OCPBUGS-76952: scc: fix uid{Min,Max}Range for nested-container#2053

Open
haircommander wants to merge 1 commit into openshift:main from haircommander:min-range

@haircommander (Member) commented Feb 23, 2026

SOMEONE (I) misread the API and used the one for SupplementalGroupPolicy instead of uid range

Summary by CodeRabbit

  • Chores
    • Updated internal security configuration structure to use a standardized format for specifying allowed user ID ranges.

SOMEONE (I) misread the API and used the one for SupplementalGroupPolicy instead of
uid range

Signed-off-by: Peter Hunt <pehunt@redhat.com>
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Feb 23, 2026
@openshift-ci-robot

@haircommander: This pull request references Jira Issue OCPBUGS-76952, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

@openshift-ci openshift-ci bot requested a review from wangke19 February 23, 2026 17:21
@coderabbitai

coderabbitai bot commented Feb 23, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between cee7acb and d22154c.

📒 Files selected for processing (1)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-nested-container.yaml

Walkthrough

Updates the SecurityContextConstraints YAML manifest to use direct uidRangeMin and uidRangeMax fields instead of a nested ranges structure for specifying allowed UID ranges.

Changes

Cohort / File(s): Kubernetes SCC Configuration (bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-nested-container.yaml)
Summary: Updated runAsUser field format from nested ranges array (min/max) to direct uidRangeMin/uidRangeMax fields.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: fixing the uid range field names in the SCC (SecurityContextConstraints) for nested-container configuration.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Stable And Deterministic Test Names: ✅ Passed. PR contains only YAML manifest files with no test definitions or test code, making this test name check not applicable.
  • Test Structure And Quality: ✅ Passed. This PR modifies only YAML configuration files (SecurityContextConstraints manifest), not test code, so the custom check for test code quality is not applicable.

Comment @coderabbitai help to get the list of available commands and usage tips.
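
The shape mix-up described in the walkthrough above, as an added example that is not part of the PR or the project's code: a strict decode with Go's encoding/json rejects a `ranges` list placed under `runAsUser` instead of losing it. The struct types are simplified local mirrors written for this example (only the fields it needs), the manifests are constructed and given in JSON form so that only the standard library is required, and the UID values are illustrative.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Simplified local mirrors (assumption: written for this example, not the openshift/api types).
type idRange struct {
	Min int64 `json:"min"`
	Max int64 `json:"max"`
}
type runAsUser struct { // flat bounds, no list
	Type        string `json:"type"`
	UIDRangeMin *int64 `json:"uidRangeMin,omitempty"`
	UIDRangeMax *int64 `json:"uidRangeMax,omitempty"`
}
type supplementalGroups struct { // list of min/max pairs
	Type   string    `json:"type"`
	Ranges []idRange `json:"ranges,omitempty"`
}
type strategies struct {
	RunAsUser          runAsUser          `json:"runAsUser"`
	SupplementalGroups supplementalGroups `json:"supplementalGroups"`
}

// checkStrategies decodes strictly, so a field that belongs to another
// strategy (such as `ranges` under runAsUser) is an error, not silently lost.
func checkStrategies(doc string) error {
	dec := json.NewDecoder(bytes.NewReader([]byte(doc)))
	dec.DisallowUnknownFields()
	var s strategies
	if err := dec.Decode(&s); err != nil {
		return fmt.Errorf("strict decode: %w", err)
	}
	u := s.RunAsUser
	if u.UIDRangeMin != nil && u.UIDRangeMax != nil && *u.UIDRangeMin > *u.UIDRangeMax {
		return fmt.Errorf("uidRangeMin %d > uidRangeMax %d", *u.UIDRangeMin, *u.UIDRangeMax)
	}
	return nil
}

// Constructed samples; the UID values are illustrative, not the manifest's.
const wrongShape = `{"runAsUser":{"type":"MustRunAsRange","ranges":[{"min":1000,"max":65534}]}}`
const rightShape = `{"runAsUser":{"type":"MustRunAsRange","uidRangeMin":1000,"uidRangeMax":65534}}`

func main() {
	fmt.Println("wrong:", checkStrategies(wrongShape))
	fmt.Println("right:", checkStrategies(rightShape))
}
```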

@openshift-ci-robot

@haircommander: This pull request references Jira Issue OCPBUGS-76952, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

@haircommander
Member Author

/retest

@benluddy
Contributor

/approve

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 23, 2026
@tchap
Contributor

tchap commented Mar 17, 2026

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 17, 2026
@openshift-ci
Contributor

openshift-ci bot commented Mar 17, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: benluddy, haircommander, tchap

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Contributor

openshift-ci bot commented Mar 23, 2026

@haircommander: all tests passed!

Full PR test history. Your PR dashboard.
