OpenShift Bugs: OCPBUGS-12724

When matched by a custom SCC, the CVO may run as the root user and doesn't drop capabilities


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Affects Version/s: 4.12.z
    • Sprint: OTA 255

    Description

      Description of problem:

      When matched by a custom SCC, the CVO may run as the root user and doesn't drop capabilities.

      Version-Release number of selected component (if applicable):

      4.12
      

      How reproducible:

      $ oc get pods -n openshift-cluster-version -o custom-columns=NAMESPACE:.metadata.namespace,POD_NAME:.metadata.name,SERVICE_ACCOUNT:.spec.serviceAccount,SCC_PROFILE:".metadata.annotations.openshift\.io/scc"
      NAMESPACE                   POD_NAME                                    SERVICE_ACCOUNT   SCC_PROFILE
      openshift-cluster-version   cluster-version-operator-5b7c5599c6-l5kqm   default           custom-pod-security-policy
      
      $ oc get pods -n openshift-cluster-version cluster-version-operator-5b7c5599c6-l5kqm -o yaml | oc -n openshift-cluster-version policy scc-review -f -
      RESOURCE                                        SERVICE ACCOUNT   ALLOWED BY                          
      Pod/cluster-version-operator-5b7c5599c6-l5kqm   default           custom-pod-security-policy             
      Pod/cluster-version-operator-5b7c5599c6-l5kqm   default           hostaccess                          
      Pod/cluster-version-operator-5b7c5599c6-l5kqm   default           node-exporter                       
      Pod/cluster-version-operator-5b7c5599c6-l5kqm   default           privileged 
      
      $ oc get scc custom-pod-security-policy -o yaml
      allowHostDirVolumePlugin: true
      allowHostIPC: false
      allowHostNetwork: true
      allowHostPID: false
      allowHostPorts: false
      allowPrivilegeEscalation: true
      allowPrivilegedContainer: true
      allowedCapabilities:
      - CHOWN
      - KILL
      - NET_ADMIN
      - NET_BIND_SERVICE
      - NET_RAW
      - SETGID
      - SETUID
      - SYS_CHROOT
      allowedUnsafeSysctls:
      - net.ipv4.*
      - net.ipv6.*
      apiVersion: security.openshift.io/v1
      defaultAddCapabilities: null
      fsGroup:
        type: RunAsAny
      groups: []
      kind: SecurityContextConstraints
      metadata:
        annotations:
          kubectl.kubernetes.io/last-applied-configuration: |
            {"allowHostDirVolumePlugin":true,"allowHostIPC":false,"allowHostNetwork":true,"allowHostPorts":false,"allowPrivilegeEscalation":true,"allowPrivilegedContainer":true,"allowedCapabilities":["CHOWN","KILL","NET_ADMIN","NET_BIND_SERVICE","NET_RAW","SETGID","SETUID","SYS_CHROOT"],"allowedUnsafeSysctls":["net.ipv4.*","net.ipv6.*"],"allowtostPID":false,"apiVersion":"security.openshift.io/v1","defaultAddCapabilities":null,"fsGroup":{"type":"RunAsAny"},"groups":[],"kind":"SecurityContextConstraints","metadata":{"annotations":{},"name":"custom-pod-security-policy"},"priority":8,"readOnlyRootFilesystem":false,"requiredDropCapabilities":null,"runAsUser":{"type":"RunAsAny"},"seLinuxContext":{"type":"MustRunAs"},"supplementalGroups":{"type":"RunAsAny"},"users":[],"volumes":["configMap","emptyDir","hostPath","persistentVolumeClaim","projected","secret"]}
        creationTimestamp: "2023-04-25T13:52:40Z"
        generation: 1
        name: custom-pod-security-policy
        resourceVersion: "23492572"
        uid: 9cf1a7c8-134f-4c82-9583-7ab9534eb935
      priority: 8
      readOnlyRootFilesystem: false
      requiredDropCapabilities: null
      runAsUser:
        type: RunAsAny
      seLinuxContext:
        type: MustRunAs
      supplementalGroups:
        type: RunAsAny
      users: []
      volumes:
      - configMap
      - emptyDir
      - hostPath
      - persistentVolumeClaim
      - projected
      - secret
      
      $ oc rsh -n openshift-cluster-version cluster-version-operator-5b7c5599c6-l5kqm 
      sh-4.4# id
      uid=0(root) gid=0(root) groups=0(root)
      

      Additional info:
      The pod normally runs with the hostaccess SCC, which enforces a user ID and fsGroup from a range. It also drops some capabilities:

      $ oc get pods -n openshift-cluster-version -o custom-columns=POD_NAME:.metadata.name,SERVICE_ACCOUNT:.spec.serviceAccount,SCC_PROFILE:".metadata.annotations.openshift\.io/scc"
      POD_NAME                                    SERVICE_ACCOUNT   SCC_PROFILE
      cluster-version-operator-56f88c86df-c84zz   default           hostaccess
      $ oc exec -it -n openshift-cluster-version cluster-version-operator-56f88c86df-c84zz -- id
      uid=1000040000(1000040000) gid=0(root) groups=0(root),1000040000
      

      From a diff:

          resources:                                                      resources:
            requests:                                                       requests:
              cpu: 20m                                                        cpu: 20m
              memory: 50Mi                                                    memory: 50Mi
          securityContext:                                          <
            capabilities:                                           <
              drop:                                                 <
              - KILL                                                <
              - MKNOD                                               <
              - SETGID                                              <
              - SETUID                                              <
            runAsNonRoot: true                                      <
            runAsUser: 1000040000                                   <
          terminationMessagePath: /dev/termination-log                    terminationMessagePath: /dev/termination-log
      (...)
        restartPolicy: Always                                           restartPolicy: Always
        schedulerName: default-scheduler                                schedulerName: default-scheduler
        securityContext:                                                securityContext:
          fsGroup: 1000040000                                       <
          seLinuxOptions:                                                 seLinuxOptions:
            level: s0:c6,c5                                         |       level: s0:c6,c0
      

      About runAsNonRoot:

      [akaris@linux scc-assignments]$ oc explain pod.spec.securityContext.runAsNonRoot
      KIND:     Pod
      VERSION:  v1
      
      FIELD:    runAsNonRoot <boolean>
      
      DESCRIPTION:
           Indicates that the container must run as a non-root user. If true, the
           Kubelet will validate the image at runtime to ensure that it does not run
           as UID 0 (root) and fail to start the container if it does. If unset or
           false, no such validation will be performed. May also be set in
           SecurityContext. If set in both SecurityContext and PodSecurityContext, the
           value specified in SecurityContext takes precedence.
      
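The report shows two things worth being able to check without a cluster: which SCC admission ends up using for a pod, and what that choice does to the pod's effective securityContext. The following is an added example, not the reporter's code and not part of OpenShift. It models SCC admission order the way the OpenShift docs describe it (highest `priority` first, nil treated as 0, restrictiveness only as a tie-break) and then audits pod manifests of the shape `oc get pod -o json` returns for the guarantees the diff above shows hostaccess injecting (non-root UID, fsGroup, KILL/MKNOD/SETGID/SETUID dropped). The SCC records and the two CVO pod manifests are constructed from the values in the report; the `permissiveness` tie-break is a simplified stand-in for the admission plugin's real point score, and the fields given for node-exporter and privileged beyond what `scc-review` shows are assumptions.

```python
# Added example for OCPBUGS-12724; not the reporter's code and not part of OpenShift.
# (1) select_scc: admission picks from the SCCs the service account may use by
#     `priority` (highest first, nil counts as 0). Restrictiveness matters only on
#     a tie, so a custom SCC with priority 8 outranks hostaccess however
#     permissive it is.
# (2) audit_pod: flags pods whose admitted SCC or effective securityContext
#     lacks what hostaccess gives the CVO.
# SCC records and pod manifests below are constructed from the report's values;
# built-in SCC fields not stated in the report are assumptions.
from dataclasses import dataclass
from typing import Optional

HOSTACCESS_DROPS = frozenset({"KILL", "MKNOD", "SETGID", "SETUID"})  # from the diff in the report


@dataclass(frozen=True)
class SCC:
    name: str
    priority: Optional[int] = None       # nil in the API; sorted as 0
    run_as_user: str = "MustRunAsRange"
    allow_privileged: bool = False
    allow_host_network: bool = False
    required_drop_capabilities: frozenset = frozenset()


def permissiveness(scc: SCC) -> int:
    """Tie-break only. Simplified stand-in for the admission plugin's point score
    (assumption: more permissive knobs sort later). Not the real formula."""
    return (10 * scc.allow_privileged
            + 5 * (scc.run_as_user == "RunAsAny")
            + 2 * scc.allow_host_network
            - len(scc.required_drop_capabilities))


def select_scc(allowed: list) -> SCC:
    """The SCC admission would apply: highest priority, then most restrictive, then name."""
    return min(allowed, key=lambda s: (-(s.priority or 0), permissiveness(s), s.name))


def audit_pod(pod: dict, expected_sccs=("hostaccess",)) -> list:
    """Findings for one pod dict in the shape of `oc get pod -o json`."""
    findings = []
    scc = pod["metadata"].get("annotations", {}).get("openshift.io/scc")
    if scc not in expected_sccs:
        findings.append(f"admitted by unexpected SCC {scc!r}")
    pod_sc = pod["spec"].get("securityContext", {})
    if "fsGroup" not in pod_sc:
        findings.append("pod securityContext has no fsGroup")
    for c in pod["spec"]["containers"]:
        sc = c.get("securityContext", {})
        # per `oc explain`, the container-level value overrides the pod-level one
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and uid in (None, 0):
            findings.append(f"{c['name']}: nothing prevents UID 0 "
                            f"(runAsNonRoot unset, runAsUser {uid})")
        missing = HOSTACCESS_DROPS - set(sc.get("capabilities", {}).get("drop", []))
        if missing:
            findings.append(f"{c['name']}: capabilities not dropped: {sorted(missing)}")
    return findings


# SCCs the CVO's `default` service account could use, per `oc policy scc-review` above.
CUSTOM = SCC("custom-pod-security-policy", priority=8, run_as_user="RunAsAny",
             allow_privileged=True, allow_host_network=True)
HOSTACCESS = SCC("hostaccess", allow_host_network=True,
                 required_drop_capabilities=HOSTACCESS_DROPS)
NODE_EXPORTER = SCC("node-exporter", run_as_user="RunAsAny", allow_host_network=True)  # assumed
PRIVILEGED = SCC("privileged", run_as_user="RunAsAny", allow_privileged=True,
                 allow_host_network=True)  # assumed
ALLOWED = [CUSTOM, HOSTACCESS, NODE_EXPORTER, PRIVILEGED]


def cvo_pod(scc_name: str, hardened: bool) -> dict:
    """Minimal constructed CVO pod; `hardened` adds what hostaccess injected in the diff."""
    container = {"name": "cluster-version-operator"}
    pod_sc = {"seLinuxOptions": {"level": "s0:c6,c5"}}
    if hardened:
        container["securityContext"] = {
            "capabilities": {"drop": sorted(HOSTACCESS_DROPS)},
            "runAsNonRoot": True, "runAsUser": 1000040000}
        pod_sc["fsGroup"] = 1000040000
    return {"metadata": {"namespace": "openshift-cluster-version",
                         "annotations": {"openshift.io/scc": scc_name}},
            "spec": {"securityContext": pod_sc, "containers": [container]}}


if __name__ == "__main__":
    print("admission picks:", select_scc(ALLOWED).name)
    for name, hardened in (("hostaccess", True), ("custom-pod-security-policy", False)):
        print(name, audit_pod(cvo_pod(name, hardened)) or ["ok"])
```

`audit_pod` takes the same dict shape that `oc get pod -n openshift-cluster-version <pod> -o json` produces, so the same function can be run over real cluster output once `json.load`ed; removing the custom SCC's priority in the model is enough to make hostaccess win again, which is the knob the report's data turns on.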

      People

        lmohanty@redhat.com Lalatendu Mohanty
        akaris@redhat.com Andreas Karis
        Yang Yang
        Votes: 0
        Watchers: 6