OpenShift Operator creating StatefulSet with containers running as particular UID

Anand Kumar

Jul 19, 2024, 7:22:58 PM7/19/24
to Operator Framework
Hello,

My team is developing an operator on OpenShift. For context this is an operator that will watch/create resources across the cluster. While reconciling the CR, the operator creates a StatefulSet that has a container that must run as a particular UID. Since we had only validated this operator on plain K8s before this, the StatefulSet's `serviceAccountName` field is just the default since we don't need any special permissions to set the UID.

I have looked into SecurityContextConstraints and their usage on OpenShift. For testing the operator, I've just been creating a RoleBinding that allows the `default` ServiceAccount to use the `anyuid` SCC. Based on this research, I've come up with the following changes that would be needed:

1. In the operator's helm chart, include the SecurityContextConstraint that allows creating a pod with the UID needed as a part. This will only be installed if the user sets some value indicating that it's running on OpenShift.
2. For each namespace where the CR is created, the operator will create a ServiceAccount called `bar` and a RoleBinding allowing it to use the SecurityContextConstraint installed above.
3. When the operator creates the StatefulSet in the target namespace, it will set `ServiceAccountName` to `bar` so that the right SA is used.

I'm mostly concerned with our operator having the ability to create RoleBindings, as this would be a newly granted permission we're adding. Is there a better practice here that I should be following?

Best,
Anand
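The manifests that the three steps above would produce, written out as an added example (not code from the original post or from the poster's operator) and narrowed to least privilege: instead of binding the `anyuid` SCC to the `default` ServiceAccount, a custom SCC pins exactly one UID, a ClusterRole grants `use` on that one SCC only, and a namespaced RoleBinding hands it to the dedicated `bar` ServiceAccount. The SCC name `foo-fixed-uid`, the UID `1000`, the namespace `target-ns` and the image are placeholders chosen for illustration.

```yaml
# Added example, not from the original post. Names, UID and namespace are placeholders.
---
# Step 1: custom SCC shipped by the operator's chart (OpenShift only).
# Pins a single UID rather than granting anyuid; host access stays disabled.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: foo-fixed-uid            # placeholder SCC name
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostDirVolumePlugin: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
allowHostPorts: false
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - ALL
runAsUser:
  type: MustRunAs
  uid: 1000                      # placeholder: the UID the container requires
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
---
# Step 1 (continued): cluster-scoped role that can `use` only this SCC.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: foo-fixed-uid-scc-user
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["foo-fixed-uid"]
    verbs: ["use"]
---
# Step 2: per-namespace ServiceAccount and RoleBinding created by the operator.
# The binding is namespaced, so the grant is confined to the CR's namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bar
  namespace: target-ns           # placeholder: namespace of the CR
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bar-use-foo-fixed-uid
  namespace: target-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: foo-fixed-uid-scc-user
subjects:
  - kind: ServiceAccount
    name: bar
    namespace: target-ns
---
# Step 3: the StatefulSet the operator reconciles, pinned to the `bar` SA.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: foo
  namespace: target-ns
spec:
  serviceName: foo
  replicas: 1
  selector:
    matchLabels: {app: foo}
  template:
    metadata:
      labels: {app: foo}
    spec:
      serviceAccountName: bar
      securityContext:
        runAsNonRoot: true
      containers:
        - name: app
          image: registry.example/foo:1.0   # placeholder image
          securityContext:
            runAsUser: 1000                 # must match the SCC's pinned UID
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```

Two points worth checking when adopting this layout. First, SCC admission evaluates every SCC the pod's ServiceAccount may `use`; `restricted-v2` rejects an explicit `runAsUser` outside the namespace's range, so the pod falls through to `foo-fixed-uid`, and the `bar` SA never gains the broader `anyuid` grant. Second, Kubernetes RBAC escalation prevention means the operator's own ServiceAccount can only create a RoleBinding whose ClusterRole permissions it already holds itself (or on which it has the `bind` verb), so the operator's ClusterRole needs `use` on `foo-fixed-uid` in addition to `create` on `rolebindings` and `serviceaccounts`; scoping that `use` rule with `resourceNames` keeps the newly granted permission as narrow as the concern in the post warrants.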
