Even though the ClusterTasks use `pipelines-scc` (which is very close to anyuid) via pipeline SA, there is no guarantee that the TaskRuns will not be run as root unless a USER is defined in the relevant Dockerfiles.

This is explained in detail by cboudjna@redhat.com at https://blog.chmouel.com/2022/01/25/user-namespaces-with-buildah-and-openshift-pipelines/ and https://blog.chmouel.com/2022/03/07/running-tasks-as-non-root-on-openshift-pipelines/

One side effect of this SCC is that any images running on Openshift Cluster, unless the container image has a "USER $user" in its dockerfile will run as root. So even standard tasks like the "git-clone" tasks end up checking out code as root when it really doesn't need to.

This needs to be fixed in 2 ways:

• We need to update the Dockerfiles (that we control) for affected ClusterTasks to declare `USER`, e.g. tkn and git-clone
• Use securityContext to disallow running as root in the ClusterTasks themselves, see https://tekton.dev/docs/pipelines/tasks/#running-step-containers-as-a-non-root-user