What is the nature and description of the request?
The customer is deploying Ansible Automation Platform (AAP 2.6) via the AAP Operator on OpenShift 4.18.
Currently, AAP task pods (Container Groups) default to hostUsers: true. Initial testing suggests that forcing hostUsers: false via a custom Security Context Constraint (SCC) causes admission controller conflicts or permission errors within the pod, as the Operator expects a 1:1 mapping with the host’s user namespace for volume mounts and internal process execution.
The customer requests that the AAP Operator allow task pods to be scheduled with hostUsers: false and correctly map UIDs/GIDs so that project data and execution environments function without permission denied errors.
Why does the customer need this? (List the business requirements here)
Security Mandate: The customer has a strict security mandate requiring all containerized workloads to leverage Linux User Namespaces via SCC and Pod Security Admission (PSA) policies.
Compliance: They are unable to run workloads that require the container processes to run in the host user namespace.
How would you like to achieve this? (List the functional requirements here)
Operator Support: The AAP Operator must support configurations where hostUsers is set to false in the Pod specification.
Permission Handling: The system must correctly handle UID/GID mapping between the container and the host storage so that Execution Environments (EE) can access volume mounts without requiring privileged access or host namespace usage.
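As an added illustration (not part of the request above, and not code from the AAP Operator or the project), the following POSIX shell helper shows the check a practitioner would use to confirm whether a task pod actually landed in a remapped user namespace, and which host UID a given container UID maps to. It parses the /proc/self/uid_map format (inside-ID, outside-ID, length) that any process can read; the two sample mappings are constructed, not captured from a cluster. The assumption is that the Container Group's custom pod spec has been changed to set hostUsers: false and that the map is obtained with something like `oc exec <task-pod> -- cat /proc/self/uid_map`.

```shell
#!/bin/sh
# Added example: classify a /proc/self/uid_map as the host identity mapping
# (pod running with hostUsers: true) or a remapped user namespace
# (hostUsers: false), and translate container UIDs to host UIDs.
#
# Each uid_map line reads: <id inside ns> <id outside ns> <length>
#   host user namespace (identity): "0 0 4294967295"
#   remapped namespace, for example: "0 65536 65536"  (container root is host UID 65536)

# Returns 0 (true) when the map is the single identity line every process in
# the initial (host) user namespace sees, 1 otherwise.
is_host_userns() {
    uid_map="$1"
    echo "$uid_map" | awk '
        { n++; if ($1 == 0 && $2 == 0 && $3 == 4294967295) ident = 1 }
        END { if (n == 1 && ident) exit 0; exit 1 }'
}

# Prints the host UID that container UID $2 maps to under map $1, or
# "unmapped" when the UID falls outside every range (such a UID cannot own
# files on the volume at all, which is one source of "permission denied").
host_uid_for() {
    uid_map="$1"; cuid="$2"
    echo "$uid_map" | awk -v c="$cuid" '
        { if (c >= $1 && c < $1 + $3) { print $2 + (c - $1); found = 1; exit } }
        END { if (!found) print "unmapped" }'
}

# One-line summary for an operator checking a task pod.
report() {
    if is_host_userns "$1"; then
        echo "host user namespace: container UID 0 is host root (hostUsers: true)"
    else
        echo "remapped user namespace: container UID 0 is host UID $(host_uid_for "$1" 0)"
    fi
}

# Constructed sample maps (not from a real cluster):
HOST_MAP='0 0 4294967295'
USERNS_MAP='0 65536 65536'

report "$HOST_MAP"
report "$USERNS_MAP"
```

In practice the map is fed in from the running task pod; a volume whose files are owned by host UID 1000 will only be writable by the container UID that host_uid_for translates to 1000, which is why the UID/GID mapping requested above has to match the storage ownership rather than the container's nominal user.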
List any affected known dependencies: Doc, UI, etc.
Documentation: Updates required regarding supported SCC configurations and Pod Security Standards.