
Conversation

@rhmdnd (Collaborator) commented Nov 7, 2025

4.20 ships with two new SCCs that allow additional capabilities. Let's
add them to the variable so we don't get false positives on scans
running on OCP 4.20.
@Vincent056 (Contributor) left a comment

/lgtm

@Anna-Koudelkova (Collaborator) commented Nov 7, 2025

Premerge verification passed on OCP 4.20 + CO 1.8.0 + content built from this PR 14104:

  1. Create ssb:

$ oc compliance bind -N ocp4 profile/ocp4-cis
Creating ScanSettingBinding ocp4
$ oc compliance bind -N upstream profile/upstream-ocp4-cis
Creating ScanSettingBinding upstream

  2. Wait for the scans to finish and check the results:

$ oc get suite
NAME       PHASE   RESULT
ocp4       DONE    NON-COMPLIANT
upstream   DONE    NON-COMPLIANT

$ oc get ccr | grep scc-limit-container-allowed-capabilities
ocp4-cis-scc-limit-container-allowed-capabilities                          FAIL     medium
upstream-ocp4-cis-scc-limit-container-allowed-capabilities                 PASS     medium

  3. Check the variable values:

$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex -ojsonpath='{.value}' -n openshift-compliance
^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$|^insights-runtime-extractor-scc$

$ oc get variable upstream-ocp4-var-sccs-with-allowed-capabilities-regex -ojsonpath='{.value}' -n openshift-compliance
^privileged$|^hostnetwork-v2$|^restricted-v2$|^restricted-v3$|^nonroot-v2$|^insights-runtime-extractor-scc|^nested-container$

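The following is an added example, not part of the verification above and not the ComplianceAsCode rule's own check logic. It evaluates the two variable values printed above against a constructed SCC inventory, under the assumption (taken from the PR description) that an SCC whose name matches the regex may grant extra capabilities and any other SCC with a non-empty allowedCapabilities is a finding. It also lists alternatives that lack a trailing `$`: the upstream value's `^insights-runtime-extractor-scc` alternative is one, so that alternative also matches any SCC name that merely begins with that prefix. The SCC names ending in `-custom` and `my-app-scc` are made up for the demonstration.

```python
import re
from typing import Dict, List

# The two variable values exactly as printed by the oc commands above.
OCP4_ALLOWED = (
    r"^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"
    r"|^insights-runtime-extractor-scc$"
)
UPSTREAM_ALLOWED = (
    r"^privileged$|^hostnetwork-v2$|^restricted-v2$|^restricted-v3$|^nonroot-v2$"
    r"|^insights-runtime-extractor-scc|^nested-container$"
)

# Constructed inventory: SCC name -> allowedCapabilities. Not taken from a
# real cluster; the *-custom entry and my-app-scc exist only to show how the
# regex treats names that are outside, or merely prefixed by, the allow-list.
SAMPLE_SCCS: Dict[str, List[str]] = {
    "restricted-v2": ["NET_BIND_SERVICE"],
    "privileged": ["*"],
    "nested-container": ["SETUID", "SETGID"],
    "insights-runtime-extractor-scc": ["SYS_PTRACE"],
    "insights-runtime-extractor-scc-custom": ["SYS_ADMIN"],
    "my-app-scc": ["NET_ADMIN"],
    "hostmount-anyuid": [],
}


def offending_sccs(sccs: Dict[str, List[str]], allowed_regex: str) -> List[str]:
    """Return SCC names that grant capabilities but are not allow-listed.

    Assumption (this example's, not the rule's verified logic): an SCC is
    exempt when its name matches the regex; every other SCC with a non-empty
    allowedCapabilities is reported. re.search is used so that each ^...$
    alternative behaves as a whole-name match, while an alternative without
    a trailing $ behaves as a prefix match.
    """
    pat = re.compile(allowed_regex)
    return sorted(name for name, caps in sccs.items() if caps and not pat.search(name))


def unanchored_alternatives(allowed_regex: str) -> List[str]:
    """Lint helper: alternatives lacking a trailing $ match any name with that prefix."""
    return [alt for alt in allowed_regex.split("|") if not alt.endswith("$")]


if __name__ == "__main__":
    for label, regex in (("ocp4", OCP4_ALLOWED), ("upstream", UPSTREAM_ALLOWED)):
        print(f"{label}: offending={offending_sccs(SAMPLE_SCCS, regex)}")
        print(f"{label}: unanchored={unanchored_alternatives(regex)}")
```

With the sample inventory, the ocp4 value reports nested-container (absent from that list) plus the two made-up SCCs, while the upstream value reports only my-app-scc, because nested-container is listed and the unanchored alternative swallows insights-runtime-extractor-scc-custom. That mirrors the FAIL/PASS split above in shape only; whether the real rule uses search or full-match semantics is not shown on this page, so treat the prefix behaviour as something to confirm against the rule source.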
@Anna-Koudelkova (Collaborator) left a comment

/lgtm

@openshift-ci bot commented Nov 7, 2025

@rhmdnd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-openshift-platform-compliance | ef522d8 | link | true | /test e2e-aws-openshift-platform-compliance |
| ci/prow/e2e-aws-openshift-node-compliance | ef522d8 | link | true | /test e2e-aws-openshift-node-compliance |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
