fix(manifests): Revert PSS changes in manifests

[rimolive]

Description of your changes:
The changes introduced in #11462 broke manifests deployment in OpenShift environments. We need a more coordinated effort to add these PSS requirements as other WGs are requesting.

cc @HumairAK @juliusvonkohout

Checklist:

• You have signed off your commits
• The title for your pull request (PR) should follow our title convention. Learn more about the pull request title convention used in this repository.

[google-oss-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign zijianjoy for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• manifests/kustomize/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[juliusvonkohout]

@rimolive is that not a distribution specific thing, so openshift only and not Kubernetes in general? I ran Kubeflow on openshift before and it is possible to do it rootless. We are really following Kubernetes best practices here according to https://kubernetes.io/docs/concepts/security/pod-security-standards/. So I propose to not revert it, but rather that you post the error message here and we try to fix it for openshift.
Maybe we can keep 95%. I think the effort is coordinated, because it is mostly kubeflow/pipelines and kubeflow/manifests. We have it as a PoC from gsoc for a few months.

[juliusvonkohout]

@rimolive if there are confidential manifests involved we can also do a private session.

[rimolive]

@juliusvonkohout There are no confidential information involved, no worries! I'm talking specifically about the runAs* attributes that broke OpenShift. That's because we make use of random UIDs and setting these values explicitly is not allowed. I can't speak of the other changes, but I also reviewed the PSS requirements and I noticed that it is allowed to not set any of these runAs* values. For now, I'll plan to revert only this and see if the rest keeps working in OpenShift I'll make the proper changes.

/hold

[juliusvonkohout]

@juliusvonkohout There are no confidential information involved, no worries! I'm talking specifically about the runAs* attributes that broke OpenShift. That's because we make use of random UIDs and setting these values explicitly is not allowed. I can't speak of the other changes, but I also reviewed the PSS requirements and I noticed that it is allowed to not set any of these runAs* values. For now, I'll plan to revert only this and see if the rest keeps working in OpenShift I'll make the proper changes.

/hold

Can you just comment out the runas with a hashtag to #runAs...? This way we keep all information for later. It could be that we need to modify some dockerfiles to support runasanyuser, if not even better :-)