With the operator-framework/operator-registry#974 in opm being copied to a /tmp
folder rather than / (root), a registry pod created in a namespace labled
enforce:restricted for the Pod Security Admission controller is created by
the catalog operator with the (appropriate securityContext details) https://github.com/operator-framework/operator-lifecycle-manager/pull/2820/files#diff-fffdeef1fc140a5dc5dc92dda323f567a6e46fc2ecbb0b91ba907acd02bde50dR185-R210
to run it in restricted mode.

However, Catalogs built with a version of opm that does not contain the above
change still needs privileged permission to run in a namespace that has to
be labeled as enforce:privileged for the PSA controller.

This PR introduces a new field, spec.runAsRoot, so that admins can indiciate
their intent to allow to run the old CatalogSource in a privileged mode.
When the catalog operator sees this field set to true, it will not set the
securityContext in the registry pod to runAsNonRoot:true. Instead, it will
set the securityContext to runAsNonRoot:false.

Description of the change:

Motivation for the change:

Architectural changes:

Testing remarks:

Reviewer Checklist

• Implementation matches the proposed design, or proposal is updated to match implementation
• Sufficient unit test coverage
• Sufficient end-to-end test coverage
• Bug fixes are accompanied by regression test(s)
• e2e tests and flake fixes are accompanied evidence of flake testing, e.g. executing the test 100(0) times
• tech debt/todo is accompanied by issue link(s) in comments in the surrounding code
• Tests are comprehensible, e.g. Ginkgo DSL is being used appropriately
• Docs updated or added to /doc
• Commit messages sensible and descriptive
• Tests marked as [FLAKE] are truly flaky and have an issue
• Code is properly formatted

Signed-off-by: Jordan [email protected]