Merge pull request #362 from tnierman/osd-28850

openshift-merge-bot[bot] · web-flow · commit 742fe1ed7033 · 2025-04-16T21:09:21.000Z
OSD-28850 - add the openshift-kube-apiserver-operator serviceaccount to the SCC allowlist
diff --git a/pkg/webhooks/scc/scc.go b/pkg/webhooks/scc/scc.go
@@ -36,6 +36,7 @@ var (
 		},
 	}
 	allowedUsers = []string{
+		"system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator",
 		"system:serviceaccount:openshift-monitoring:cluster-monitoring-operator",
 		"system:serviceaccount:openshift-cluster-version:default",
 		"system:admin",
diff --git a/pkg/webhooks/scc/scc_test.go b/pkg/webhooks/scc/scc_test.go
@@ -169,6 +169,14 @@ func TestUser(t *testing.T) {
 			userGroups:      []string{"system:authenticated", "system:serviceaccounts:osde2e-abcde"},
 			shouldBeAllowed: false,
 		},
+		{
+			targetSCC:       "anyuid",
+			testID:          "kube-apiserver-operator-allowed",
+			username:        "system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator",
+			operation:       admissionv1.Update,
+			userGroups:      []string{},
+			shouldBeAllowed: true,
+		},
 	}
 	runSCCTests(t, tests)
 }

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ var (`
`36`	`36`	`},`
`37`	`37`	`}`
`38`	`38`	`allowedUsers = []string{`
	`39`	`+ "system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator",`
`39`	`40`	`"system:serviceaccount:openshift-monitoring:cluster-monitoring-operator",`
`40`	`41`	`"system:serviceaccount:openshift-cluster-version:default",`
`41`	`42`	`"system:admin",`