
OCPBUGS-77004: scc: restricted-v3: Fix runAsUser range#1947

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:main from tchap:fix-restricted-v3-runAsUser-range
Oct 23, 2025

Conversation

@tchap
Contributor

@tchap tchap commented Oct 22, 2025

Issue

restricted-v3 is made for user namespaces, which require UID to be between 1000 and 65534. Yet:

 message: 'pods "sleep-94cf4ff7d-" is forbidden: unable to validate against any
        security context constraint: provider restricted-v3: .containers[0].runAsUser:
        Invalid value: 1000: must be in the ranges: [1000740000, 1000749999]'

Fix

runAsUser does not use ranges.min and ranges.max;
rather, the right keys are uidRangeMin and uidRangeMax.

$ k explain scc.runAsUser     
GROUP:      security.openshift.io
KIND:       SecurityContextConstraints
VERSION:    v1

FIELD: runAsUser <RunAsUserStrategyOptions>


DESCRIPTION:
    RunAsUser is the strategy that will dictate what RunAsUser is used in the
    SecurityContext.
    RunAsUserStrategyOptions defines the strategy type and any options used to
    create the strategy.
    
FIELDS:
  type  <string>
    Type is the strategy that will dictate what RunAsUser is used in the
    SecurityContext.

  uid   <integer>
    UID is the user id that containers must run as.  Required for the MustRunAs
    strategy if not using namespace/service account allocated uids.

  uidRangeMax   <integer>
    UIDRangeMax defines the max value for a strategy that allocates by range.

  uidRangeMin   <integer>
    UIDRangeMin defines the min value for a strategy that allocates by range.

Testing

Tested this manually on a ClusterBot cluster.
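The failure the description reports, modelled as an added Go example (not code from the operator, the PR, or OpenShift itself): a runAsUser strategy of type MustRunAsRange reads only uidRangeMin/uidRangeMax, so a manifest that sets ranges.min/ranges.max leaves the SCC-level range empty and, as assumed in this example, the check falls back to the project's openshift.io/sa.scc.uid-range annotation, which is how a pod asking for UID 1000 gets rejected against [1000740000, 1000749999]. The annotation value, the fallback logic and the error text are constructed here to match the message quoted above.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// RunAsUserOptions mirrors the scc.runAsUser keys that MustRunAsRange reads.
// There is deliberately no Ranges field: ranges.min/ranges.max belong to the
// fsGroup/supplementalGroups strategies and are ignored here, which is the bug.
type RunAsUserOptions struct {
	Type        string
	UIDRangeMin *int64
	UIDRangeMax *int64
}

// Assumed fallback modelled here: with no SCC-level range, the project's
// pre-allocated UID block from this namespace annotation ("start/size") is used.
const uidRangeAnnotation = "openshift.io/sa.scc.uid-range"

func parseUIDRangeAnnotation(v string) (int64, int64, error) {
	parts := strings.SplitN(v, "/", 2)
	if len(parts) != 2 {
		return 0, 0, fmt.Errorf("bad %s annotation %q", uidRangeAnnotation, v)
	}
	start, err1 := strconv.ParseInt(parts[0], 10, 64)
	size, err2 := strconv.ParseInt(parts[1], 10, 64)
	if err1 != nil || err2 != nil || size < 1 {
		return 0, 0, fmt.Errorf("bad %s annotation %q", uidRangeAnnotation, v)
	}
	return start, start + size - 1, nil
}

// ValidateRunAsUser mimics the admission check; nil means the UID is allowed.
func ValidateRunAsUser(opts RunAsUserOptions, ns map[string]string, uid int64) error {
	if opts.Type != "MustRunAsRange" {
		return fmt.Errorf("unsupported runAsUser type %q", opts.Type)
	}
	var lo, hi int64
	if opts.UIDRangeMin != nil && opts.UIDRangeMax != nil {
		lo, hi = *opts.UIDRangeMin, *opts.UIDRangeMax // explicit SCC range wins
	} else {
		var err error
		if lo, hi, err = parseUIDRangeAnnotation(ns[uidRangeAnnotation]); err != nil {
			return err
		}
	}
	if uid < lo || uid > hi {
		return fmt.Errorf(".containers[0].runAsUser: Invalid value: %d: must be in the ranges: [%d, %d]", uid, lo, hi)
	}
	return nil
}

func Int64p(v int64) *int64 { return &v }
```

With uidRangeMin: 1000 and uidRangeMax: 65534 set, as the merged manifest does, UID 1000 passes and the namespace annotation is never consulted.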

runAsUser does not use ranges.min and ranges.max;
rather, the right keys are uidRangeMin and uidRangeMax.
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Oct 22, 2025
@openshift-ci-robot

openshift-ci-robot commented Oct 22, 2025

@tchap: This pull request references CNTRLPLANE-1544 which is a valid jira issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Oct 22, 2025

Walkthrough

Updates a Kubernetes Security Context Constraint (SCC) manifest file to replace the runAsUser.ranges format with explicit uidRangeMin and uidRangeMax fields (values 1000 and 65534). Other SCC settings remain unchanged; only the UID range specification syntax is modernized.

Changes

Cohort: SCC Manifest UID Range Format Update
File: bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-restricted-v3.yaml
Change Summary: Replaces runAsUser.ranges block with explicit uidRangeMin: 1000 and uidRangeMax: 65534 fields under MustRunAsRange policy. Other SCC fields preserved.


Pre-merge checks: 3 passed

Title Check (passed): The pull request title "CNTRLPLANE-1544: scc: restricted-v3: Fix runAsUser range" directly and clearly summarizes the main change in the changeset. The raw summary confirms the change is replacing the runAsUser.ranges block with the correct fields uidRangeMin and uidRangeMax, which is precisely what the title communicates as "Fix runAsUser range." The title is concise, specific, and leaves no ambiguity about the primary purpose of the changeset.
Docstring Coverage (passed): No functions found in the changes. Docstring coverage check skipped.
Description Check (passed): The pull request description directly addresses the changeset by explaining that the runAsUser field in the restricted-v3 SCC manifest needs to use uidRangeMin and uidRangeMax instead of ranges.min and ranges.max. The description provides context for the issue (user namespace requirements with UIDs 1000-65534), reproduces the validation error demonstrating the problem, includes kubectl documentation showing the correct field names, and notes manual testing was performed. This is clearly related to the actual change being made in the manifest file.



@openshift-ci openshift-ci Bot requested review from deads2k and p0lyn0mial October 22, 2025 13:07


@tchap
Contributor Author

tchap commented Oct 22, 2025

/retest

@haircommander
Member

/lgtm
/cherry-pick release-4.20

@openshift-cherrypick-robot

@haircommander: once the present PR merges, I will cherry-pick it on top of release-4.20 in a new PR and assign it to you.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Oct 22, 2025
@openshift-ci
Contributor

openshift-ci Bot commented Oct 22, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander, sanchezl, tchap

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 22, 2025
@tchap
Contributor Author

tchap commented Oct 22, 2025

/retest

@tchap
Contributor Author

tchap commented Oct 23, 2025

/retest-required

@tchap
Contributor Author

tchap commented Oct 23, 2025

/verified by @tchap

Tested this manually on a cluster.

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Oct 23, 2025
@openshift-ci-robot

@tchap: This PR has been marked as verified by @tchap.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
Contributor

openshift-ci Bot commented Oct 23, 2025

@tchap: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Failed test: ci/prow/okd-scos-e2e-aws-ovn (commit 3be0d2b, required: false). Rerun command: /test okd-scos-e2e-aws-ovn


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 3e75bc1 into openshift:main Oct 23, 2025
14 of 15 checks passed
@tchap tchap deleted the fix-restricted-v3-runAsUser-range branch October 23, 2025 12:34
@openshift-cherrypick-robot

@haircommander: new pull request created: #1948

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@tchap
Contributor Author

tchap commented Feb 17, 2026

/retitle OCPBUGS-77004: scc: restricted-v3: Fix runAsUser range

@openshift-ci openshift-ci Bot changed the title CNTRLPLANE-1544: scc: restricted-v3: Fix runAsUser range OCPBUGS-77004: scc: restricted-v3: Fix runAsUser range Feb 17, 2026
@openshift-ci-robot

@tchap: Jira Issue Verification Checks: Jira Issue OCPBUGS-77004
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-77004 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
