Bug Report
What did you do?
Running the latest version of operator-sdk that had a fix for scorecard PSA
operator-sdk scorecard quay.io/opdev/simple-demo-operator-bundle:v0.0.6 --pod-security=restricted --namespace=default
What did you expect to see?
I'd expect to see this spin up a scorecard pod and run tests properly. Instead it errors out with the below error.
pods "scorecard-test-wkw7" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "scorecard-untar", "scorecard-test" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "scorecard-untar", "scorecard-test" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "scorecard-untar", "scorecard-test" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "scorecard-untar", "scorecard-test" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
What did you see instead? Under which circumstances?
Environment
Operator type:
/language go
/language ansible
/language helm
Kubernetes cluster type:
$ operator-sdk version
operator-sdk version: "v1.27.0", commit: "5cbdad9209332043b7c730856b6302edc8996faf", kubernetes version: "1.25.0", go version: "go1.19.5", GOOS: "linux", GOARCH: "amd64"
$ go version (if language is Go)
$ kubectl version
oc version
Client Version: 4.8.11
Server Version: 4.13.0-ec.2
Kubernetes Version: v1.25.2+7dab57f
Possible Solution
SecurityContext needs to be added to the containers as well as adding a runas for the PodSecurityContext, otherwise operator-sdk scorecard tests will never be able to run in the default namespace on clusters where PSA is enforced. So either operator-sdk makes a breaking change to not support the default namespace, or adds in the additional attributes needed to run properly there.
Additional context
Relates: #5939
Relates: #6187
Relates: #6181
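An offline check of a Pod manifest against the four "restricted" rules quoted in the admission error above, plus a helper that adds the securityContext fields the Possible Solution describes. This is an added illustration, not operator-sdk code and not the project's fix: the sample pod is constructed to resemble the scorecard pod (container names taken from the error message, image names are placeholders), manifests are plain Python dicts so it runs without a cluster or a YAML library, and only the four checks named in the error are implemented, not the full restricted profile.

```python
"""Check a Pod manifest (as a dict) against the four PodSecurity "restricted"
rules from the scorecard error, and add the fields needed to satisfy them.

Added example, not operator-sdk code. SCORECARD_POD is a constructed sample
modelled on the error message; the image names are placeholders.
"""
import copy

# Constructed sample: no securityContext anywhere, as the error describes.
SCORECARD_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "scorecard-test-wkw7", "namespace": "default"},
    "spec": {
        "initContainers": [
            {"name": "scorecard-untar", "image": "example.invalid/untar:latest"},
        ],
        "containers": [
            {"name": "scorecard-test", "image": "example.invalid/scorecard-test:latest"},
        ],
    },
}

RESTRICTED_SECCOMP_TYPES = ("RuntimeDefault", "Localhost")


def _all_containers(pod):
    """init, regular and ephemeral containers are all subject to the checks."""
    spec = pod.get("spec") or {}
    return ((spec.get("initContainers") or [])
            + (spec.get("containers") or [])
            + (spec.get("ephemeralContainers") or []))


def restricted_violations(pod):
    """Return violation strings in the style of the PSA admission message.

    Only the four checks from the error above are covered. The real
    restricted profile also includes the baseline checks (privileged,
    hostNetwork, hostPath volumes, ...), which this helper does not implement.
    """
    pod_sc = (pod.get("spec") or {}).get("securityContext") or {}
    violations = []

    # allowPrivilegeEscalation must be explicitly false on every container.
    bad = [c["name"] for c in _all_containers(pod)
           if (c.get("securityContext") or {}).get("allowPrivilegeEscalation") is not False]
    if bad:
        violations.append(f"allowPrivilegeEscalation != false (containers {bad})")

    # capabilities.drop must contain ALL on every container.
    bad = [c["name"] for c in _all_containers(pod)
           if "ALL" not in (((c.get("securityContext") or {}).get("capabilities") or {})
                            .get("drop") or [])]
    if bad:
        violations.append(f"unrestricted capabilities (containers {bad})")

    # runAsNonRoot may be set at pod level; a container-level value overrides it.
    def run_as_non_root(c):
        csc = c.get("securityContext") or {}
        return csc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is True
    bad = [c["name"] for c in _all_containers(pod) if not run_as_non_root(c)]
    if bad:
        violations.append(f"runAsNonRoot != true (pod or containers {bad})")

    # seccompProfile.type must be RuntimeDefault or Localhost, pod or container level.
    def seccomp_ok(c):
        csc = c.get("securityContext") or {}
        prof = csc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        return prof.get("type") in RESTRICTED_SECCOMP_TYPES
    bad = [c["name"] for c in _all_containers(pod) if not seccomp_ok(c)]
    if bad:
        violations.append(f"seccompProfile (pod or containers {bad})")

    return violations


def harden(pod, run_as_user=None):
    """Return a deep copy of pod with the restricted-profile fields filled in.

    Pod level: runAsNonRoot=true, seccompProfile RuntimeDefault, optional
    runAsUser. Per container: allowPrivilegeEscalation=false, drop ALL.
    Values already present are left untouched. (Added helper, not the fix
    operator-sdk shipped.)
    """
    out = copy.deepcopy(pod)
    spec = out.setdefault("spec", {})
    if not spec.get("securityContext"):
        spec["securityContext"] = {}
    pod_sc = spec["securityContext"]
    pod_sc.setdefault("runAsNonRoot", True)
    pod_sc.setdefault("seccompProfile", {"type": "RuntimeDefault"})
    if run_as_user is not None:
        pod_sc.setdefault("runAsUser", run_as_user)
    for c in _all_containers(out):
        if not c.get("securityContext"):
            c["securityContext"] = {}
        csc = c["securityContext"]
        csc.setdefault("allowPrivilegeEscalation", False)
        caps = csc.setdefault("capabilities", {})
        drop = list(caps.get("drop") or [])
        if "ALL" not in drop:
            caps["drop"] = drop + ["ALL"]
    return out
```

Running `restricted_violations(SCORECARD_POD)` reproduces the four complaints from the error for both `scorecard-untar` and `scorecard-test`; `restricted_violations(harden(SCORECARD_POD))` is empty. Note that `runAsNonRoot: true` on its own only gets the pod past admission: the kubelet additionally refuses to start a container whose image runs as root (or as a non-numeric USER it cannot verify), which is why the report also asks for a runAs setting, and on OpenShift an explicit UID must fall inside the range the namespace's SCC allows.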