Red Hat OpenShift GitLab Runner Operator not using the correct SCC for pods
Summary
In Red Hat OpenShift with GitLab Runner, the SCC for the created pods is set to restricted, although the service account has the anyuid SCC assigned.
This is the current setup:
GitLab Runner is installed in the namespace "gitlab-runner-operator" and is configured as follows:
runner-cm.yml

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: gitlab-dev-runner-config
data:
  config.toml: |
    [[runners]]
      [runners.kubernetes]
        namespace_overwrite_allowed = ".*"
        service_account_overwrite_allowed = ".*"
        privileged = true
        image_pull_secrets = ["..."]
        cpu_request = "100m"
        pull_policy = "always"
        serviceaccount = "gitlab-runner-sa"
```
runner-env-cm.yml

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: gitlab-dev-runner-env-config
data:
  FF_GITLAB_REGISTRY_HELPER_IMAGE: "1"
```
runner.yml

```yaml
apiVersion: apps.gitlab.com/v1beta2
kind: Runner
metadata:
  name: openshift-logic-gitlab-dev
spec:
  ca: custom-tls-ca
  concurrent: 10
  config: gitlab-dev-runner-config
  env: gitlab-dev-runner-env-config
  interval: 0
  gitlabUrl: https://gitlab-dev.cslg1.cslg.net
  tags: openshift4-dev
  token: gitlab-dev-runner-secret
```
They use the namespace and service account overwrite functions.
In the .gitlab-ci.yml:

```yaml
KUBERNETES_NAMESPACE_OVERWRITE: logic
KUBERNETES_SERVICE_ACCOUNT_OVERWRITE: logic-gitlab-runner-sa
```
The anyuid SCC is assigned correctly; this was verified by running a pod manually with the service account and checking the openshift.io/scc annotation:

```yaml
...
annotations:
  openshift.io/scc: anyuid
...
```
What is the current bug behavior?
The service account should be used with the correct annotations, but this doesn't seem to be the case.
What is the expected correct behavior?
That the service account has the correct annotations and has permissions to use anyuid.
Possible fixes
Having the correct annotations applied to the service account.
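As an added example (not part of this issue report and not code from the GitLab Runner Operator or OpenShift), the following Python script audits the situation described above offline: it reads objects shaped like the JSON that `oc get pod <name> -n logic -o json` and `oc get scc <name> -o json` return, reports which SCC the admission plugin actually recorded on the job pod, whether the pod's service account is named on the anyuid SCC (as `system:serviceaccount:logic:logic-gitlab-runner-sa`), which SCC OpenShift should have picked, and whether the requested namespace and service account pass the runner's `*_overwrite_allowed` patterns. All sample objects are constructed and the pod name is made up. Two simplifications are assumptions: SCC selection is modelled by `priority` only (OpenShift additionally breaks ties by restrictiveness), and the overwrite pattern is applied as an unanchored regex match, as with Go's `regexp.MatchString`.

```python
"""Audit why a GitLab Runner job pod landed on the `restricted` SCC.

Added example; not from the original issue, GitLab Runner, or OpenShift.
Inputs are dicts shaped like `oc get pod -o json` / `oc get scc -o json`
output; the sample objects at the bottom are constructed.
"""
import copy
import re
from typing import Dict, List, Optional

SCC_ANNOTATION = "openshift.io/scc"


def sa_user(namespace: str, sa: str) -> str:
    """Subject name OpenShift uses for a service account in an SCC's `users`."""
    return f"system:serviceaccount:{namespace}:{sa}"


def sa_groups(namespace: str) -> List[str]:
    """Groups every service account in `namespace` is a member of."""
    return ["system:authenticated", "system:serviceaccounts",
            f"system:serviceaccounts:{namespace}"]


def admitted_scc(pod: dict) -> str:
    """SCC the admission plugin recorded on the pod ('' if none)."""
    return pod["metadata"].get("annotations", {}).get(SCC_ANNOTATION, "")


def scc_granted_to_sa(scc: dict, namespace: str, sa: str) -> bool:
    """True if the SCC lists the SA or one of its groups directly.
    RBAC grants (`use` verb on securitycontextconstraints) live in role
    bindings, not on the SCC object, and are not modelled here."""
    return (sa_user(namespace, sa) in scc.get("users", [])
            or any(g in scc.get("groups", []) for g in sa_groups(namespace)))


def requests_privileged(pod: dict) -> bool:
    """True if any container asks for securityContext.privileged."""
    return any(c.get("securityContext", {}).get("privileged", False)
               for c in pod["spec"]["containers"])


def scc_validates(scc: dict, pod: dict) -> bool:
    """The one SCC rule relevant here: a privileged container is admitted
    only by an SCC with allowPrivilegedContainer=true (restricted and
    anyuid both leave it false)."""
    return scc.get("allowPrivilegedContainer", False) or not requests_privileged(pod)


def select_scc(sccs: List[dict], pod: dict) -> Optional[str]:
    """SCC OpenShift would choose: candidates granted to the pod's SA, highest
    `priority` first (unset counts as 0), first one that validates wins.
    Assumption: the restrictiveness tie-break is left out."""
    ns = pod["metadata"]["namespace"]
    sa = pod["spec"].get("serviceAccountName", "default")
    candidates = [s for s in sccs if scc_granted_to_sa(s, ns, sa)]
    candidates.sort(key=lambda s: s.get("priority") or 0, reverse=True)
    for scc in candidates:
        if scc_validates(scc, pod):
            return scc["metadata"]["name"]
    return None  # nothing admits the pod: it would be rejected, not downgraded


def overwrite_allowed(pattern: str, requested: str) -> bool:
    """A *_overwrite_allowed check, assumed unanchored like Go's MatchString."""
    return re.search(pattern, requested) is not None


def audit(pod: dict, sccs: List[dict], runner_cfg: Dict[str, str]) -> Dict[str, object]:
    """Compare observed vs. expected SCC and check the overwrite patterns."""
    ns = pod["metadata"]["namespace"]
    sa = pod["spec"].get("serviceAccountName", "default")
    observed, expected = admitted_scc(pod), select_scc(sccs, pod)
    return {
        "namespace": ns, "service_account": sa,
        "observed_scc": observed, "expected_scc": expected,
        "mismatch": observed != expected,
        "privileged_requested": requests_privileged(pod),
        "namespace_overwrite_ok": overwrite_allowed(runner_cfg["namespace_overwrite_allowed"], ns),
        "sa_overwrite_ok": overwrite_allowed(runner_cfg["service_account_overwrite_allowed"], sa),
    }


def with_privileged_build(pod: dict) -> dict:
    """Copy of `pod` whose first container is privileged (privileged = true)."""
    p = copy.deepcopy(pod)
    p["spec"]["containers"][0].setdefault("securityContext", {})["privileged"] = True
    return p


# --- constructed sample input (mirrors the report) ---------------------------
RUNNER_CONFIG = {"namespace_overwrite_allowed": ".*", "service_account_overwrite_allowed": ".*"}
SAMPLE_POD = {
    "metadata": {"name": "runner-example-concurrent-0",  # made-up pod name
                 "namespace": "logic", "annotations": {SCC_ANNOTATION: "restricted"}},
    "spec": {"serviceAccountName": "logic-gitlab-runner-sa",
             "containers": [{"name": "build"}, {"name": "helper"}]},
}
SCC_RESTRICTED = {"metadata": {"name": "restricted"}, "priority": None,
                  "allowPrivilegedContainer": False, "users": [], "groups": ["system:authenticated"]}
SCC_ANYUID = {"metadata": {"name": "anyuid"}, "priority": 10, "allowPrivilegedContainer": False,
              "users": [sa_user("logic", "logic-gitlab-runner-sa")], "groups": []}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_POD, [SCC_RESTRICTED, SCC_ANYUID], RUNNER_CONFIG).items():
        print(f"{key:22} {value}")
```

Run it and `mismatch` comes out true for the sample: anyuid (priority 10) is granted to the SA and validates the pod, so it should have won over restricted. Two things the script points at when checking a real cluster: an SCC can also be granted through RBAC (a role with the `use` verb on `securitycontextconstraints` bound to the service account), which does not show up in the SCC's `users` list, so inspect role bindings in the target namespace as well; and with `privileged = true` in the runner config a job container that actually requests `privileged` is admitted by neither restricted nor anyuid, so a pod that was admitted under restricted did not carry that flag.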