WIP: CNTRLPLANE-3386: Required scc annotation checker updates

[liouk]

This PR does the following updates in the required-scc-annotation-checker monitor test:

1. Ignores runlevel and system namespaces instead of flaking
2. Removes list of pending namespaces; all remaining namespaces have been fixed, therefore we do not need to carry this exception mechanism any longer.

Summary by CodeRabbit

Summary by CodeRabbit

• Bug Fixes
  • Improved required-SCC monitoring test accuracy by refining namespace selection to skip managed/service, system, and run-level namespaces, reducing false positives.
  • Removed the previous special-case handling for namespaces related to pending SCC pinning, simplifying expected results and making the test outcomes more consistent.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[openshift-ci-robot]

@liouk: This pull request references CNTRLPLANE-3386 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.

Details

In response to this:

This PR does the following updates in the required-scc-annotation-checker monitor test:

1. Ignores CatalogSource pods. CatalogSource objects spawn a pod that serves operator metadata for OLM discovery purposes; however the API does not expose a way to configure pod template annotations. Therefore we have to ignore catalog sources from the required-scc invariant.
2. Ignores runlevel namespaces instead of flaking
3. Removes list of pending namespaces; all remaining namespaces have been fixed, therefore we do not need to carry this exception mechanism any longer.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

monitortest.go now centralizes namespace skipping in shouldSkipNamespace, applies that check in CollectData, and removes the extra successful JUnit entry that was previously added for skipped namespaces.

Changes

Required-SCC Monitor Filtering

Layer / File(s)	Summary
Namespace skip rules pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go	Removes the hardcoded pending-SCC namespace set and adds shouldSkipNamespace with checks for managed service namespaces, systemNamespaces, openshift.io/run-level, and namespace-name prefixes.
CollectData filtering pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go	Replaces inline namespace filtering with shouldSkipNamespace in CollectData and deletes the extra successful JUnit case for skipped namespaces.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title is clearly related to the main change and identifies the required SCC annotation checker updates.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PASS: The touched file has no Ginkgo It/Describe/Context/When titles; the changes are namespace filtering and JUnit case naming only.
Test Structure And Quality	✅ Passed	Not applicable: the change is a monitor analyzer, not Ginkgo test code, so the listed test-structure checks don’t apply.
Microshift Test Compatibility	✅ Passed	PASS: The only changed file is a monitor test helper; it adds no Ginkgo It/Describe/Context/When blocks and no unsupported MicroShift APIs.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Not a Ginkgo e2e test: the changed file is a monitor analyzer with no It/Describe/Context/When blocks or node-topology assumptions.
Topology-Aware Scheduling Compatibility	✅ Passed	Only a monitor test file changed; it filters namespaces/pods and adds no scheduling constraints, replicas, affinities, or node selectors.
Ote Binary Stdout Contract	✅ Passed	The PR only changes analyzer logic in a non-entrypoint file; no main/init/TestMain/RunSpecs setup or stdout-printing calls exist in the touched package.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PASS: The touched file is a monitor-test collector, not a new Ginkgo e2e test, and it adds no IPv4/external-network assumptions.
No-Weak-Crypto	✅ Passed	Touched file only updates namespace filtering; it imports no crypto packages and contains no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or secret/token comparisons.
Container-Privileges	✅ Passed	PR only changes a Go monitor test; no container/K8s manifests or privilege-related settings were introduced.
No-Sensitive-Data-In-Logs	✅ Passed	PASS: The only emitted messages are JUnit failure strings with pod/namespace/SCC names; no passwords, tokens, PII, or other sensitive data are logged.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: liouk
Once this PR has been reviewed and has the lgtm label, please assign smg247 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go`:
- Line 84: The pod filtering in CollectData only skips entire namespaces, so
CatalogSource-owned pods in allowed namespaces still reach the SCC validation
path. Update the pod-processing logic in CollectData to add an explicit owner
check for CatalogSource before calling the RequiredSCCAnnotation validation,
using the existing namespace skip helper and the pod iteration flow to keep the
exclusion at the pod level.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7d959271-f444-4097-bcc5-f7dc5f1c240e

📥 Commits

Reviewing files that changed from the base of the PR and between b9ff22b and 51eaa69.

📒 Files selected for processing (1)

• pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go

[coderabbitai]

🎯 Functional Correctness | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the required-scc monitor has an explicit CatalogSource pod exclusion.
# Expected: a match that skips/continues CatalogSource-owned pods before required SCC validation.
rg -n -C4 --type go 'CatalogSource|catalogsource|OwnerReference|ownerReferences|RequiredSCCAnnotation' pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go

Repository: openshift/origin

Length of output: 1589

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the monitor implementation around the validation loop and namespace skip logic.
sed -n '1,260p' pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go

Repository: openshift/origin

Length of output: 6351

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the monitor implementation around the validation loop and namespace skip logic.
sed -n '1,260p' pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go

Repository: openshift/origin

Length of output: 6351

---

Add a pod-level CatalogSource skip. CollectData only filters namespaces here; pods in included namespaces still go through the SCC checks, so CatalogSource-owned pods are not excluded. Add an explicit pod-owner check before validating RequiredSCCAnnotation.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go` at
line 84, The pod filtering in CollectData only skips entire namespaces, so
CatalogSource-owned pods in allowed namespaces still reach the SCC validation
path. Update the pod-processing logic in CollectData to add an explicit owner
check for CatalogSource before calling the RequiredSCCAnnotation validation,
using the existing namespace skip helper and the pod iteration flow to keep the
exclusion at the pod level.

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-ci]

@liouk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-serial-2of2	51eaa69	link	true	/test e2e-aws-ovn-serial-2of2
ci/prow/e2e-aws-ovn-fips	51eaa69	link	true	/test e2e-aws-ovn-fips
ci/prow/e2e-metal-ipi-ovn-ipv6	51eaa69	link	true	/test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-vsphere-ovn	51eaa69	link	true	/test e2e-vsphere-ovn
ci/prow/e2e-gcp-ovn	51eaa69	link	true	/test e2e-gcp-ovn
ci/prow/e2e-aws-ovn-serial-1of2	51eaa69	link	true	/test e2e-aws-ovn-serial-1of2

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.