Description of problem:
The current "cluster-network-addons-operator" Pods SCC is "anyuid".

Version-Release number of selected component (if applicable):

How reproducible:
[kbidarka@kbidarka-host auth]$ oc get pod cluster-network-addons-operator-5d6fbdfc56-9slhn -o yaml -n openshift-cnv | grep scc
    openshift.io/scc: anyuid

Steps to Reproduce:
1. check for cluster-network-addons-operator pod SCC
2. oc get pod cluster-network-addons-operator-5d6fbdfc56-9slhn -o yaml -n openshift-cnv | grep scc
3.

Actual results:
Current SCC "anyuid" seems too open. Should have an SCC which is not too open.

Expected results:
Should not have a non-restricted SCC. Current SCC "anyuid" seems too open.

Additional info:
I believe this issue is caused by USER set in our Dockerfiles.
posted PR fix: https://github.com/kubevirt/cluster-network-addons-operator/pull/413
I have to bring this back to ASSIGNED. This indeed fixed the issue with SCC, but caused many others where we are unable to deploy operands. See https://bugzilla.redhat.com/show_bug.cgi?id=1844057
posted new PR fix: https://github.com/kubevirt/cluster-network-addons-operator/pull/419
I am embarrassed but we have to move this back to dev again.
Kedar, we may need to move this to 2.5 unless you suggest it should be a blocker. You see, we made several attempts to drop it, but every time we did, we failed on D/S with some missing rights. It needs careful consideration and I'm afraid we don't have enough time now. Are you ok with this being moved to 2.5? I know you'll have to adjust some tests, sorry about that.
After an upgrade (2.5.3 -> 2.6.0), the scc annotation was changed to anyuid.

[cloud-user@ocp-psi-executor ~]$ oc get pods -n openshift-cnv vm-import-controller-5588f6cd98-dcnxv -oyaml |grep scc
    openshift.io/scc: anyuid
[cloud-user@ocp-psi-executor ~]$ oc get ip -n openshift-cnv
NAME            CSV                                        APPROVAL   APPROVED
install-8v9dh   kubevirt-hyperconverged-operator.v2.5.3    Manual     true
install-cjcmx   kubevirt-hyperconverged-operator.v2.6.0    Manual     true
[cloud-user@ocp-psi-executor ~]$

In 2.5:
oc get pod -n openshift-cnv vm-import-controller-74d785b999-7vnl2 -oyaml|grep scc
    openshift.io/scc: restricted
Please disregard my last comment regarding upgrade. Not related to this entry.
As per comment7, dropping needinfo.
Since components we deploy need access to host network and be able to write to host filesystem, we cannot make CNAO restricted. I'm closing this. If anybody has a specific reason why we should avoid anyuid and replace it with an explicit SCC as done for e.g. bridge-marker, feel free to reopen the case.
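The reproduction steps above check one pod with grep; the closing comment turns on which pods genuinely need more than "restricted". The following audit script, added here as an example and not part of the CNAO project or of any comment in this thread, generalizes the check to a whole namespace: it reads the JSON that `oc get pods -n <namespace> -o json` prints, tallies pods per SCC (the `openshift.io/scc` annotation written at admission time), and lists every pod admitted under one of the permissive built-in SCCs. The sample PodList is constructed (the pod names mirror those quoted above; the `example-explicit-scc` value stands in for a project-specific SCC such as the one mentioned for bridge-marker), and the grouping of SCC names into "permissive" is this script's own choice.

```python
"""Audit which SCC each Pod in an OpenShift namespace was admitted under.

Added example for this bug thread; not CNAO project code. Input is the JSON
printed by `oc get pods -n <ns> -o json`; with no file argument the constructed
sample below is audited instead.
"""
import json
import sys

# Built-in OpenShift SCC names that relax something "restricted" forbids.
# Treating exactly this set as "permissive" is this script's own assumption.
PERMISSIVE_SCCS = frozenset({
    "anyuid", "hostaccess", "hostmount-anyuid", "hostnetwork",
    "nonroot", "privileged",
})

SCC_ANNOTATION = "openshift.io/scc"


def pod_scc(pod):
    """Return the SCC name recorded on a Pod at admission, or None if absent."""
    return pod.get("metadata", {}).get("annotations", {}).get(SCC_ANNOTATION)


def audit_pod_sccs(pod_list, permissive=PERMISSIVE_SCCS):
    """Return [(namespace, name, scc)] for every pod on a permissive SCC.

    A pod with no SCC annotation is reported with scc=None: either it was not
    admitted through SCC at all or the JSON did not come from a live cluster,
    and both cases deserve a look.
    """
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        scc = pod_scc(pod)
        if scc is None or scc in permissive:
            findings.append((meta.get("namespace"), meta.get("name"), scc))
    return findings


def summarize(pod_list):
    """Count pods per SCC so the namespace-wide picture is visible at a glance."""
    counts = {}
    for pod in pod_list.get("items", []):
        scc = pod_scc(pod) or "<none>"
        counts[scc] = counts.get(scc, 0) + 1
    return counts


# Constructed sample: a trimmed PodList carrying only the fields the audit
# needs. The SCC values are the ones reported in the thread (anyuid for the
# operator, restricted for the 2.5 vm-import-controller); the third pod and
# its SCC name are placeholders for a component with its own explicit SCC.
SAMPLE_POD_LIST = {
    "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "openshift-cnv",
                      "name": "cluster-network-addons-operator-5d6fbdfc56-9slhn",
                      "annotations": {SCC_ANNOTATION: "anyuid"}}},
        {"metadata": {"namespace": "openshift-cnv",
                      "name": "vm-import-controller-74d785b999-7vnl2",
                      "annotations": {SCC_ANNOTATION: "restricted"}}},
        {"metadata": {"namespace": "openshift-cnv",
                      "name": "bridge-marker-constructed-sample",  # constructed
                      "annotations": {SCC_ANNOTATION: "example-explicit-scc"}}},
    ],
}


def load_pod_list(path):
    """Load a PodList from a file, from stdin ("-"), or fall back to the sample."""
    if path == "-":
        return json.load(sys.stdin)
    if path:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    return SAMPLE_POD_LIST


def main():
    # Usage: oc get pods -n openshift-cnv -o json | python3 scc_audit.py -
    pods = load_pod_list(sys.argv[1] if len(sys.argv) > 1 else None)
    for scc, n in sorted(summarize(pods).items()):
        print(f"{n:4d}  {scc}")
    for ns, name, scc in audit_pod_sccs(pods):
        print(f"PERMISSIVE  {ns}/{name}  scc={scc}")


if __name__ == "__main__":
    main()
```

Run against the sample, the summary shows one pod each on anyuid, restricted and the placeholder SCC, and only the operator pod is flagged; against a live namespace the flagged list is the set of pods whose need for host network or host filesystem access should be justified explicitly, ideally through a purpose-built SCC rather than anyuid.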