-
Epic
-
Resolution: Done
-
Blocker
-
None
-
required-scc
-
Product / Portfolio Work
-
False
-
-
False
-
None
-
Green
-
Done
-
0% To Do, 0% In Progress, 100% Done
-
The OpenShift API dictates that a workload should pin the SCC it needs by setting the `openshift.io/required-scc` annotation on its pods: https://docs.openshift.com/container-platform/4.17/authentication/managing-security-context-constraints.html#security-context-constraints-requiring_configuring-internal-oauth
`required-scc` prevents customer-provided (or other extension-provided) SCCs from being auto-selected for pods. Auto-selection can fail in multiple ways: the SCC that wins may not grant enough permissions for the pod to run, or it may change the UID the containers run as. When combined with pod security admission (turned on in new clusters in 4.19), an SCC selected purely on the basis of the service account's RBAC permissions can violate the namespace's PSA level, and the pods are not admitted. This is critical in the 4.19 development cycle.
This is failing the OpenShift conformance tests, as shown in this [execution|https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/59472/rehearse-59472-periodic-ci-openshift-ovn-kubernetes-release-4.19-periodics-e2e-aws-ovn-virt-techpreview-periodic/1864002712811606016].
All CNV workloads must start using it.
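The following is an added example for this epic, not code from the CNV project or from the issue author. It shows the two things a component owner needs: an audit that finds pods in a namespace that lack `openshift.io/required-scc` (or whose required SCC disagrees with the `openshift.io/scc` annotation that SCC admission records on the pod), and a helper that puts the annotation where it has to go, on the controller's pod template (`spec.template.metadata.annotations`) rather than on the Deployment's own metadata, because admission only sees the pod. The audit takes the JSON shape that `oc get pods -n openshift-cnv -o json` returns; the pod objects, the Deployment and the SCC names in the sample data below are constructed for the example and are not real cluster output.

```python
"""Audit pods for openshift.io/required-scc and patch a pod template to set it.

Added example for this issue, not CNV or OpenShift project code. Input is the
`oc get ... -o json` shape; the sample objects at the bottom are constructed.
"""
import copy
import json
import sys

REQUIRED_SCC = "openshift.io/required-scc"  # set by the workload owner on the pod
ASSIGNED_SCC = "openshift.io/scc"           # recorded on the pod by SCC admission


def audit_pod(pod, expected_scc=None):
    """Return a list of findings for one pod; an empty list means the pod is fine.

    Checks: the annotation is present; it names the SCC the component is
    expected to require (when `expected_scc` is given); and it agrees with the
    SCC that admission actually assigned.
    """
    meta = pod.get("metadata", {})
    ident = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
    ann = meta.get("annotations") or {}
    required = ann.get(REQUIRED_SCC)
    assigned = ann.get(ASSIGNED_SCC)
    findings = []
    if required is None:
        # Without the annotation, admission picks whichever SCC the service
        # account's RBAC allows, which is the failure mode this issue describes.
        findings.append(f"{ident}: missing {REQUIRED_SCC} (auto-selected SCC: {assigned})")
        return findings
    if expected_scc is not None and required != expected_scc:
        findings.append(f"{ident}: requires {required}, expected {expected_scc}")
    if assigned is not None and assigned != required:
        # Admission validates only against the required SCC, so a mismatch means the
        # annotation was changed after the pod was admitted, not a fallback.
        findings.append(f"{ident}: requires {required} but admission assigned {assigned}")
    return findings


def audit_pod_list(pod_list, expected_scc=None):
    """Run audit_pod over an `oc get pods -o json` style list."""
    findings = []
    for pod in pod_list.get("items", []):
        findings.extend(audit_pod(pod, expected_scc))
    return findings


def require_scc(controller, scc):
    """Return a copy of a Deployment/DaemonSet/StatefulSet with the annotation on its
    pod template. It must live at spec.template.metadata.annotations, not on the
    controller's metadata, because SCC admission only looks at the pod being created.
    """
    patched = copy.deepcopy(controller)
    template_meta = (patched.setdefault("spec", {})
                            .setdefault("template", {})
                            .setdefault("metadata", {}))
    template_meta.setdefault("annotations", {})[REQUIRED_SCC] = scc
    return patched


# Constructed sample input (not real cluster output); names are illustrative.
SAMPLE_PODS = {
    "items": [
        {"metadata": {"namespace": "openshift-cnv", "name": "virt-api-0",
                      "annotations": {REQUIRED_SCC: "restricted-v2", ASSIGNED_SCC: "restricted-v2"}}},
        {"metadata": {"namespace": "openshift-cnv", "name": "virt-exportproxy-0",
                      "annotations": {ASSIGNED_SCC: "restricted-v2"}}},
        {"metadata": {"namespace": "openshift-cnv", "name": "example-0",
                      "annotations": {REQUIRED_SCC: "restricted-v2", ASSIGNED_SCC: "privileged"}}},
    ]
}

SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "virt-exportproxy", "namespace": "openshift-cnv"},
    "spec": {"template": {"metadata": {"labels": {"app": "virt-exportproxy"}},
                          "spec": {"containers": [{"name": "exportproxy", "image": "example/exportproxy"}]}}},
}

if __name__ == "__main__":
    # Pipe real output in with: oc get pods -n openshift-cnv -o json | python3 audit.py
    pods = SAMPLE_PODS if sys.stdin.isatty() else json.load(sys.stdin)
    for line in audit_pod_list(pods, expected_scc="restricted-v2"):
        print(line)
    patched = require_scc(SAMPLE_DEPLOYMENT, "restricted-v2")
    print(json.dumps(patched["spec"]["template"]["metadata"], indent=2))
```

Once the annotation is set, admission validates the pod against that SCC only: if the service account cannot use it or the pod spec does not satisfy it, the pod is rejected at admission rather than silently landing on a broader SCC, which is the behaviour the conformance test is checking for.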
- is depended on by
-
OCPBUGS-49657 ns/openshift-cnv must set the 'openshift.io/required-scc' annotation
-
- Closed
-
- is related to
-
CNV-62807 openshift.io/required-scc: restricted-v2 annotation is missing for virt-exportproxy
-
- Verified
-
- split to
-
CNV-52654 Add `required-scc` annotation to CNAO components
-
- Closed
-
- links to