fix: Prevent containers from running as root by removing unnecessary anyuid SCC bindings

[ugiordan]

Description

This PR addresses the security concern of containers running with root privileges by removing the following ServiceAccounts from default RoleBindings granting the anyuid SCC:

• Notebook
• ModelMesh
• ModelController
• Dashboard

These changes help ensure that containers run with non-root user privileges and comply with security policies. Additionally, this makes the default RoleBinding that assigns the default ServiceAccount to the anyuid SCC unnecessary:

> oc get rolebinding opendatahub -oyaml | yq 'del(.metadata)'
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:anyuid
subjects:
  - kind: ServiceAccount
    name: default
    namespace: opendatahub

How Has This Been Tested?

Screenshot or short clip

Merge criteria

• You have read the contributors guide.
• Commit messages are meaningful - have a clear and concise summary and detailed explanation of what was changed and why.
• Pull Request contains a description of the solution, a link to the JIRA issue, and to any dependent or related Pull Request.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

[biswassri]

/test opendatahub-operator-e2e

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 19.88%. Comparing base (8865ea6) to head (8513444).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1460      +/-   ##
==========================================
- Coverage   19.90%   19.88%   -0.02%     
==========================================
  Files         161      160       -1     
  Lines       10833    10818      -15     
==========================================
- Hits         2156     2151       -5     
+ Misses       8448     8440       -8     
+ Partials      229      227       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ugiordan]

/retest

[jiridanek]

I'm not following this in the entirety, but for Notebooks we really don't need to have anyuid scc, certainly not after https://issues.redhat.com/browse/RHOAIENG-72 got in, and IMO even before that we were good with any uid.

cc @opendatahub-io/notebook-devs for heads-up!

• RHOAIENG-72: Specify numeric UID in Dockerfiles kubeflow#348

[ugiordan]

/test opendatahub-operator-e2e

[ugiordan]

/uncc @Sara4994
/cc @lburgazzoli

[lburgazzoli]

is NewUpdatePodSecurityRoleBindingAction is not more in use, we can probably remove it

[lburgazzoli]

/lgtm

[ugiordan]

/retest

[lburgazzoli]

/test opendatahub-operator-e2e

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lburgazzoli

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [lburgazzoli]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment