diff --git a/data/kube-secondary-dns/secondarydns.yaml b/data/kube-secondary-dns/secondarydns.yaml
index 9a931a522..50a183056 100644
--- a/data/kube-secondary-dns/secondarydns.yaml
+++ b/data/kube-secondary-dns/secondarydns.yaml
@@ -73,6 +73,7 @@ spec:
 k8s-app: secondary-dns
 annotations:
 kubectl.kubernetes.io/default-container: status-monitor
+ openshift.io/required-scc: "restricted-v2"
 spec:
 serviceAccountName: secondary
 securityContext:
diff --git a/data/kubemacpool/kubemacpool.yaml b/data/kubemacpool/kubemacpool.yaml
index b2ab4f564..13e181281 100644
--- a/data/kubemacpool/kubemacpool.yaml
+++ b/data/kubemacpool/kubemacpool.yaml
@@ -145,6 +145,8 @@ spec:
 type: Recreate
 template:
 metadata:
+ annotations:
+ openshift.io/required-scc: restricted-v2
 labels:
 app: kubemacpool
 control-plane: cert-manager
@@ -235,6 +237,7 @@ spec:
 metadata:
 annotations:
 description: KubeMacPool manages MAC allocation to Pods and VMs
+ openshift.io/required-scc: restricted-v2
 labels:
 app: kubemacpool
 control-plane: mac-controller-manager
diff --git a/data/kubevirt-ipam-controller/001-kubevirtipamcontroller.yaml b/data/kubevirt-ipam-controller/001-kubevirtipamcontroller.yaml
index a0ff11a2f..fed1950ac 100644
--- a/data/kubevirt-ipam-controller/001-kubevirtipamcontroller.yaml
+++ b/data/kubevirt-ipam-controller/001-kubevirtipamcontroller.yaml
@@ -172,6 +172,9 @@ spec:
 metadata:
 annotations:
 kubectl.kubernetes.io/default-container: manager
+{{ if .IsOpenshift }}
+ openshift.io/required-scc: "restricted-v2"
+{{ end }}
 labels:
 app: ipam-virt-workloads
 control-plane: manager
diff --git a/data/kubevirt-ipam-controller/003-passtbindingcni.yaml b/data/kubevirt-ipam-controller/003-passtbindingcni.yaml
index a4384d0fc..98131577b 100644
--- a/data/kubevirt-ipam-controller/003-passtbindingcni.yaml
+++ b/data/kubevirt-ipam-controller/003-passtbindingcni.yaml
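Review bot: The `openshift.io/required-scc: "restricted-v2"` annotation is added unconditionally in the secondarydns.yaml hunk, and likewise in both kubemacpool.yaml hunks, while the 001-kubevirtipamcontroller.yaml hunk wraps the same annotation in `{{ if .IsOpenshift }}` / `{{ end }}`. As I understand the annotation, it makes OpenShift's SCC admission validate the pod only against the named SCC, so a `restricted-v2` that is absent or not usable by the service account means a rejected pod rather than a fallback to another SCC; outside OpenShift the annotation is inert, which is presumably why the ungated form was judged acceptable. Mixing gated and ungated forms in one change makes that reasoning hard to recover later, so either gate all four the same way or leave a comment on the ungated ones such as `# pins SCC admission to restricted-v2 (OpenShift only; ignored elsewhere)`.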
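Review bot: Both kubemacpool.yaml hunks write the value unquoted, `openshift.io/required-scc: restricted-v2`, while every other manifest in this change and the patch text in bump-kubemacpool.sh quote it as `"restricted-v2"`. The bare form still parses as a string, so on its own this is a consistency point, but if data/kubemacpool/kubemacpool.yaml is meant to be the regenerated output of bump-kubemacpool.sh, the quoting difference suggests the two were not produced together (or a later tool in that pipeline normalises quotes), which is worth confirming by rerunning the bump. Writing `openshift.io/required-scc: "restricted-v2"` here would make all six manifests agree.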
@@ -23,6 +23,9 @@ spec:
 app: passt-binding-cni
 annotations:
 description: passt-binding-cni installs passt binding CNI on cluster nodes
+{{ if .EnableSCC }}
+ openshift.io/required-scc: "passt-binding-cni"
+{{ end }}
 spec:
 priorityClassName: system-cluster-critical
 {{ if .EnableSCC }}
diff --git a/data/linux-bridge/002-linux-bridge.yaml b/data/linux-bridge/002-linux-bridge.yaml
index c9bc7ca1c..e27555c72 100644
--- a/data/linux-bridge/002-linux-bridge.yaml
+++ b/data/linux-bridge/002-linux-bridge.yaml
@@ -22,6 +22,9 @@ spec:
 tier: node
 app: cni-plugins
 annotations:
+{{ if .EnableSCC }}
+ openshift.io/required-scc: "linux-bridge"
+{{ end }}
 description: LinuxBridge installs 'bridge' CNI on cluster nodes, so it can be later used to attach Pods/VMs to Linux bridges
 spec:
 {{ if .EnableSCC }}
diff --git a/data/linux-bridge/003-bridge-marker.yaml b/data/linux-bridge/003-bridge-marker.yaml
index b258b21ce..06a67c8a2 100644
--- a/data/linux-bridge/003-bridge-marker.yaml
+++ b/data/linux-bridge/003-bridge-marker.yaml
@@ -23,6 +23,7 @@ spec:
 name: bridge-marker
 annotations:
 description: Bridge marker exposes network bridges available on nodes as node resources
+ openshift.io/required-scc: "bridge-marker"
 spec:
 serviceAccountName: bridge-marker
 hostNetwork: true
diff --git a/hack/components/bump-bridge-marker.sh b/hack/components/bump-bridge-marker.sh
index 05bcb3104..7d2a8f79a 100755
--- a/hack/components/bump-bridge-marker.sh
+++ b/hack/components/bump-bridge-marker.sh
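Review bot: In the 003-bridge-marker.yaml hunk the annotation `openshift.io/required-scc: "bridge-marker"` is added unconditionally, whereas the sibling 002-linux-bridge.yaml and 003-passtbindingcni.yaml hunks wrap their component-specific SCC name in `{{ if .EnableSCC }}` / `{{ end }}`. If the `bridge-marker` SCC itself is only rendered under that same flag (its definition is not in this diff), an OpenShift cluster with the flag off would get a DaemonSet whose pods are pinned to an SCC that does not exist, and as far as I understand the annotation those pods are rejected at admission rather than falling back to an SCC the service account can use. Gating this line the same way keeps the three manifests consistent; the bump-bridge-marker.sh hunk that emits this line via `yaml-utils::set_param` would then need the equivalent conditional, which that helper may not support.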
@@ -24,6 +24,7 @@ function __parametize_by_object() {
 yaml-utils::update_param ${f} spec.template.spec.containers[0].imagePullPolicy '{{ .ImagePullPolicy }}'
 yaml-utils::update_param ${f} spec.template.spec.nodeSelector '{{ toYaml .Placement.NodeSelector | nindent 8 }}'
 yaml-utils::set_param ${f} spec.template.spec.affinity '{{ toYaml .Placement.Affinity | nindent 8 }}'
+ yaml-utils::set_param ${f} 'spec.template.metadata.annotations."openshift.io/required-scc"' '"bridge-marker"'
 yaml-utils::update_param ${f} spec.template.spec.tolerations '{{ toYaml .Placement.Tolerations | nindent 8 }}'
 yaml-utils::remove_single_quotes_from_yaml ${f}
 ;;
diff --git a/hack/components/bump-kube-secondary-dns.sh b/hack/components/bump-kube-secondary-dns.sh
index 08ed49f74..a901da93e 100755
--- a/hack/components/bump-kube-secondary-dns.sh
+++ b/hack/components/bump-kube-secondary-dns.sh
@@ -34,6 +34,7 @@ function __parametize_by_object() {
 yaml-utils::set_param ${f} spec.template.spec.nodeSelector '{{ toYaml .Placement.NodeSelector | nindent 8 }}'
 yaml-utils::set_param ${f} spec.template.spec.affinity '{{ toYaml .Placement.Affinity | nindent 8 }}'
 yaml-utils::set_param ${f} spec.template.spec.tolerations '{{ toYaml .Placement.Tolerations | nindent 8 }}'
+ yaml-utils::set_param ${f} 'spec.template.metadata.annotations."openshift.io/required-scc"' '"restricted-v2"'
 yaml-utils::remove_single_quotes_from_yaml ${f}
 ;;
 ./ServiceAccount_secondary.yaml)
diff --git a/hack/components/bump-kubemacpool.sh b/hack/components/bump-kubemacpool.sh
index 0c7fe864e..df82f9b42 100755
--- a/hack/components/bump-kubemacpool.sh
+++ b/hack/components/bump-kubemacpool.sh
@@ -69,6 +69,9 @@ metadata:
 namespace: system
 spec:
 template:
+ metadata:
+ annotations:
+ openshift.io/required-scc: "restricted-v2"
 spec:
 containers:
 - image: "{{ .KubeMacPoolImage }}"
@@ -95,6 +98,9 @@ metadata:
 namespace: system
 spec:
 template:
+ metadata:
+ annotations:
+ openshift.io/required-scc: "restricted-v2"
 spec:
 containers:
 - image: "{{ .KubeMacPoolImage }}"
diff --git a/hack/components/bump-kubevirt-ipam-controller.sh b/hack/components/bump-kubevirt-ipam-controller.sh
index 09a249205..2c7e93bfc 100755
--- a/hack/components/bump-kubevirt-ipam-controller.sh
+++ b/hack/components/bump-kubevirt-ipam-controller.sh
@@ -125,6 +125,10 @@ echo 'Adjust kubevirt-ipam-controller to CNAO'
 service.beta.openshift.io/serving-cert-secret-name: kubevirt-ipam-controller-webhook-service\
 {{ end }}' Service_kubevirt-ipam-controller-webhook-service.yaml
 
+ sed -i '/ kubectl.kubernetes.io\/default-container: manager/a\{{ if .IsOpenshift }}\
+ openshift.io/required-scc: "restricted-v2"\
+{{ end }}' Deployment_kubevirt-ipam-controller-manager.yaml
+
 echo 'rejoin sub-manifests to a final manifest'
 cat Namespace_kubevirt-ipam-controller-system.yaml \
 ServiceAccount_kubevirt-ipam-controller-manager.yaml \
@@ -144,6 +148,10 @@ echo 'Adjust kubevirt-ipam-controller to CNAO'
 sed -i '/containers:/i\{{ if .EnableSCC }}\
 serviceAccountName: passt-binding-cni\
 {{ end }}' 003-passtbindingcni.yaml
+
+ sed -i '/ description: passt-binding-cni installs passt binding CNI on cluster nodes/a\{{ if .EnableSCC }}\
+ openshift.io/required-scc: "passt-binding-cni"\
+{{ end }}' 003-passtbindingcni.yaml
 )
 
 echo 'Copy manifests'
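Review bot: The two `sed -i '/.../a\...'` additions in the bump-kubevirt-ipam-controller.sh hunks append the annotation after every line matching an unanchored basic regex in which `.` is a wildcard, and the appended text carries a fixed indent for the `openshift.io/required-scc` line; if the upstream manifest ever matches the pattern twice, or its `annotations:` block sits at a different depth, the result is a duplicated key or invalid YAML that only surfaces when the rendered template is parsed. Anchoring the first pattern to the exact line, e.g. `sed -i '/^ *kubectl\.kubernetes\.io\/default-container: manager$/a\...'`, narrows the match, and the `description:` pattern in the second hunk would benefit from the same `^ *` / `$` anchors and escaped dots. The same line is emitted with `yaml-utils::set_param` in the bridge-marker and kube-secondary-dns bump scripts; sed is presumably used here because the template conditional cannot be expressed through that helper, so a regenerate-and-diff against the committed data/ manifests is the practical check. The subshell closed by `)` in the second hunk opens outside it.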