonroot-v2"},
 			Resources:     []string{"securitycontextconstraints"},
 			Verbs:         []string{"use"},
 		},

pkg/novaconductor/dbsync.go

@@ -59,6 +59,11 @@ func CellDBSyncJob(
 		},
 		Spec: batchv1.JobSpec{
 			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"io.kubernetes.cri-o.userns-mode": "private:uidmapping=0:100000:90000;gidmapping=0:100000:90000",
+					},
+				},
 				Spec: corev1.PodSpec{
 					RestartPolicy:      corev1.RestartPolicyOnFailure,
 					ServiceAccountName: instance.Spec.ServiceAccount,
@@ -75,7 +80,11 @@ func CellDBSyncJob(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: ptr.To(nova.NovaUserID),
+								RunAsUser:    ptr.To(nova.NovaUserID),
+								RunAsNonRoot: ptr.To(true),
+								SeccompProfile: &corev1.SeccompProfile{
+									Type: corev1.SeccompProfileTypeRuntimeDefault,
+								},
 							},
 							Env: env,
 							VolumeMounts: []corev1.VolumeMount{