clear out tenant security context

add scc needed to run tenant

developer/openshift/operators/minio/tenant/kustomization.yaml

@@ -4,3 +4,4 @@ kind: Kustomization
 resources:
   - namespace.yaml
   - tenant.yaml
+  - tenant-permissions.yaml

developer/openshift/operators/minio/tenant/tenant-permissions.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: minio
+  namespace: tekton-results
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: minio
+  namespace: tekton-results
+rules:
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - nonroot
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: minio
+  namespace: tekton-results
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: minio
+subjects:
+  - kind: ServiceAccount
+    name: minio
+    namespace: tekton-results

developer/openshift/operators/minio/tenant/tenant.yaml

@@ -44,7 +44,7 @@ spec:
   imagePullSecret: {}
   mountPath: /export
   subPath: ""
-  serviceAccountName: ""
+  serviceAccountName: "minio"
   pools:
     - servers: 1
       name: pool-0
@@ -67,8 +67,5 @@ spec:
             requests:
               storage: 1Gi
         status: {}
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000630001
-        runAsGroup: 1000630002
+      securityContext: {}
   requestAutoCert: true

operator/gitops/compute/pipeline-service-manager/role.yaml

@@ -110,6 +110,14 @@ rules:
       - "get"
       - "create"
       - "update"
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - nonroot
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
   - apiGroups:
       - pipelinesascode.tekton.dev
     resources: