security: add annotation for validated SCC type

ibihim · ibihim · commit 09148e885d78 · 2025-02-27T09:18:19.000+01:00
An SCC is being assigned to a workload based on the capabilities the
ServiceAccount or user has. To distinct, against whom this was validated
against, this annotation is being introduced.
diff --git a/security/v1/consts.go b/security/v1/consts.go
@@ -13,4 +13,9 @@ const (
 
 	// MinimallySufficientPodSecurityStandard indicates the PodSecurityStandard that matched the SCCs available to the users of the namespace.
 	MinimallySufficientPodSecurityStandard = "security.openshift.io/MinimallySufficientPodSecurityStandard"
+
+	// ValidatedSCCSubjectTypeAnnotation indicates the subject type that allowed the
+	// SCC admission. This can be used by controllers to detect potential issues
+	// between user-driven SCC usage and the ServiceAccount-driven SCC usage.
+	ValidatedSCCSubjectTypeAnnotation = "security.openshift.io/validated-scc-subject-type"
 )

Original file line number	Diff line number	Diff line change
`@@ -13,4 +13,9 @@ const (`
`13`	`13`
`14`	`14`	`// MinimallySufficientPodSecurityStandard indicates the PodSecurityStandard that matched the SCCs available to the users of the namespace.`
`15`	`15`	`MinimallySufficientPodSecurityStandard = "security.openshift.io/MinimallySufficientPodSecurityStandard"`
	`16`	`+`
	`17`	`+ // ValidatedSCCSubjectTypeAnnotation indicates the subject type that allowed the`
	`18`	`+ // SCC admission. This can be used by controllers to detect potential issues`
	`19`	`+ // between user-driven SCC usage and the ServiceAccount-driven SCC usage.`
	`20`	`+ ValidatedSCCSubjectTypeAnnotation = "security.openshift.io/validated-scc-subject-type"`
`16`	`21`	`)`