
Conversation

haircommander
Member

No description provided.


coderabbitai bot commented Oct 8, 2025

Walkthrough

Adds a new Kubernetes RBAC manifest that creates a ClusterRoleBinding named system:openshift:scc:restricted-v3 binding ClusterRole system:openshift:scc:restricted-v3 to the Group system:authenticated, with three metadata annotations.

Changes

Cohort / File(s): RBAC manifest addition
  bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_crb-systemauthenticated-scc-restricted-v3.yaml
Summary of modifications: Added a ClusterRoleBinding (apiVersion rbac.authorization.k8s.io/v1) binding ClusterRole system:openshift:scc:restricted-v3 to Group system:authenticated; added three metadata annotations (release/HA/single-node developer statuses).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Description Check | Status: ❓ Inconclusive
  Explanation: No description was provided in the pull request, leaving the reader without any context about the change, which makes it impossible to assess the relevance or details of the update.
  Resolution: Please add a brief description summarizing the change and its intent so reviewers can quickly understand the purpose of this update.
✅ Passed checks (2 passed)
Title Check | Status: ✅ Passed
  Explanation: The title succinctly describes the primary change by stating that the restricted-v3 SCC is now granted to all authenticated users, which directly matches the added ClusterRoleBinding targeting system:authenticated. It is concise, focuses on the main change, and avoids unnecessary details.
Docstring Coverage | Status: ✅ Passed
  Explanation: No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 48978cc and 721c337.

📒 Files selected for processing (1)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_crb-systemauthenticated-scc-restricted-v3.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_crb-systemauthenticated-scc-restricted-v3.yaml


@openshift-ci openshift-ci bot requested review from dinhxuanvu and vrutkovs October 8, 2025 13:23
Contributor

openshift-ci bot commented Oct 8, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: haircommander
Once this PR has been reviewed and has the lgtm label, please assign benluddy for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between d0c3849 and 48978cc.

📒 Files selected for processing (1)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_crb-systemauthenticated-scc-restricted-v3.yaml (1 hunks)
🔇 Additional comments (1)
bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_crb-systemauthenticated-scc-restricted-v3.yaml (1)

8-12: ClusterRole existence and unique binding verified – system:openshift:scc:restricted-v3 is defined and only referenced by a single ClusterRoleBinding; no duplicates found.

Comment on lines +13 to +16
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated

@coderabbitai coderabbitai bot Oct 8, 2025


⚠️ Potential issue | 🟠 Major

PR objective mismatch: unauthenticated group not granted.

Title/objective says to grant restricted-v3 to unauthenticated users, but the binding only targets system:authenticated. Add system:unauthenticated (or switch to it) to meet the objective. Safer: include both to avoid regressions.

Apply one of the following diffs.

Option A (add unauthenticated, keep authenticated):

 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
   name: system:authenticated
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:unauthenticated
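Review bot: the three `+` lines add `system:unauthenticated` as a second subject, which binds the SCC ClusterRole to anonymous API callers as well as authenticated ones; that is a wider grant than the restricted-v2 binding quoted later in this thread (subjects list only `system:authenticated`), and the PR title was subsequently changed to "all authenticated users", so this hunk should not be applied without an explicit reason for extending the SCC to unauthenticated principals.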

Option B (if intent is only unauthenticated):

 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
-  name: system:authenticated
+  name: system:unauthenticated
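Review bot: the `-`/`+` pair swaps `system:authenticated` for `system:unauthenticated`, which both removes the grant from every authenticated user and hands it to anonymous requests; since the thread settles on the authenticated-only intent (matching the restricted-v2 binding), this option contradicts the corrected objective and should be dropped.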

Optional: If you choose Option A, consider renaming the file to drop “systemauthenticated” from the filename for clarity.

Member Author


good catch robot. I am confused how restricted-v2 gets access to system:unauthenticated (I adapted this from the restricted-v2 one)


🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find all restricted-v2 ClusterRoleBinding manifests
echo "=== Finding restricted-v2 ClusterRoleBinding files ==="
fd -e yaml -e yml . bindata/bootkube/scc-manifests/ | xargs grep -l "restricted-v2" | head -20

echo -e "\n=== Examining restricted-v2 ClusterRoleBinding content ==="
fd -e yaml -e yml . bindata/bootkube/scc-manifests/ --exec grep -l "restricted-v2" | xargs cat

echo -e "\n=== Searching for any unauthenticated bindings to restricted SCCs ==="
rg -n "system:unauthenticated" bindata/bootkube/scc-manifests/

Length of output: 4967


🏁 Script executed:

#!/bin/bash
# Search entire repo for unauthenticated SCC bindings or related configuration
echo "=== Searching entire repo for system:unauthenticated references ==="
rg -n "system:unauthenticated" --type yaml

echo -e "\n=== Searching for restricted SCC with unauthenticated ==="
rg -n -B5 -A5 "restricted.*unauthenticated|unauthenticated.*restricted"

echo -e "\n=== Looking at PR description and related files ==="
# Check if there's a PR description file or related documentation
fd -e md README

echo -e "\n=== Checking for any default SCC assignments or documentation ==="
rg -n "default.*scc|scc.*default" --type md

echo -e "\n=== Looking for issue or enhancement references ==="
rg -n "OCPBUGS|JIRA|https://issues" bindata/bootkube/scc-manifests/

Length of output: 5193


🏁 Script executed:

#!/bin/bash
# Get PR description and details
gh pr view 1935 --json title,body,author,number

Length of output: 189


@haircommander You correctly adapted from restricted-v2! I found that the restricted-v2 ClusterRoleBinding also only grants access to system:authenticated:

# bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_crb-systemauthenticated-scc-restricted-v2.yaml
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated

So restricted-v2 does not grant unauthenticated users access either, based on the manifests in this repository.

Since your PR title says "give unauthenticated users access to restricted-v3", there's a mismatch:

  • PR objective: Grant access to unauthenticated users
  • Current implementation: Grants access to authenticated users only

To fix this, you'll need to decide:

  1. If the title is correct and you want unauthenticated users to have access, apply the bot's suggested Option A to add system:unauthenticated as an additional subject.
  2. If the title is incorrect and you only want authenticated users (matching restricted-v2), update the PR title to say "authenticated" instead of "unauthenticated".

Which approach matches your actual requirements?
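A small manifest lint, added here as an example and not part of this repository or CodeRabbit's tooling, that extracts the subjects and roleRef of a ClusterRoleBinding like the one under review and fails when an SCC ClusterRole is bound to the anonymous group. The manifests below are constructed to mirror the shape of the PR's file (annotations omitted) and the "Option A" variant; the awk parser assumes the flat list layout used by these manifests.

```shell
#!/bin/bash
# Constructed manifest in the shape of the PR's ClusterRoleBinding (not copied from the repo).
CRB_OK='apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:openshift:scc:restricted-v3
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:restricted-v3
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated'

# The same manifest with the "Option A" hunk applied: the anonymous group is added.
CRB_ANON="$CRB_OK
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated"

# Print the roleRef name of the manifest read from stdin.
crb_role() {
  awk '
    /^roleRef:/ { r = 1; next }
    r && /^[^ ]/ { r = 0 }            # next top-level key ends the roleRef block
    r && /^ +name:/ { print $NF }
  '
}

# Print "KIND NAME" for every entry of the subjects: list read from stdin.
# Assumption: one subject per "- " item, keys on their own lines (as in these manifests).
crb_subjects() {
  awk '
    /^subjects:/ { s = 1; next }
    s && /^[^ -]/ { s = 0 }           # next top-level key ends the list
    s && /^[ -]+kind:/ { kind = $NF }
    s && /^[ -]+name:/ { print kind, $NF }
  '
}

# Return 1 if any subject is the anonymous group, 0 otherwise.
check_no_anonymous_scc_grant() {
  crb_subjects | grep -Eq '^Group system:unauthenticated$' && return 1
  return 0
}

# Stand-alone usage: lint the "Option A" variant and report the bound role.
printf '%s\n' "$CRB_ANON" | check_no_anonymous_scc_grant \
  || echo "REJECT: $(printf '%s\n' "$CRB_ANON" | crb_role) bound to system:unauthenticated"
```

Run it over real files with `check_no_anonymous_scc_grant < manifest.yaml` in CI to catch an accidental widening before it reaches a cluster.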

@haircommander
Member Author

/hold

I'm trying to figure out how unauthenticated users get access to restricted-v2

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 8, 2025
@tchap

tchap commented Oct 9, 2025

I'm trying to figure out how unauthenticated users get access to restricted-v2

From what I understand, it's available to all authenticated users? At least that's mentioned in the docs.

@haircommander haircommander force-pushed the restricted-v3-unauthenticated branch from 48978cc to 721c337 Compare October 9, 2025 13:11
@haircommander haircommander changed the title scc: give unauthenticated users access to restricted-v3 scc: give all authenticated users access to restricted-v3 Oct 9, 2025
@haircommander
Member Author

🤦 right that's what we want

/unhold

this is ready, sorry for the noise

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 9, 2025
Contributor

openshift-ci bot commented Oct 9, 2025

@haircommander: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/e2e-aws-ovn | 721c337 | link | true | /test e2e-aws-ovn
ci/prow/okd-scos-e2e-aws-ovn | 721c337 | link | false | /test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
