NO-JIRA: fix: add pod annotation: openshift.io/required-scc: hostaccess

[damdo]

The openshift.io/required-scc: hostaccess annotation should be set on
pods as required by the requiredSCCAnnotationChecker

more info on scc:

• https://github.com/openshift/openshift-docs/blob/72420d78d324c3088372ec7c508d933864181336/modules/security-context-constraints-requiring.adoc#L26
• https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/authentication_and_authorization/managing-pod-security-policies#security-context-constraints-about_configuring-internal-oauth

Summary by CodeRabbit

• Chores
  • Pod security constraint updated so scheduled pods now require the host-access SCC.
  • Operator granted the necessary binding to use the host-access SCC.
  • TLS secret mounting remains optional; no runtime behavior change.
  • Minor formatting cleanup (trailing newline) to manifest files.

[openshift-ci-robot]

@damdo: This pull request explicitly references no jira issue.

Details

In response to this:

The openshift.io/required-scc: restricted-v2 annotation should be set on
pods as required by the requiredSCCAnnotationChecker

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 6b41fff7-add1-4991-880e-620da1610b0e

📥 Commits

Reviewing files that changed from the base of the PR and between 7c4b24a and cd12828.

📒 Files selected for processing (2)

• manifests/0000_26_cloud-controller-manager-operator_02_rbac_operator.yaml
• manifests/0000_26_cloud-controller-manager-operator_11_deployment.yaml

---

Walkthrough

Added pod annotation openshift.io/required-scc: hostaccess to the cloud-controller-manager-operator Deployment template; preserved TLS secret volume optional: true and normalized EOF newline. Added a new ClusterRoleBinding that binds the operator ServiceAccount to system:openshift:scc:hostaccess.

Changes

Cohort / File(s)	Summary
Pod Security Annotation manifests/0000_26_cloud-controller-manager-operator_11_deployment.yaml	Added pod template metadata annotation openshift.io/required-scc: hostaccess. Kept TLS secret volume optional: true. Normalized trailing newline.
RBAC: ClusterRoleBinding Added manifests/0000_26_cloud-controller-manager-operator_02_rbac_operator.yaml	Added ClusterRoleBinding system:openshift:scc:hostaccess:cloud-controller-manager-operator binding openshift-cloud-controller-manager-operator/cluster-cloud-controller-manager ServiceAccount to ClusterRole system:openshift:scc:hostaccess (adds capability/release annotations).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 10

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a pod annotation for SCC hostaccess requirement, which is reflected in both the deployment annotation update and the new ClusterRoleBinding for hostaccess permissions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	PR only modifies YAML manifest files for Kubernetes deployment configuration and does not introduce or change any Ginkgo test definitions.
Test Structure And Quality	✅ Passed	Check is not applicable to this PR. The PR only modifies Kubernetes manifest YAML files with no changes to any Ginkgo test code.
Microshift Test Compatibility	✅ Passed	PR contains only Kubernetes manifest changes (YAML files) for deployment configuration and RBAC setup, with no new Ginkgo e2e tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The custom check for Single Node OpenShift (SNO) Test Compatibility is not applicable to this pull request. The PR modifies OpenShift manifest configuration files (YAML deployments and RBAC resources) to add security context constraint annotations and bindings, but does not add any new Ginkgo e2e tests. Since no test code is being added, there are no test assumptions to validate against SNO cluster requirements.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds SCC annotation and RBAC permissions without introducing scheduling constraints, node selectors, affinity rules, or topology-specific logic incompatible with SNO, Two-Node, or HyperShift deployments.
Ote Binary Stdout Contract	✅ Passed	The pull request only modifies Kubernetes manifest YAML files (deployment and RBAC configuration) and does not make any changes to Go source code. The OTE Binary Stdout Contract check applies to stdout writes in process-level Go code. Since there are no Go code changes, the check does not apply.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR modifies only Kubernetes YAML manifest files to add pod annotations and RBAC configurations. The custom check applies to new Ginkgo e2e tests in Go test code. Since this PR contains no new Ginkgo e2e tests or Go test code modifications, the check is not applicable and passes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign theobarberbany for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@manifests/0000_26_cloud-controller-manager-operator_11_deployment.yaml`:
- Line 24: The deployment's pod template annotation openshift.io/required-scc:
restricted-v2 is incompatible with the pod spec (it uses hostNetwork: true and
the hostPath volume host-etc-kube), so update the openshift.io/required-scc
annotation on the Deployment's pod template metadata to an SCC that allows
hostNetwork and/or hostPath (for example hostnetwork-v2 or hostaccess), or
alternatively remove hostNetwork: true and the hostPath volume from the Pod spec
(refer to the Deployment/pod template and the hostNetwork and host-etc-kube
hostPath entries to apply the appropriate change).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 8a033931-ca11-4061-9647-b70ec3add89e

📥 Commits

Reviewing files that changed from the base of the PR and between 9240e39 and 4c8864f.

📒 Files selected for processing (1)

• manifests/0000_26_cloud-controller-manager-operator_11_deployment.yaml

[damdo]

/hold

I think this might be a fair point: #450 (comment)

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@manifests/0000_26_cloud-controller-manager-operator_11_deployment.yaml`:
- Line 24: The PR title and manifest disagree: the annotation key
openshift.io/required-scc currently equals hostnetwork-v2 but the PR
title/description claim restricted-v2; either change the annotation value in the
Deployment manifest to restricted-v2 if that was intended (ensure compatibility
with prior review notes) or update the PR title and description to accurately
state hostnetwork-v2; locate the annotation entry openshift.io/required-scc in
the manifest and make the consistent change so code and PR metadata match.
- Line 24: The pod's annotation openshift.io/required-scc: hostnetwork-v2
conflicts with the pod's hostPath volume that mounts /etc/kubernetes (the
hostPath volume block and the container's volumeMount for /etc/kubernetes);
replace the SCC value with one that permits both hostNetwork and hostPath (e.g.,
hostaccess or hostmount-anyuid-v2) by updating the openshift.io/required-scc
annotation to that SCC name so admission will allow the hostPath mount while
preserving hostNetwork usage.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 63f79373-8e6c-4e4f-9c06-2c8b713f1f12

📥 Commits

Reviewing files that changed from the base of the PR and between 4c8864f and 95fba41.

📒 Files selected for processing (1)

• manifests/0000_26_cloud-controller-manager-operator_11_deployment.yaml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@manifests/0000_26_cloud-controller-manager-operator_11_deployment.yaml`:
- Line 24: The manifest sets openshift.io/required-scc: hostaccess for the pod
but no ClusterRoleBinding grants the ServiceAccount permission to use that SCC;
create a ClusterRoleBinding that binds the built-in SCC use role
(system:openshift:scc:hostaccess) to the ServiceAccount
cluster-cloud-controller-manager in the
openshift-cloud-controller-manager-operator namespace (i.e., bind
system:serviceaccount:openshift-cloud-controller-manager-operator:cluster-cloud-controller-manager
to system:openshift:scc:hostaccess) so the pod can pass SCC admission.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 42674bb1-911a-42ad-a89f-ff0df8fb4243

📥 Commits

Reviewing files that changed from the base of the PR and between 95fba41 and 7c4b24a.

📒 Files selected for processing (1)

• manifests/0000_26_cloud-controller-manager-operator_11_deployment.yaml

[openshift-ci]

@damdo: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[damdo]

/test ?

[openshift-ci]

@damdo: The following commands are available to trigger required jobs:

/test e2e-aws-ovn

/test e2e-aws-ovn-upgrade

/test fmt

/test images

/test lint

/test okd-scos-images

/test unit

/test vendor

/test verify-deps

/test vet

The following commands are available to trigger optional jobs:

/test e2e-aws-ovn-techpreview

/test e2e-azure-manual-oidc

/test e2e-azure-ovn

/test e2e-azure-ovn-upgrade

/test e2e-gcp-ovn

/test e2e-gcp-ovn-upgrade

/test e2e-ibmcloud-ovn

/test e2e-nutanix-ovn

/test e2e-openstack-ovn

/test e2e-vsphere-ovn

/test level0-clusterinfra-azure-ipi-proxy-tests

/test okd-scos-e2e-aws-ovn

/test regression-clusterinfra-vsphere-ipi-ccm

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-e2e-aws-ovn

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-e2e-aws-ovn-upgrade

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-fmt

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-images

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-level0-clusterinfra-azure-ipi-proxy-tests

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-lint

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-okd-scos-images

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-unit

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-vendor

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-verify-deps

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-vet

Details

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[damdo]

/unhold