CNTRLPLANE-3387: Update list of pending namespaces in the required-scc monitor test

[liouk]

Removing fixed namespaces from the pending list. This effectively means that the test will now be enforced on those as well by failing when a workload w/o SCC pinning is detected by the test.

Summary by CodeRabbit

• Tests
  • Refined security constraint monitoring coverage for cluster namespaces.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[openshift-ci-robot]

@liouk: This pull request references CNTRLPLANE-876 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

The pull request narrows the set of namespaces tracked for pending SCC pinning in a monitor test from multiple entries to four specific ones: openshift-image-registry, openshift-ingress, openshift-insights, and openshift-machine-api.

Changes

SCC Pinning Monitor Configuration

Layer / File(s)	Summary
Configuration Update pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go	namespacesWithPendingSCCPinning list is reduced to four namespaces, removing entries for openshift-cluster-version, openshift-ingress-canary, openshift-ingress-operator, openshift-monitoring, and others.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies the namespacesWithPendingSCCPinning list, not test names. No changes to It(), Describe(), Context(), When(), or any test title definitions.
Test Structure And Quality	✅ Passed	PR updates only namespace data, not test code. This is a MonitorTest analyzer, not Ginkgo test code. No test structure, logic, or quality changes. Custom check inapplicable to this PR.
Microshift Test Compatibility	✅ Passed	PR does not add new Ginkgo e2e tests. It only modifies a data variable in an existing monitor test. The check applies only to new Ginkgo tests, so it does not apply here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies a configuration variable in a monitor test framework component, not adding new Ginkgo e2e tests. SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR modifies only a test file with no deployment manifests, operators, or controllers. The change updates a namespace list variable for test flaking logic, introducing no scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	PR modifies only namespacesWithPendingSCCPinning variable initialization, removing 4 namespaces. No stdout operations at process level. No OTE Binary Stdout Contract violations.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added. The PR modifies only a monitor test configuration variable. The check applies only to new Ginkgo tests.
Title check	✅ Passed	The title clearly and specifically describes the main change: updating the list of pending namespaces in the required-scc monitor test, which aligns with the changeset's primary objective.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-ci-robot]

@liouk: This pull request references CNTRLPLANE-3387 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

• Tests
• Refined security constraint monitoring coverage for cluster namespaces.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[liouk]

/jira refresh

[openshift-ci-robot]

@liouk: This pull request references CNTRLPLANE-3387 which is a valid jira issue.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[everettraven]

/lgtm

[ehearne-redhat]

/retest-required

[ehearne-redhat]

/lgtm

Nit: How do we know these namespaces are fixed completely?

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ehearne-redhat, everettraven, liouk
Once this PR has been reviewed and has the lgtm label, please assign jogeo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[liouk]

namespace	fix PR	5.0 tests
openshift-cluster-version	openshift/cluster-version-operator#1038, openshift/cluster-version-operator#1106	sippy link
openshift-ingress-operator	openshift/cluster-ingress-operator#1031	sippy link
openshift-ingress-canary	openshift/cluster-ingress-operator#1031	sippy link
openshift-monitoring	openshift/cluster-monitoring-operator#2498	sippy link

/verified by @liouk

[openshift-ci-robot]

@liouk: This PR has been marked as verified by @liouk.

Details

In response to this:

namespace	fix PR	5.0 tests
openshift-cluster-version	openshift/cluster-version-operator#1038, openshift/cluster-version-operator#1106	sippy link
openshift-ingress-operator	openshift/cluster-ingress-operator#1031	sippy link
openshift-ingress-canary	openshift/cluster-ingress-operator#1031	sippy link
openshift-monitoring	openshift/cluster-monitoring-operator#2498	sippy link

/verified by @liouk

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[liouk]

@ehearne-redhat take a look at my previous comment; recent sippy runs show no failures, plus I've located the PRs that fixed the outstanding workloads. Removing these namespaces from the pending list means that in case any new/unfixed workload is detected, we'll get a failure and this should surface in component readiness for the appropriate component.

[openshift-ci]

@liouk: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.