kubevirt / hyperconverged-cluster-operator

72%

main: 77%

LAST BUILD ON BRANCH add_required_scc_annotation

branch: add_required_scc_annotation

CHANGE BRANCH

x

Reset

• add_required_scc_annotation
• 1.12_fix_ha_discovery
• 1.14_update_bump_bot_assignees
• 2.1_test
• CNV-50892
• CNV-55543
• CNV-56071
• CNV-56467-vmStateStorageClass-rwx-removal
• CNV-56467-vmStateStorageClass-rwx-removal-release-1.14
• CNV-56955
• CNV-59575
• CNV-61568
• CNV-62116
• CNV-64433
• InstancetypeReferencePolicy
• TerminationMessagePolicy
• aaq-reset
• add-alert-HCODICTWithNoSupportedArchitecture
• add-cluster-level-rbac-handlers
• add-liveUpdateConfiguration
• add-metric
• add-missing-ports-nob
• add-np-labels
• add-observability-controller-alerts
• add-sa-to-virt-dl
• add-sync-controller-image
• add-videoConfig-feature-to-hyper-converged
• add-wasp-related-monitoring
• add_alert_for_vms_with_deprecated_machine_type
• add_kmp_ranges_api
• alloc
• allow-running-smoke-on-4.18
• backport-3630
• backport-3630-1.13
• backport-3630-1.14
• backportf
• better-bump-kvci
• bump-deps-nightly
• bump-go-1.23
• bump-go-images-1.24
• bump-golang-1.24
• bump-golang.org/x/net
• bump-golang.org/x/net/html
• bump-golangci-lint
• bump-k8s-api-1.33
• bump-kubevirtci
• bump-linters
• bump-self-1.16
• bump-version-1.14.1
• bump-version-to-1.15
• bump_AAQ_v1.3.1_release-1.13
• bump_AAQ_v1.3.1_release-1.14
• bump_AAQ_v1.4.0_main
• bump_AAQ_v1.5.0_main
• bump_AAQ_v1.6.0_main
• bump_CDI_v1.18.0
• bump_CDI_v1.19.0
• bump_CDI_v1.20.1
• bump_CDI_v1.21.0
• bump_CDI_v1.22.0
• bump_CDI_v1.23.1
• bump_CDI_v1.23.2
• bump_CDI_v1.23.4
• bump_CDI_v1.23.5
• bump_CDI_v1.24.0
• bump_CDI_v1.24.1
• bump_CDI_v1.24.2
• bump_CDI_v1.25.0
• bump_CDI_v1.26.0
• bump_CDI_v1.26.1
• bump_CDI_v1.59.2_release-1.12
• bump_CDI_v1.60.5_release-1.13
• bump_CDI_v1.61.1_release-1.14
• bump_CDI_v1.61.2_main
• bump_CDI_v1.61.2_release-1.14
• bump_CDI_v1.61.4_main
• bump_CDI_v1.61.4_release-1.14
• bump_CDI_v1.61.5_main
• bump_CDI_v1.61.5_release-1.14
• bump_CDI_v1.62.0_main
• bump_CDI_v1.63.0-alpha.0_main
• bump_CNAO_v0.98.0
• bump_CSI_SNAPSHOT_v8.1.1_release-1.13
• bump_CSI_SNAPSHOT_v8.2.0_main
• bump_CSI_SNAPSHOT_v8.2.1_main
• bump_CSI_SNAPSHOT_v8.2.1_release-1.14
• bump_CSI_SNAPSHOT_v8.3.0_main
• bump_HPPO_v0.22.0_main
• bump_HPPO_v0.23.0_main
• bump_HPPO_v0.4.2
• bump_HPPO_v0.4.3
• bump_HPPO_v0.5.0
• bump_HPPO_v0.5.2
• bump_HPPO_v0.6.0
• bump_HPP_v0.22.0_main
• bump_HPP_v0.23.0_main
• bump_HPP_v0.5.1
• bump_KUBEVIRT_CONSOLE_PLUGIN_v4.18.0_main
• bump_KUBEVIRT_CONSOLE_PLUGIN_v4.19.0_main
• bump_KUBEVIRT_v0.29.0
• bump_KUBEVIRT_v0.30.0-rc.1
• bump_KUBEVIRT_v0.30.0-rc.2
• bump_KUBEVIRT_v0.30.1
• bump_KUBEVIRT_v0.30.2
• bump_KUBEVIRT_v0.30.3
• bump_KUBEVIRT_v0.31.0-rc.1
• bump_KUBEVIRT_v0.32.0-rc.2
• bump_KUBEVIRT_v0.33.0-rc.0
• bump_KUBEVIRT_v0.35.0-rc.0
• bump_KUBEVIRT_v0.36.0-rc.0
• bump_KUBEVIRT_v0.59.2_release-1.8
• bump_KUBEVIRT_v1.4.1_release-1.14
• bump_KUBEVIRT_v1.5.0-alpha.0_main
• bump_KUBEVIRT_v1.5.0-beta.0_main
• bump_KUBEVIRT_v1.5.0-rc.0_main
• bump_KUBEVIRT_v1.5.0-rc.1_main
• bump_KUBEVIRT_v1.5.0-rc.2_main
• bump_KUBEVIRT_v1.5.0_main
• bump_KUBEVIRT_v1.5.1_release-1.15
• bump_KUBEVIRT_v1.5.2_release-1.15
• bump_KUBEVIRT_v1.6.0-alpha.0_main
• bump_KUBEVIRT_v1.6.0-beta.0_main
• bump_KUBEVIRT_v1.6.0-rc.0_main
• bump_KUBEVIRT_v1.6.0-rc.1_main
• bump_KUBEVIRT_v1.6.0_main
• bump_KUBEVIRT_v1.6.1_release-1.16
• bump_KUBEVIRT_v1.7.0-alpha.0_main
• bump_LIVENESS_PROBE_v2.15.0_main
• bump_LIVENESS_PROBE_v2.17.0_main
• bump_NETWORK_ADDONS_0.37.0
• bump_NETWORK_ADDONS_0.38.0
• bump_NETWORK_ADDONS_0.39.0
• bump_NETWORK_ADDONS_0.39.2
• bump_NETWORK_ADDONS_0.40.0
• bump_NETWORK_ADDONS_0.41.0
• bump_NETWORK_ADDONS_v0.100.0-rc0_main
• bump_NETWORK_ADDONS_v0.100.0-rc1_main
• bump_NETWORK_ADDONS_v0.100.0_main
• bump_NETWORK_ADDONS_v0.100.1_main
• bump_NETWORK_ADDONS_v0.100.2_main
• bump_NETWORK_ADDONS_v0.42.1
• bump_NETWORK_ADDONS_v0.42.2
• bump_NETWORK_ADDONS_v0.42.3
• bump_NETWORK_ADDONS_v0.42.4
• bump_NETWORK_ADDONS_v0.97.0_main
• bump_NETWORK_ADDONS_v0.97.4_release-1.14
• bump_NETWORK_ADDONS_v0.97.5_release-1.14
• bump_NETWORK_ADDONS_v0.97.6_release-1.14
• bump_NETWORK_ADDONS_v0.98.1_main
• bump_NETWORK_ADDONS_v0.98.2_main
• bump_NETWORK_ADDONS_v0.99.0_main
• bump_NETWORK_ADDONS_v0.99.1_main
• bump_NMO_v0.7.0
• bump_NODE_DRIVER_REG_v2.13.0_main
• bump_NODE_DRIVER_REG_v2.14.0_main
• bump_SSP_v0.22.1_main
• bump_SSP_v0.22.2_main
• bump_SSP_v0.22.2_release-1.14
• bump_SSP_v0.22.3_main
• bump_SSP_v0.22.3_release-1.14
• bump_SSP_v0.23.0_main
• bump_SSP_v0.23.1_main
• bump_SSP_v0.23.1_release-1.15
• bump_SSP_v0.24.0-alpha.0_main
• bump_SSP_v0.24.0_main
• bump_SSP_v0.24.1_main
• bump_SSP_v0.24.1_release-1.16
• bump_SSP_v1.0.32
• bump_SSP_v1.0.36
• bump_SSP_v1.0.37
• bump_SSP_v1.2.0
• bump_VM_IMPORT_v0.0.3
• bump_VM_IMPORT_v0.0.4
• bump_VM_IMPORT_v0.1.0
• bump_cdi_1.61.1_main
• bump_cnao_0391
• bump_hco_to_v1.17.0
• bump_k8s_0.32
• cherry-pick-3155-to-release-1.13
• cherry-pick-3174-to-release-1.13
• cherry-pick-3186-to-release-1.13
• cherry-pick-3211-to-release-1.12
• cherry-pick-3211-to-release-1.13
• cherry-pick-3219-to-release-1.13
• cherry-pick-3220-to-release-1.14
• cherry-pick-3242-to-release-1.14
• cherry-pick-3245-to-release-1.14
• cherry-pick-3249-to-release-1.14
• cherry-pick-3262-to-release-1.14
• cherry-pick-3272-to-1.14
• cherry-pick-3283-to-release-1.14
• cherry-pick-3289-to-release-1.14
• cherry-pick-3291-to-release-1.13
• cherry-pick-3332-to-release-1.14
• cherry-pick-3360-to-release-1.14
• cherry-pick-3379-to-release-1.13
• cherry-pick-3379-to-release-1.14
• cherry-pick-3385-1.13
• cherry-pick-3476-to-release-1.15
• cherry-pick-3482-to-release-1.15
• cherry-pick-3494-to-release-1.13
• cherry-pick-3494-to-release-1.14
• cherry-pick-3494-to-release-1.15
• cherry-pick-3512-to-release-1.14
• cherry-pick-3512-to-release-1.15
• cherry-pick-3533-to-release-1.14
• cherry-pick-3533-to-release-1.15
• cherry-pick-3554-to-release-1.15
• cherry-pick-3570-to-release-1.15
• cherry-pick-3592-to-release-1.15
• cherry-pick-3647-to-release-1.14
• cherry-pick-3647-to-release-1.15
• cherry-pick-3736-to-release-1.16
• cherry-pick-3744-to-release-1.16
• cherry-pick-3753-to-release-1.16
• cherry-pick-3764-to-release-1.16
• cherry-pick-3766-to-release-1.16
• cherrypick_3294_to_release_1.14
• chore-refactorings
• cleanup-upgrade
• cli-dl-health
• cna-def-net-nad
• cnao-in-nightly
• cnv-65873
• common-instancetypes-config
• common-instancetypes-config-release-1.14
• create-nightly-floating-tag
• customize-dl-link
• debug-e2e-alerts
• debug-flacky-test
• debug-flaky
• debug-kv-1.6.0
• debug_kv_1.6
• declarative-hotplug
• default_eviction_strategy_none_for_arm_clusters
• defaults/adapt-completionTimeoutPerGiB-to-kubevirt
• dependabot/go_modules/github.com/docker/docker-28.3.3incompatible
• dependabot/go_modules/github.com/golang-jwt/jwt/v5-5.2.2
• dependabot/go_modules/tools/release-notes/git/golang.org/x/crypto-0.31.0
• dependabot/go_modules/tools/release-notes/github.com/cloudflare/circl-1.6.1
• dependabot/go_modules/tools/release-notes/github.com/golang/glog-1.2.4
• dependabot/go_modules/tools/release-notes/golang.org/x/net-0.36.0
• dependabot/go_modules/tools/release-notes/golang.org/x/net-0.38.0
• dependabot/pip/tools/k8s-label-visualizer/requests-2.32.4
• dependabot/pip/tools/k8s-label-visualizer/urllib3-2.5.0
• deploy-wasp-agent-refactored
• descheduler_profile
• dict-arch-annotation-tool
• doc-multi-arch
• docker1
• drop_tls13_workaround
• dump-np-with-crd
• dump-py-deps
• dv_gc_deprecate
• e2e-alert-to
• e2e-dict-cleanup
• e2e-node-archs
• enable_cdi_webhook_pvc_rendering_featuregate
• enabled-bare-return
• fake-please-ignore
• fix--hco-health-metric
• fix-CNV-62721
• fix-CVE-2024-21626
• fix-CVE-2025-22870
• fix-assignees-in-action
• fix-bug-in-bearer-secret
• fix-bump-bot
• fix-bundle-issue
• fix-ci
• fix-ci-aws
• fix-community-release
• fix-delete-ssp
• fix-dict-annotation
• fix-disable-nic-alert
• fix-docgen
• fix-e2e-alertmanager
• fix-flacky
• fix-flaky
• fix-flaky-test
• fix-functest-flakiness
• fix-ha
• fix-hc-predicate
• fix-json
• fix-log
• fix-monitoring-functest
• fix-multi-arch-build
• fix-multi-arch-image-build
• fix-multi-arch-images
• fix-multi-archs-api
• fix-nightly
• fix-non-stand-alone-unit-tests
• fix-np-label
• fix-os-nightly
• fix-override-bot
• fix-publish-community
• fix-publish-job
• fix-push-artifacts-server-target
• fix-quantity-bug
• fix-rn-dependencies
• fix-script-name
• fix-time-slack
• fix-upgrade-test
• fix-wasp-alert
• fix-wh-metrics
• fix3360
• fix_HCOOperatorConditionsUnhealthy_alert
• fix_cert
• fix_infra_ha_no_masters
• fix_ingress_controller
• fix_ui_ipv6_singlestack
• force-recreate-metrics-endpoint-secret
• golangci-lint-v2
• golden-images-multi-arch
• improve-json-patch
• improve-slack-msg
• integration
• label-reconcile
• main
• main-fix-publish-job
• master
• metrics-port-8443
• minor_fix_3219
• move-DeployVMConsoleProxy-fg
• move-enableCommonBootImageImport-fg
• multi-arch-images
• mv-EnableApplicationAwareQuota
• mv-deployKubeSecondaryDNS
• mv-nightly-to-kubevirt-repo
• new-metric-multi-arch
• node-arches
• nodeplacement_no_masters
• np-in-manifests
• passt
• passtFG
• passtRefactor
• passt_e2e
• passt_with_ns
• patch-6
• pr-desc-for-bump-kvci
• pre-compute-crd
• prepare-image-url-params-for-wasp
• prepare_version_1.15.3
• r.15-fix-disable-nic-alert
• r1.10-add-avlitman
• r1.11-add-avlitman
• r1.12-remove-aadmi
• r1.13-fix-disable-nic-alert
• r1.14-fix-disable-nic-alert
• r1.14-fix-monitoring-linter
• r1.14_add_required_scc_annotation
• r1.15-revert-mv-deployKubeSecondaryDNS
• r1.8-add-avlitman
• r1.9-add-avlitman
• r110-bump-golang.org/x/net/html
• r111-allow-custom-labels-pc
• r111-bump-golang.org/x/net/html
• r112-allow-custom-labels-pc
• r112-bump-golang.org/x/net/html
• r113-bump-golang.org/x/net/html
• r113-fix-CVE-2025-30204
• r113-fix-ha
• r114-add-missing-upgrade-patch
• r114-bump_cnao_0.97.3
• r114-fix-CVE-2025-30204
• r114-fix-multi-arch
• r114-fix-publish-community
• r114-fix-sanity
• r114-multi-arch
• r115-fix-publish-community
• r115-fix-wh-metrics
• r116-bump_AAQ_v1.6.0
• r13_remove_old_ssp_apiversion_crd
• r18-bump-golang.org/x/net/html
• r19-bump-golang.org/x/net/html
• re-enable-vm-console-log
• re-revive
• readd-health-metric-test
• redeploy-pods
• refactor-operands
• release-0.4
• release-1.0
• release-1.1
• release-1.1.0
• release-1.10
• release-1.11
• release-1.12
• release-1.13
• release-1.14
• release-1.15
• release-1.15-bump-to-v1.15.2
• release-1.16
• release-1.2
• release-1.4
• release-1.5
• release-1.6
• release-1.7
• release-1.8
• release-1.9
• release-2.1
• release-2.2
• release-2.3
• release-2.4
• release-4.2
• release-4.3
• release-4.4
• release-4.5
• release-4.6
• release-4.7
• release-4.8
• rem_fg
• remove-cert-check-from-functests
• remove-deprecated-kv-fg
• remove-obselete-iss
• remove-operator-np
• remove-rwx-storage-class-line-main
• remove-sa-cert-usage-from-func-tests
• remove_old_ssp_apiversion_crd
• removelimitgate
• rename-passt-annotation
• renovate/go-github.com-cloudflare-circl-vulnerability
• renovate/go-github.com-docker-docker-vulnerability
• renovate/go-golang.org-x-oauth2-vulnerability
• renovate/main-go-golang.org-x-oauth2-vulnerability
• renovate/pypi-requests-vulnerability
• renovate/pypi-urllib3-vulnerability
• renovate/release-1.10-go-github.com-containers-image-v5-vulnerability
• renovate/release-1.10-go-github.com-docker-docker-vulnerability
• renovate/release-1.10-go-github.com-go-git-go-git-v5-vulnerability
• renovate/release-1.10-go-github.com-golang-glog-vulnerability
• renovate/release-1.10-go-github.com-opencontainers-runc-vulnerability
• renovate/release-1.10-go-github.com-u-root-u-root-vulnerability
• renovate/release-1.10-go-golang.org-x-crypto-vulnerability
• renovate/release-1.10-go-google.golang.org-protobuf-vulnerability
• renovate/release-1.10-pypi-certifi-vulnerability
• renovate/release-1.10-pypi-idna-vulnerability
• renovate/release-1.10-pypi-requests-vulnerability
• renovate/release-1.10-pypi-urllib3-vulnerability
• renovate/release-1.11-go-github.com-containers-image-v5-vulnerability
• renovate/release-1.11-go-github.com-docker-docker-vulnerability
• renovate/release-1.11-go-github.com-go-git-go-git-v5-vulnerability
• renovate/release-1.11-go-github.com-opencontainers-runc-vulnerability
• renovate/release-1.11-go-golang.org-x-crypto-vulnerability
• renovate/release-1.11-go-google.golang.org-protobuf-vulnerability
• renovate/release-1.11-pypi-idna-vulnerability
• renovate/release-1.11-pypi-requests-vulnerability
• renovate/release-1.12-go-github.com-containers-image-v5-vulnerability
• renovate/release-1.12-go-github.com-docker-docker-vulnerability
• renovate/release-1.12-go-github.com-go-git-go-git-v5-vulnerability
• renovate/release-1.12-go-github.com-golang-glog-vulnerability
• renovate/release-1.12-go-github.com-opencontainers-runc-vulnerability
• renovate/release-1.12-go-golang.org-x-crypto-vulnerability
• renovate/release-1.12-pypi-requests-vulnerability
• renovate/release-1.12-pypi-urllib3-vulnerability
• renovate/release-1.13-go-github.com-go-git-go-git-v5-vulnerability
• renovate/release-1.13-go-golang.org-x-crypto-vulnerability
• renovate/release-1.14-go-github.com-go-git-go-git-v5-vulnerability
• renovate/release-1.14-go-golang.org-x-crypto-vulnerability
• restore-dep-fgs
• retry-push
• retry-retag
• revert-310-drop_v2v_2.1
• revert-3525-bump_KUBEVIRT_v1.6.0-beta.0_main
• revert-429-gen-changed-predicate
• revert-466-ssp_v1.0.22
• revert-524-kv-pc
• revert-583-no_kubevirtnodelabellerbundles_ssp
• revert-mv-deployKubeSecondaryDNS
• revert/eviction_strategy_none_arm
• revert_passt
• rm-depracated-fg
• rm-ga-net-fg
• rm-mtq-crd
• rm-old-flags
• sanity-action
• secure-execution-gate
• set-kv-MultiArchitecture-fg
• set-multi-arch-fields-in-ssp
• set_cpumodel_upgrade_test
• skip_observability_tests_if_no_preconditions
• slack-bot
• split-crd-validation
• split-ha-from-cluster-info
• ssp-api-v1beta3
• stop-use-real-files-inunittests
• streaming
• sync-once-tests
• ui-network-policies
• update-NodeNetworkInterfaceDown-expression
• update-image-digests
• update_component_graphs
• upstream/bump_CDI_v1.20.1
• use-official-coveralls-action
• use-operator-observability-toolkit
• v0.0.4
• v0.3.0
• v0.3.1
• v0.4.0
• v1.0.0
• v1.1.0
• v1.2.0
• validate_bundles_remove_sudo

Build # 13107858167

Build Type

Pull #3284

github

Committed by orenc1

Commit Message

Add 'openshift.io/required-scc' annotation to pods

The OpenShift API dictates that a workload should require an SCC by using the  annotation:
https://docs.openshift.com/container-platform/4.17/authentication/managing-security-context-constraints.html#security-context-constraints-requiring_configuring-internal-oauth

'required-scc' prevents customers (or other extension provided) SCCs from being auto-selected by pods. The auto selection can fail in multiple ways: not enough permissions, changes of UID. When combined with pod security admission (on in new clusters in 4.19), this can result in SCCs being selected based on RBAC permissions that violate PSA and results in pods not running.

Signed-off-by: Oren Cohen <ocohen@redhat.com>

# Conflicts:
#	deploy/olm-catalog/community-kubevirt-hyperconverged/1.15.0/manifests/kubevirt-hyperconverged-operator.v1.15.0.clusterserviceversion.yaml

# Conflicts:
#	deploy/olm-catalog/community-kubevirt-hyperconverged/1.15.0/manifests/kubevirt-hyperconverged-operator.v1.15.0.clusterserviceversion.yaml

Pull Request Pull Request #3284: Add `openshift.io/required-scc` annotation to pods

Run Details

3 of 4 new or added lines in 2 files covered. (75.0%)

1 existing line in 1 file now uncovered.

6160 of 8565 relevant lines covered (71.92%)

0.79 hits per line