OCPBUGS-62799: Add required-scc annotation to node-joiner pod #2230

Open
cetinerdev wants to merge 1 commit into openshift:main from cetinerdev:custom-scc-prevention

Conversation

@cetinerdev

When a third-party SCC (e.g. Pure Storage CSI) with readOnlyRootFilesystem: true and higher priority is broadly accessible via RBAC, the SCC admission controller may assign it to the node-joiner pod instead of restricted-v2. This causes the node-joiner tool to fail with 'read-only file system' errors when writing to /tmp.

Adding the openshift.io/required-scc annotation ensures restricted-v2 is always assigned regardless of other SCCs' priority or restrictiveness, as required by the custom SCC preemption prevention enhancement:
https://github.com/openshift/enhancements/blob/master/enhancements/authentication/custom-scc-preemption-prevention.md

…ent third-party SCC interference

When a third-party SCC (e.g. Pure Storage CSI) with readOnlyRootFilesystem: true
and higher priority is broadly accessible via RBAC, the SCC admission controller
may assign it to the node-joiner pod instead of restricted-v2. This causes the
node-joiner tool to fail with 'read-only file system' errors when writing to /tmp.

Adding the openshift.io/required-scc annotation ensures restricted-v2 is always
assigned regardless of other SCCs' priority or restrictiveness, as required by
the custom SCC preemption prevention enhancement:
https://github.com/openshift/enhancements/blob/master/enhancements/authentication/custom-scc-preemption-prevention.md
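The selection behaviour described in the PR description and commit message above can be made concrete with a small model. The following Go program is an added example written for this page; it is not code from the openshift/oc repository or from the PR. It assumes a simplified SCC selection rule (highest priority first, then the more restrictive SCC, then name, among the SCCs the pod's service account may use) and a constructed pair of SCCs named `restricted-v2` and `third-party-csi`; the types `SCC`, `Pod` and the functions `NewNodeJoinerPod`, `HasRequiredSCC`, `SelectSCC` and `SampleSCCs` are inventions for the example. It shows the preemption the bug report describes (the broadly usable, higher-priority, read-only-root SCC wins) and how pinning the pod with `openshift.io/required-scc: restricted-v2` removes that choice, including the rejection case when the pinned SCC is unavailable.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Annotation key and value from the PR; the SCC admission plugin honours
// the key under the custom SCC preemption prevention enhancement.
const (
	RequiredSCCAnnotation = "openshift.io/required-scc"
	RestrictedV2          = "restricted-v2"
)

// SCC is a simplified model of a SecurityContextConstraints object
// (assumption: only the fields that matter for selection are kept).
type SCC struct {
	Name                   string
	Priority               int32 // higher priority is considered first
	ReadOnlyRootFilesystem bool
	Restrictiveness        int  // constructed score: higher means more restrictive
	Usable                 bool // true when RBAC lets the pod's service account use it
}

// Pod is a constructed stand-in for the metadata of a corev1.Pod.
type Pod struct {
	Name        string
	Annotations map[string]string
}

// NewNodeJoinerPod builds pod metadata the way the PR does: the
// required-scc annotation pins the pod to restricted-v2.
func NewNodeJoinerPod(name string) Pod {
	return Pod{
		Name:        name,
		Annotations: map[string]string{RequiredSCCAnnotation: RestrictedV2},
	}
}

// HasRequiredSCC mirrors the PR's test case: it reports whether the pod
// pins exactly the named SCC.
func HasRequiredSCC(p Pod, scc string) bool {
	return p.Annotations[RequiredSCCAnnotation] == scc
}

// SelectSCC models the admission decision (simplified). Without the
// annotation the usable SCCs are ordered by priority, restrictiveness and
// name, and the first wins, so a broadly usable high-priority SCC preempts
// restricted-v2. With the annotation only the named SCC is a candidate and
// the pod is rejected if that SCC is missing or not usable.
func SelectSCC(p Pod, sccs []SCC) (SCC, error) {
	if required, ok := p.Annotations[RequiredSCCAnnotation]; ok {
		for _, s := range sccs {
			if s.Name == required {
				if !s.Usable {
					return SCC{}, fmt.Errorf("pod %q requires SCC %q but may not use it", p.Name, required)
				}
				return s, nil
			}
		}
		return SCC{}, fmt.Errorf("pod %q requires SCC %q, which does not exist", p.Name, required)
	}

	var candidates []SCC
	for _, s := range sccs {
		if s.Usable {
			candidates = append(candidates, s)
		}
	}
	if len(candidates) == 0 {
		return SCC{}, errors.New("no usable SCC for pod " + p.Name)
	}
	sort.Slice(candidates, func(i, j int) bool {
		a, b := candidates[i], candidates[j]
		if a.Priority != b.Priority {
			return a.Priority > b.Priority
		}
		if a.Restrictiveness != b.Restrictiveness {
			return a.Restrictiveness > b.Restrictiveness
		}
		return a.Name < b.Name
	})
	return candidates[0], nil
}

// SampleSCCs is a constructed cluster: restricted-v2 plus a third-party
// CSI SCC that has higher priority, a read-only root filesystem, and is
// broadly usable via RBAC.
func SampleSCCs() []SCC {
	return []SCC{
		{Name: RestrictedV2, Priority: 0, Restrictiveness: 100, Usable: true},
		{Name: "third-party-csi", Priority: 10, ReadOnlyRootFilesystem: true, Restrictiveness: 40, Usable: true},
	}
}

func main() {
	unpinned := Pod{Name: "node-joiner", Annotations: map[string]string{}}
	got, _ := SelectSCC(unpinned, SampleSCCs())
	fmt.Printf("without annotation: %s (readOnlyRootFilesystem=%v)\n", got.Name, got.ReadOnlyRootFilesystem)

	pinned := NewNodeJoinerPod("node-joiner")
	got, _ = SelectSCC(pinned, SampleSCCs())
	fmt.Printf("with annotation:    %s (readOnlyRootFilesystem=%v)\n", got.Name, got.ReadOnlyRootFilesystem)
}
```

The unpinned pod lands on the third-party SCC and inherits its read-only root filesystem, which is the failure mode behind the bug; the pinned pod gets restricted-v2 regardless of the other SCC's priority. The rejection branch is the trade-off a reviewer should keep in mind: if restricted-v2 is ever removed from the service account's allowed set, the pod is refused rather than silently given another SCC.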
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Mar 18, 2026
@openshift-ci-robot

@cetinerdev: This pull request references Jira Issue OCPBUGS-62799, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


In response to this:

When a third-party SCC (e.g. Pure Storage CSI) with readOnlyRootFilesystem: true and higher priority is broadly accessible via RBAC, the SCC admission controller may assign it to the node-joiner pod instead of restricted-v2. This causes the node-joiner tool to fail with 'read-only file system' errors when writing to /tmp.

Adding the openshift.io/required-scc annotation ensures restricted-v2 is always assigned regardless of other SCCs' priority or restrictiveness, as required by the custom SCC preemption prevention enhancement:
https://github.com/openshift/enhancements/blob/master/enhancements/authentication/custom-scc-preemption-prevention.md

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai bot commented Mar 18, 2026

No actionable comments were generated in the recent review. 🎉


Reviewing files that changed from the base of the PR and between 05fa7bb and e920e51.

📒 Files selected for processing (3)
  • pkg/cli/admin/nodeimage/create.go
  • pkg/cli/admin/nodeimage/create_test.go
  • pkg/cli/admin/nodeimage/monitor.go

Walkthrough

Three files in the node image package add the openshift.io/required-scc: restricted-v2 annotation to node-joiner pod specifications in the create and monitor components, with a corresponding test case verifying the annotation presence.

Changes

  • Pod Annotation Updates (pkg/cli/admin/nodeimage/create.go, pkg/cli/admin/nodeimage/monitor.go): Added the openshift.io/required-scc: restricted-v2 annotation to the node-joiner pod metadata in both the create and monitor functions.
  • Test Coverage (pkg/cli/admin/nodeimage/create_test.go): New test case added to TestRun verifying that the node-joiner pod carries the openshift.io/required-scc annotation with value restricted-v2.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes


@openshift-ci openshift-ci bot requested review from andfasano and rwsu March 18, 2026 13:39
@openshift-ci

openshift-ci bot commented Mar 18, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: cetinerdev
Once this PR has been reviewed and has the lgtm label, please assign andfasano for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Mar 18, 2026
@openshift-ci

openshift-ci bot commented Mar 18, 2026

Hi @cetinerdev. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
