@pradeep @cben To start, this is a ManageIQ forum so if you have CF specific questions I would suggest contacting Red Hat directly rather than coming here. Documentation links and beta releases may not be available to the entire community so they don’t really apply to this forum.
That said, the manageiq-pods project has many similar concerns, so I should be able to answer by explaining how things work there.
The images run using the miq-anyuid service account (to which we assign the anyuid scc) so they will run as root.
This is something we do want to tackle in the future, but it is not in the scope of the Gaprindashvili release.
As for the privileged SA, that’s only for the ansible pod used for the “embedded ansible” role.
We want to move toward using AWX for the embedded ansible role as we have for the ManageIQ appliance, but that work is also not scoped and likely won’t be tackled for this release.
If you don’t intend to use the embedded ansible functionality, then you don’t have to assign the privileged scc to the miq-privileged SA and the pod will just fail if the role is enabled.
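An added example, not part of the original post or of the manageiq-pods project: a small audit that reads pod JSON in the shape produced by `oc get pods -o json` and reports which pods were admitted under the anyuid or privileged SCC, and under which service account. It assumes OpenShift's `openshift.io/scc` pod annotation; the service account names come from the post, while the pod names and the sample data are constructed.

```python
import json

# SCCs named in the post: anyuid (containers may run as root) and privileged.
ELEVATED_SCCS = {"anyuid", "privileged"}

# Constructed sample in the shape of `oc get pods -o json`; pod names are made up.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "manageiq-0",
                "annotations": {"openshift.io/scc": "anyuid"}},
   "spec": {"serviceAccountName": "miq-anyuid",
            "containers": [{"name": "manageiq"}]}},
  {"metadata": {"name": "ansible-1-abcde",
                "annotations": {"openshift.io/scc": "privileged"}},
   "spec": {"serviceAccountName": "miq-privileged",
            "containers": [{"name": "ansible",
                            "securityContext": {"privileged": true}}]}},
  {"metadata": {"name": "example-db-1-fghij",
                "annotations": {"openshift.io/scc": "restricted"}},
   "spec": {"containers": [{"name": "db"}]}}
]}
""")


def audit_pods(pod_list):
    """Return one finding per pod admitted under an elevated SCC or
    running a container with securityContext.privileged set to true."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        scc = (meta.get("annotations") or {}).get("openshift.io/scc", "unknown")
        privileged = [c.get("name", "?") for c in spec.get("containers", [])
                      if (c.get("securityContext") or {}).get("privileged") is True]
        if scc in ELEVATED_SCCS or privileged:
            findings.append({
                "pod": meta.get("name", "?"),
                # Pods without an explicit SA run as the project's "default" SA.
                "service_account": spec.get("serviceAccountName", "default"),
                "scc": scc,
                "privileged_containers": privileged,
            })
    return findings


if __name__ == "__main__":
    for f in audit_pods(SAMPLE):
        print(f"{f['pod']}: sa={f['service_account']} scc={f['scc']} "
              f"privileged_containers={f['privileged_containers']}")
```

On a live cluster, the same function can be run over the parsed output of `oc get pods -o json` for the ManageIQ project.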