With the release of Quay 3.3 it's now possible to install Quay without any special permissions aside from what's normally allocated by system:authenticated role. The OpenShift user will have to request extra memory be allocated to their project in most cases as the default memory limit is 1Gi. However once that is complete no extra RBAC, or SCC permissions need to be granted.

A few things need to be change in the openshift install documentation to reflect this:

• Remove the 'put', 'patch', and 'update' permissions on secrets in the quay-enterprise-service-account role
• Don't add anyuserid SCC to default service account

Because secrets cannot be modified the config pod will not be able to automatically update the quay-enterprise-config-secret with the configuration but it can be downloaded and then added manually instead.

Also, we should add memory requests and limits to the replication controller configuration for the quay-enterprise-app so that it doesn't try to start with the default memory limit of 1Gi.