When trying to fix this issue for service-ca operator and controller, some dependency loops were identified that prevent the removal of the run-level label from the operator's and operand's namespaces. Originally, it was observed that the DNS operator has a compulsory mount of the serving certificate provided by the service-ca controller. This prevented etcd from running, which in turn caused failures of the kube-apiserver deployment after bootstrap, which caused the cluster-policy-controller (which is not a part of the bootstrap control plane) to fail to connect to the API (it connects to localhost and thus won't use the bootstrap-control-plane kube-apiserver). This was fixed by removing the etcd dependency on DNS in https://github.com/openshift/cluster-etcd-operator/pull/233. The cluster-policy-controller is unfortunately still dependent on the openshift-apiserver, which provides the rangeallocations.security.openshift.io resources needed by the namespace-security-allocation-controller (part of cluster-policy-controller). Without the namespace-security-allocation-controller running and annotating the namespaces with the annotations needed for SCC admission, the service-ca operator and controller cannot run with any SCC other than privileged, which would be a poor fix to the issue. Note that the openshift-apiserver can't run without service-ca already running, which creates yet another dependency loop. A solution to the problem would be to move the rangeallocations.security.openshift.io resource group to a CRD so that the controller can work even before openshift-apiserver starts, allowing any payload to use a proper SCC. I don't think the move to CRDs would be wise at this point in the development phase of 4.4.
Reopened and moved to 4.5.
No progress in 4.5 about this (mirroring changes to the operator bug: https://bugzilla.redhat.com/show_bug.cgi?id=1806917#c3)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633