@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
name: system:openshift:scc:restricted-v3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:restricted-v3
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
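Review bot: the subjects list (lines +13 to +16) binds only the system:authenticated group, which contradicts the PR title quoted in the discussion below ("give unauthenticated users access to restricted-v3"); either add a second Group subject for system:unauthenticated or fix the title before merging. Whichever way it is resolved, the decision should be recorded in the PR description, because binding an SCC to system:unauthenticated extends its use to anonymous API requests and reviewers of later bumps (restricted-v4 and so on) will copy this file the same way restricted-v2 was copied here.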
Comment on lines +13 to +16

@coderabbitai coderabbitai bot Oct 8, 2025

⚠️ Potential issue | 🟠 Major

PR objective mismatch: unauthenticated group not granted.

Title/objective says to grant restricted-v3 to unauthenticated users, but the binding only targets system:authenticated. Add system:unauthenticated (or switch to it) to meet the objective. Safer: include both to avoid regressions.

Apply one of the following diffs.

Option A (add unauthenticated, keep authenticated):

 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
   name: system:authenticated
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:unauthenticated

Option B (if intent is only unauthenticated):

 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
-  name: system:authenticated
+  name: system:unauthenticated

Optional: If you choose Option A, consider renaming the file to drop “systemauthenticated” from the filename for clarity.

Member Author

Good catch, robot. I am confused how restricted-v2 gets access to system:unauthenticated (I adapted this from the restricted-v2 one).

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find all restricted-v2 ClusterRoleBinding manifests
echo "=== Finding restricted-v2 ClusterRoleBinding files ==="
fd -e yaml -e yml . bindata/bootkube/scc-manifests/ | xargs grep -l "restricted-v2" | head -20

echo -e "\n=== Examining restricted-v2 ClusterRoleBinding content ==="
fd -e yaml -e yml . bindata/bootkube/scc-manifests/ --exec grep -l "restricted-v2" | xargs cat

echo -e "\n=== Searching for any unauthenticated bindings to restricted SCCs ==="
rg -n "system:unauthenticated" bindata/bootkube/scc-manifests/

🏁 Script executed:

#!/bin/bash
# Search entire repo for unauthenticated SCC bindings or related configuration
echo "=== Searching entire repo for system:unauthenticated references ==="
rg -n "system:unauthenticated" --type yaml

echo -e "\n=== Searching for restricted SCC with unauthenticated ==="
rg -n -B5 -A5 "restricted.*unauthenticated|unauthenticated.*restricted"

echo -e "\n=== Looking at PR description and related files ==="
# Check if there's a PR description file or related documentation
fd -e md README

echo -e "\n=== Checking for any default SCC assignments or documentation ==="
rg -n "default.*scc|scc.*default" --type md

echo -e "\n=== Looking for issue or enhancement references ==="
rg -n "OCPBUGS|JIRA|https://issues" bindata/bootkube/scc-manifests/

🏁 Script executed:

#!/bin/bash
# Get PR description and details
gh pr view 1935 --json title,body,author,number

@haircommander You correctly adapted from restricted-v2! I found that the restricted-v2 ClusterRoleBinding also only grants access to system:authenticated:

# bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_crb-systemauthenticated-scc-restricted-v2.yaml
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated

So restricted-v2 does not grant unauthenticated users access either, based on the manifests in this repository.

Since your PR title says "give unauthenticated users access to restricted-v3", there's a mismatch:

  • PR objective: Grant access to unauthenticated users
  • Current implementation: Grants access to authenticated users only

To fix this, you'll need to decide:

  1. If the title is correct and you want unauthenticated users to have access, apply the bot's suggested Option A to add system:unauthenticated as an additional subject.
  2. If the title is incorrect and you only want authenticated users (matching restricted-v2), update the PR title to say "authenticated" instead of "unauthenticated".

Which approach matches your actual requirements?
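A small pre-merge check for the question this thread turns on, added here as an example and not part of the PR or the operator repository: it lists the RBAC groups a ClusterRoleBinding manifest hands an SCC to and fails when system:unauthenticated is among them. It assumes the flat two-space YAML layout the scc-manifests use; the sample manifest below is constructed (the PR's binding with the bot's Option A applied).

```shell
#!/bin/sh
# Added example: audit which Group subjects an SCC ClusterRoleBinding binds,
# and flag the anonymous group. Assumes the simple YAML layout of the
# scc-manifests; not a general YAML parser.

# Constructed sample: the PR's binding with system:unauthenticated added.
SAMPLE_CRB='apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:openshift:scc:restricted-v3
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:restricted-v3
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated'

# bound_groups: read manifest text on stdin, print each Group subject name.
bound_groups() {
  awk '
    /^subjects:/ { in_subjects = 1; next }
    in_subjects && /^[^ -]/ { in_subjects = 0 }   # next top-level key ends the list
    in_subjects && /^[ -]*kind:/ { kind = $NF }
    in_subjects && /^[ -]*name:/ && kind == "Group" { print $NF; kind = "" }
  '
}

# check_anonymous: return 1 (with a warning) if the manifest binds the
# anonymous group, 0 otherwise. Argument: manifest text.
check_anonymous() {
  if printf '%s\n' "$1" | bound_groups | grep -qx 'system:unauthenticated'; then
    echo "WARN: binding grants the SCC to anonymous (system:unauthenticated) requests" >&2
    return 1
  fi
  return 0
}

# Stand-alone run: lists the groups, then applies the check to the sample.
printf '%s\n' "$SAMPLE_CRB" | bound_groups
check_anonymous "$SAMPLE_CRB" || echo "sample binds the anonymous group"
```

Run it over bindata/bootkube/scc-manifests/*.yaml in CI to make a binding to system:unauthenticated an explicit, reviewed decision rather than a copy-and-paste accident.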