CNTRLPLANE-1544: scc: Grant authenticated users use of restricted-v3

[tchap]

Taking over #1935

There is a missing ClusterRoleBinding that should have been added with restricted-v3.

Related tests change: openshift/origin#30384

[openshift-ci-robot]

@tchap: This pull request references CNTRLPLANE-1544 which is a valid jira issue.

In response to this:

Taking over #1935

Related tests change: openshift/origin#30384

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Adds a new Kubernetes manifest file that creates a ClusterRoleBinding resource named system:openshift:scc:restricted-v3. The binding grants the restricted-v3 SCC ClusterRole to all authenticated subjects cluster-wide via RBAC configuration.

Changes

Cohort / File(s)	Summary
New SCC RBAC Manifest bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_crb-systemauthenticated-scc-restricted-v3.yaml	Adds ClusterRoleBinding resource (rbac.authorization.k8s.io/v1) assigning the system:openshift:scc:restricted-v3 ClusterRole to the system:authenticated group with management annotations.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The pull request title "scc: Grant authenticated users use of restricted-v3" is fully aligned with the changeset, which adds a new Kubernetes ClusterRoleBinding that assigns the restricted-v3 SCC (Security Context Constraint) role to the system:authenticated group. The title is concise, specific, and clearly conveys the primary change—granting authenticated users access to the restricted-v3 SCC. The Jira ticket reference (CNTRLPLANE-1544) adds additional context without hindering clarity.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Description Check	✅ Passed	The pull request description provided by the author directly relates to the changeset. The description explicitly states that "There is a missing ClusterRoleBinding that should have been added with restricted-v3," which accurately describes what the changeset accomplishes—adding a new ClusterRoleBinding manifest file for the restricted-v3 SCC. The description provides clear context about the purpose of the change and references related work, making it meaningful and relevant to the modifications in the pull request. The description is not vague or generic; it specifically identifies what was missing and what the change adds.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

@tchap: This PR was included in a payload test run from openshift/origin#30384
trigger 1 job(s) of type informing for the ci release of OCP 4.21

• periodic-ci-openshift-release-master-ci-4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/24061e10-adb2-11f0-8048-2ac9649c922f-0

[openshift-ci]

@tchap: it appears that you have attempted to use some version of the payload command, but your comment was incorrectly formatted and cannot be acted upon. See the docs for usage info.

[openshift-ci]

@tchap: it appears that you have attempted to use some version of the payload command, but your comment was incorrectly formatted and cannot be acted upon. See the docs for usage info.

[openshift-ci]

@tchap: This PR was included in a payload test run from openshift/origin#30384
trigger 1 job(s) of type informing for the ci release of OCP 4.21

• periodic-ci-openshift-release-master-ci-4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/d5531060-adb2-11f0-8c60-96d33e520b72-0

[openshift-ci]

@tchap: This PR was included in a payload test run from openshift/origin#30384
trigger 1 job(s) of type informing for the ci release of OCP 4.21

• periodic-ci-openshift-release-master-ci-4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/17c162d0-ae03-11f0-8b46-bf0a49a21fb2-0

[tchap]

/retest

[tchap]

/retest

[tchap]

/test e2e-gcp-operator

[openshift-ci]

@tchap: This PR was included in a payload test run from openshift/origin#30384
trigger 1 job(s) of type informing for the ci release of OCP 4.21

• periodic-ci-openshift-release-master-ci-4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/d96286a0-ae8d-11f0-83d9-75f13b671dcf-0

[tchap]

/test e2e-aws-ovn

[openshift-ci-robot]

@tchap: This pull request references CNTRLPLANE-1544 which is a valid jira issue.

In response to this:

Taking over #1935

There is a missing ClusterRoleBinding that should have been added with restricted-v3.

Related tests change: openshift/origin#30384

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@tchap: This pull request references CNTRLPLANE-1544 which is a valid jira issue.

In response to this:

Taking over #1935

There is a missing ClusterRoleBinding that should have been added with restricted-v3.

Related tests change: openshift/origin#30384

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ropatil010]

/retest

[tchap]

/payload-with-prs 4.21 ci informing openshift/origin#30384

[openshift-ci]

@tchap: trigger 1 job(s) of type informing for the ci release of OCP 4.21

• periodic-ci-openshift-release-master-ci-4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/b2df3500-af37-11f0-812a-d5b1ae1849ed-0

[tchap]

/retest

[tchap]

/verified by "[sig-auth][Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules"

[openshift-ci-robot]

@tchap: This PR has been marked as verified by "[sig-auth][Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules".

In response to this:

/verified by "[sig-auth][Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[benluddy]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: benluddy, tchap

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [benluddy]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tchap]

@haircommander Do we want to cherry-pick this to 4.20?

[haircommander]

Yeah I think so!
/cherry-pick release-4.20

[openshift-cherrypick-robot]

@haircommander: once the present PR merges, I will cherry-pick it on top of release-4.20 in a new PR and assign it to you.

In response to this:

Yeah I think so!
/cherry-pick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@tchap: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	3d6b08b	link	false	/test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[tchap]

@haircommander I guess we will also need to cherry-pick the test update in origin? See the PR description.

[openshift-cherrypick-robot]

@haircommander: new pull request created: #1950

In response to this:

Yeah I think so!
/cherry-pick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.