Story
Resolution: Done-Errata
Major
BU Product Work
OCPSTRAT-882 - CMA Operator on ROSA allows the user of arbitrary namespace name
Enhancement
Proposed
WINC - Sprint 241, WINC - Sprint 242, PODAUTO - Sprint 243
Privileged namespaces are blocked by webhook. The list is (as of right now in 'master' branch):
https://github.com/openshift/managed-cluster-validating-webhooks/blob/master/pkg/config/namespaces.go#L11-L120
And is documented here: https://docs.openshift.com/rosa/sd_support/rosa-managed-resources.html#rosa-managed-resources-all
That being said, it's exactly these kinds of namespace requirements that have forced this nuance in what namespaces are blocked instead of relying on some regex. There is a strong preference to not rely on a specific namespace for installation and instead support running in any namespace, so that the customer has flexibility in how an operator is deployed.
-------------------------------------
old
Hello,
From the SRE organization, we would like to be able to use CMA on OpenShift Dedicated / ROSA.
Slack thread: https://redhat-internal.slack.com/archives/C02F1J9UJJD/p1681910687628799
We are reluctant to use the openshift-keda installation method since it doesn't scale if every operator out there should be installed in its own namespace. In OSD/ROSA, cluster admins are prevented from creating `openshift-` namespaces.
We would prefer to have a working installation via the openshift-operators namespace.
Such an installation currently fails with the following error:
```
container has runAsNonRoot and image has non-numeric user (nobody), cannot verify user is non-root
```
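The error quoted above is produced by the kubelet's `runAsNonRoot` check. The following is an added example, a simplified model of that check and not code from this ticket or from the CMA operator, showing why an image whose user is the name `nobody` cannot be verified while a numeric `runAsUser` can. The type and function names and the UID 65534 are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// SecurityContext is a simplified stand-in for the effective pod/container
// securityContext (hypothetical type, not the Kubernetes API struct).
type SecurityContext struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
}

// VerifyRunAsNonRoot models the decision behind the quoted error.
// imageUID is nil when the image's USER is a name rather than a number.
func VerifyRunAsNonRoot(sc SecurityContext, imageUID *int64, imageUser string) error {
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		return nil // non-root policy not requested
	}
	if sc.RunAsUser != nil {
		if *sc.RunAsUser == 0 {
			return errors.New("container's runAsUser breaks non-root policy")
		}
		return nil // explicit numeric non-zero UID can be verified
	}
	switch {
	case imageUID != nil && *imageUID == 0:
		return errors.New("container has runAsNonRoot and image will run as root")
	case imageUID == nil && imageUser != "":
		// A user name cannot be resolved to a UID without reading the image.
		return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", imageUser)
	}
	return nil
}

func boolPtr(b bool) *bool    { return &b }
func int64Ptr(i int64) *int64 { return &i }

func main() {
	// Constructed cases: image USER "nobody", without and with a numeric runAsUser.
	onlyNonRoot := SecurityContext{RunAsNonRoot: boolPtr(true)}
	withUID := SecurityContext{RunAsNonRoot: boolPtr(true), RunAsUser: int64Ptr(65534)}
	fmt.Println("runAsNonRoot only:  ", VerifyRunAsNonRoot(onlyNonRoot, nil, "nobody"))
	fmt.Println("numeric runAsUser:  ", VerifyRunAsNonRoot(withUID, nil, "nobody"))
}
```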
- blocks: RHCLOUD-25394 Install CMA (formerly KEDA) on consoleDot stage/prod clusters (Closed)
- relates to: RFE-4664 CMA Operator allows the user of arbitrary namespace name (Accepted)
- links to: RHBA-2023:120782 Custom Metrics Autoscaler Operator for Red Hat 2.11.2-287 OpenShift Bug Fixes