OCPBUGS-85106: Add required-scc annotation to EFS and SMB operator deployments

[liouk]

Failing sippy tests: https://sippy.dptools.openshift.org/sippy-ng/tests/5.0/analysis?test=%5BMonitor%3Arequired-scc-annotation-checker%5D%5Bsig-auth%5D%20all%20workloads%20in%20ns%2Fopenshift-cluster-csi-drivers%20must%20set%20the%20%27openshift.io%2Frequired-scc%27%20annotation

We're planning on fixing all remaining workloads in ns/openshift-cluster-csi-drivers so that we can drop the exception from the required-scc-annotation-checker monitor test.

[openshift-ci-robot]

@liouk: This pull request references Jira Issue OCPBUGS-85106, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Failing sippy tests: https://sippy.dptools.openshift.org/sippy-ng/tests/5.0/analysis?test=%5BMonitor%3Arequired-scc-annotation-checker%5D%5Bsig-auth%5D%20all%20workloads%20in%20ns%2Fopenshift-cluster-csi-drivers%20must%20set%20the%20%27openshift.io%2Frequired-scc%27%20annotation

We're planning on fixing all remaining workloads in ns/openshift-cluster-csi-drivers so that we can drop the exception from the required-scc-annotation-checker monitor test.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: fc89054e-2370-4e63-814b-9662972e9ff0

📥 Commits

Reviewing files that changed from the base of the PR and between d768b79 and a7bcd01.

📒 Files selected for processing (2)

• config/aws-efs/manifests/stable/aws-efs-csi-driver-operator.clusterserviceversion.yaml
• config/samba/manifests/stable/smb-csi-driver-operator.clusterserviceversion.yaml

---

📝 Walkthrough

Walkthrough

Two ClusterServiceVersion manifests receive a single-line addition each: the pod template metadata annotations block of the aws-efs-csi-driver-operator and smb-csi-driver-operator Deployments now include openshift.io/required-scc: restricted-v2. No other fields in either manifest are modified.

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding the required-scc annotation to EFS and SMB operator deployments, which matches the actual modifications in both manifest files.
Description check	✅ Passed	The description is directly related to the changeset, explaining the motivation (failing Sippy tests requiring the openshift.io/required-scc annotation) and the goal of fixing remaining workloads to remove an exception.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR contains no Ginkgo test files or test name modifications; it only changes YAML manifest files to add SCC annotations, making the check inapplicable.
Test Structure And Quality	✅ Passed	PR contains only YAML manifest changes (adding SCC annotations), not Ginkgo test code. Check not applicable to manifest-only changes.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR; only YAML manifest files are modified to add a security annotation.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds SCC annotations to CSI operator manifests only. No new Ginkgo e2e tests (It, Describe, Context, When) are added, so SNO test compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	The PR only adds openshift.io/required-scc: restricted-v2 security annotations to operator pod templates. This is not a scheduling constraint. Existing affinity is already topology-aware: preferr...
Ote Binary Stdout Contract	✅ Passed	This PR only modifies Kubernetes manifest YAML files to add SCC annotations, not process-level code that could emit stdout. The OTE stdout contract check is inapplicable to declarative configuratio...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only modifies YAML manifests to add security context annotations; no Ginkgo e2e tests are added, making this check inapplicable.
No-Weak-Crypto	✅ Passed	PR adds only YAML manifest annotations for security constraints; no cryptographic code implementations are present.
Container-Privileges	✅ Passed	Both manifests follow secure container practices with allowPrivilegeEscalation: false, runAsNonRoot: true, readOnlyRootFilesystem: true, and capabilities: drop: [ALL]. No privileged: true, hostPID,...
No-Sensitive-Data-In-Logs	✅ Passed	The PR only adds security annotation metadata to pod templates in YAML manifests. No logging statements containing sensitive data (passwords, tokens, API keys, PII, etc.) are present in the changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jsafrane]

/lgtm
/approve
/verified by CI
no regressions found by efs and smb jobs, the operator is able to run as restricted-v2.
/retest-required

[openshift-ci-robot]

@jsafrane: This PR has been marked as verified by CI.

Details

In response to this:

/lgtm
/approve
/verified by CI
no regressions found by efs and smb jobs, the operator is able to run as restricted-v2.
/retest-required

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsafrane, liouk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jsafrane]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jsafrane]

/test help

[jsafrane]

/test smb-operator-e2e
/verified cancel

[openshift-ci-robot]

@jsafrane: The /verified command must be used with one of the following actions: by, later, remove, or bypass. See https://docs.ci.openshift.org/docs/architecture/jira/#premerge-verification for more information.

Details

In response to this:

/test smb-operator-e2e
/verified cancel

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jsafrane]

/verified remove
checking SMB CI

[openshift-ci-robot]

@jsafrane: The verified label has been removed.

Details

In response to this:

/verified remove
checking SMB CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jsafrane]

/verified by CI
no regressions found by efs and smb jobs, the operator is able to run as restricted-v2.

[openshift-ci-robot]

@jsafrane: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI
no regressions found by efs and smb jobs, the operator is able to run as restricted-v2.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD ad5643a and 2 for PR HEAD a7bcd01 in total

[liouk]

/retest-required

[openshift-ci]

@liouk: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/aws-efs-operator-e2e	a7bcd01	link	true	/test aws-efs-operator-e2e

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[liouk]

aws-efs-operator-e2e failing due to the image tag ocp_5.0_base-rhel10 missing from the CI registry. Will wait before retesting.