Merge pull request #299 from cblecker/remove-scc-osde2e

openshift-merge-bot[bot] · web-flow · commit 631247e12dec · 2024-05-14T15:40:38.000Z
Remove osde2e exception from modifying SCCs
diff --git a/pkg/webhooks/scc/scc.go b/pkg/webhooks/scc/scc.go
@@ -3,7 +3,6 @@ package scc
 import (
 	"fmt"
 	"net/http"
-	"regexp"
 	"slices"
 
 	securityv1 "github.com/openshift/api/security/v1"
@@ -41,8 +40,8 @@ var (
 		"system:serviceaccount:openshift-cluster-version:default",
 		"system:admin",
 	}
-	allowedGroupsRe = regexp.MustCompile("^system:serviceaccounts:osde2e-(h-)?[a-z0-9]{5}")
-	defaultSCCs     = []string{
+	allowedGroups = []string{}
+	defaultSCCs   = []string{
 		"anyuid",
 		"hostaccess",
 		"hostmount-anyuid",
@@ -126,8 +125,8 @@ func isAllowedUserGroup(request admissionctl.Request) bool {
 		return true
 	}
 
-	for _, group := range request.UserInfo.Groups {
-		if allowedGroupsRe.Match([]byte(group)) {
+	for _, group := range allowedGroups {
+		if slices.Contains(request.UserInfo.Groups, group) {
 			return true
 		}
 	}
diff --git a/pkg/webhooks/scc/scc_test.go b/pkg/webhooks/scc/scc_test.go
@@ -79,7 +79,7 @@ func runSCCTests(t *testing.T, tests []sccTestSuites) {
 		}
 	}
 }
-func TestUserNegative(t *testing.T) {
+func TestUser(t *testing.T) {
 	tests := []sccTestSuites{
 		{
 			targetSCC:       "hostnetwork",
@@ -121,12 +121,6 @@ func TestUserNegative(t *testing.T) {
 			userGroups:      []string{"system:authenticated", "system:authenticated:oauth"},
 			shouldBeAllowed: false,
 		},
-	}
-	runSCCTests(t, tests)
-}
-
-func TestUserPositive(t *testing.T) {
-	tests := []sccTestSuites{
 		{
 			targetSCC:       "testscc",
 			testID:          "user-can-modify-normal",
@@ -169,11 +163,11 @@ func TestUserPositive(t *testing.T) {
 		},
 		{
 			targetSCC:       "privileged",
-			testID:          "osde2e-serviceaccounts-are-allowed",
+			testID:          "osde2e-serviceaccounts-are-not-allowed",
 			username:        "system:serviceaccount:osde2e-abcde:osde2e-runner",
 			operation:       admissionv1.Update,
 			userGroups:      []string{"system:authenticated", "system:serviceaccounts:osde2e-abcde"},
-			shouldBeAllowed: true,
+			shouldBeAllowed: false,
 		},
 	}
 	runSCCTests(t, tests)

Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ func runSCCTests(t *testing.T, tests []sccTestSuites) {`
`79`	`79`	`}`
`80`	`80`	`}`
`81`	`81`	`}`
`82`		`-func TestUserNegative(t *testing.T) {`
	`82`	`+func TestUser(t *testing.T) {`
`83`	`83`	`tests := []sccTestSuites{`
`84`	`84`	`{`
`85`	`85`	`targetSCC: "hostnetwork",`
`@@ -121,12 +121,6 @@ func TestUserNegative(t *testing.T) {`
`121`	`121`	`userGroups: []string{"system:authenticated", "system:authenticated:oauth"},`
`122`	`122`	`shouldBeAllowed: false,`
`123`	`123`	`},`
`124`		`- }`
`125`		`- runSCCTests(t, tests)`
`126`		`-}`
`127`		`-`
`128`		`-func TestUserPositive(t *testing.T) {`
`129`		`- tests := []sccTestSuites{`
`130`	`124`	`{`
`131`	`125`	`targetSCC: "testscc",`
`132`	`126`	`testID: "user-can-modify-normal",`
`@@ -169,11 +163,11 @@ func TestUserPositive(t *testing.T) {`
`169`	`163`	`},`
`170`	`164`	`{`
`171`	`165`	`targetSCC: "privileged",`
`172`		`- testID: "osde2e-serviceaccounts-are-allowed",`
	`166`	`+ testID: "osde2e-serviceaccounts-are-not-allowed",`
`173`	`167`	`username: "system:serviceaccount:osde2e-abcde:osde2e-runner",`
`174`	`168`	`operation: admissionv1.Update,`
`175`	`169`	`userGroups: []string{"system:authenticated", "system:serviceaccounts:osde2e-abcde"},`
`176`		`- shouldBeAllowed: true,`
	`170`	`+ shouldBeAllowed: false,`
`177`	`171`	`},`
`178`	`172`	`}`
`179`	`173`	`runSCCTests(t, tests)`