tests: avoid opting out from OCP/OKD podSecurityLabelSync

Avoid opting out from OCP/OKD podSecurityLabelSync

This was done there because the virt-controller auto labelling
mechanism is overlapping and fighting with the
Openshift Pod Security Admission Autolabeling.
So we were setting that at test suite level
assuming that the Kubevirt PSA FG was always
on when deploying on Openshift.

Now we revisited that decision and so HCO
is not going to enable the PSA FG on Kubevirt, see:
kubevirt/hyperconverged-cluster-operator#2136
kubevirt/hyperconverged-cluster-operator#2135
kubevirt/hyperconverged-cluster-operator#2134
kubevirt/hyperconverged-cluster-operator#2133

but at this point, if PSA is enabled on the cluster,
on Openshift we should rely on its default
Pod Security Admission Autolabeling,
and so always blindly setting
"security.openshift.io/scc.podSecurityLabelSync": "false"
at testsuite level appears as a bad idea.

Set also
pod-security.kubernetes.io/warn=privileged
on the namespaces where we set
pod-security.kubernetes.io/enforce=privileged
to get rid of warnings from those namespaces.

Signed-off-by: Simone Tiraboschi <[email protected]>

tests/testsuite/namespace.go

@@ -306,11 +306,11 @@ func detectInstallNamespace() {
 
 func GetLabelsForNamespace(namespace string) map[string]string {
 	labels := map[string]string{
-		cleanup.TestLabelForNamespace(namespace):         "",
-		"security.openshift.io/scc.podSecurityLabelSync": "false",
+		cleanup.TestLabelForNamespace(namespace): "",
 	}
 	if namespace == NamespacePrivileged {
 		labels["pod-security.kubernetes.io/enforce"] = "privileged"
+		labels["pod-security.kubernetes.io/warn"] = "privileged"
 	}
 
 	return labels