From 94857995244afe0ddb35a616a612fb6870be5ef6 Mon Sep 17 00:00:00 2001
From: Ilias Rinis <irinis@redhat.com>
Date: Mon, 22 Jun 2026 13:29:07 +0200
Subject: [PATCH] Move required-scc annotation to pod template for
 machine-api-controllers

---
 pkg/operator/sync.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/pkg/operator/sync.go b/pkg/operator/sync.go
index 986f86d91..9471ca0b3 100644
--- a/pkg/operator/sync.go
+++ b/pkg/operator/sync.go
@@ -470,8 +470,7 @@ func newDeployment(config *OperatorConfig, features map[string]bool) *appsv1.Dep
 			Name:      "machine-api-controllers",
 			Namespace: config.TargetNamespace,
 			Annotations: map[string]string{
-				maoOwnedAnnotation:          "",
-				"openshift.io/required-scc": "restricted-v2",
+				maoOwnedAnnotation: "",
 			},
 			Labels: map[string]string{
 				"api":     "clusterapi",
@@ -619,9 +618,12 @@ func newPodTemplateSpec(config *OperatorConfig, features map[string]bool) *corev
 	}
 	volumes = append(volumes, newRBACConfigVolumes()...)
 
+	podAnnotations := maps.Clone(commonPodTemplateAnnotations)
+	podAnnotations["openshift.io/required-scc"] = "restricted-v2"
+
 	return &corev1.PodTemplateSpec{
 		ObjectMeta: metav1.ObjectMeta{
-			Annotations: commonPodTemplateAnnotations,
+			Annotations: podAnnotations,
 			Labels: map[string]string{
 				"api":     "clusterapi",
 				"k8s-app": "controller",