Merge pull request #2211 from ibihim/ibihim/2025-02-25_validated-scc-type-annotation

openshift-merge-bot[bot] · web-flow · commit f587fb60f627 · 2025-03-03T10:48:11.000Z
security: add annotation for validated SCC type
diff --git a/security/v1/consts.go b/security/v1/consts.go
@@ -13,4 +13,9 @@ const (
 
 	// MinimallySufficientPodSecurityStandard indicates the PodSecurityStandard that matched the SCCs available to the users of the namespace.
 	MinimallySufficientPodSecurityStandard = "security.openshift.io/MinimallySufficientPodSecurityStandard"
+
+	// ValidatedSCCSubjectTypeAnnotation indicates the subject type that allowed the
+	// SCC admission. This can be used by controllers to detect potential issues
+	// between user-driven SCC usage and the ServiceAccount-driven SCC usage.
+	ValidatedSCCSubjectTypeAnnotation = "security.openshift.io/validated-scc-subject-type"
 )

Original file line number	Diff line number	Diff line change
`@@ -13,4 +13,9 @@ const (`
`13`	`13`
`14`	`14`	`// MinimallySufficientPodSecurityStandard indicates the PodSecurityStandard that matched the SCCs available to the users of the namespace.`
`15`	`15`	`MinimallySufficientPodSecurityStandard = "security.openshift.io/MinimallySufficientPodSecurityStandard"`
	`16`	`+`
	`17`	`+ // ValidatedSCCSubjectTypeAnnotation indicates the subject type that allowed the`
	`18`	`+ // SCC admission. This can be used by controllers to detect potential issues`
	`19`	`+ // between user-driven SCC usage and the ServiceAccount-driven SCC usage.`
	`20`	`+ ValidatedSCCSubjectTypeAnnotation = "security.openshift.io/validated-scc-subject-type"`
`16`	`21`	`)`