In multitenant environments, we cannot expect to have access to namespaces to derive valid UID/GIDs, so we'll need to take whatever OCP injects into the securityContext and work with that. The reason this works is that if no securityContext is provided by the user, OCP will create one with a valid runAsUser value that is in the expected range.
I could only test this together with the 2.5 operator (there's no 2.6 operator yet) which has different injection templates, but it seemed to work.
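
As an added example (not code from this change or from the operator), the following Go function reads the runAsUser that is already present on an admitted pod instead of deriving a UID from namespace data, and fails closed when none is present. The function name, the lookup order (container level first, then pod level) and the sample pod are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal subset of the Pod schema needed to locate runAsUser.
type securityContext struct {
	RunAsUser *int64 `json:"runAsUser"`
}

type container struct {
	Name            string           `json:"name"`
	SecurityContext *securityContext `json:"securityContext"`
}

type pod struct {
	Spec struct {
		SecurityContext *securityContext `json:"securityContext"`
		Containers      []container      `json:"containers"`
	} `json:"spec"`
}

var errNoRunAsUser = errors.New("no runAsUser on pod: refusing to guess a UID")

// admittedRunAsUser (hypothetical name) returns the first runAsUser found on
// the pod, without any lookup of the namespace the pod lives in.
func admittedRunAsUser(podJSON []byte) (int64, error) {
	var p pod
	if err := json.Unmarshal(podJSON, &p); err != nil {
		return 0, fmt.Errorf("decode pod: %w", err)
	}
	for _, c := range p.Spec.Containers {
		if c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil {
			return *c.SecurityContext.RunAsUser, nil
		}
	}
	if sc := p.Spec.SecurityContext; sc != nil && sc.RunAsUser != nil {
		return *sc.RunAsUser, nil
	}
	return 0, errNoRunAsUser // fail closed rather than fall back to a fixed UID
}

// Constructed sample: a pod whose container already carries a runAsUser.
const samplePod = `{"spec":{"containers":[{"name":"app","securityContext":{"runAsUser":1000650000}}]}}`

func main() {
	fmt.Println(admittedRunAsUser([]byte(samplePod)))
}
```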