OCPBUGS-65807: SCC: allow image volume type for all SCCs#1968

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:main from haircommander:scc-image
Jan 20, 2026
Conversation

@haircommander
Member

image volume should be safe for all, because the user could just package the image volume into their image itself at build time anyway.

image volume should be safe for all, because the user could just
package the image volume into their image itself at build time anyway.

Signed-off-by: Peter Hunt <pehunt@redhat.com>
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Nov 19, 2025
@openshift-ci-robot

@haircommander: This pull request references Jira Issue OCPBUGS-65807, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @mrniranjan

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

image volume should be safe for all, because the user could just package the image volume into their image itself at build time anyway.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai bot commented Nov 19, 2025

Walkthrough

This PR adds a new "image" volume entry to the volumes list across 12 SecurityContextConstraints manifest files in the kube-apiserver-operator directory, allowing image volumes as a permitted volume source in multiple SCC configurations.

Changes

Cohort / File(s): Add image volume to SCC manifests
  bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-*.yaml (12 files: anyuid, hostaccess, hostmount-anyuid, hostmount-anyuid-v2, hostnetwork, hostnetwork-v2, nested-container, nonroot, nonroot-v2, restricted, restricted-v2, restricted-v3)
Summary: Adds a new "image" volume entry to the volumes list in each SecurityContextConstraints manifest, expanding the set of allowed volume types.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify consistency of the "image" volume entry across all 12 SCC manifests
  • Confirm the placement and formatting of the new volume entry in each YAML file are correct
  • Consider whether the security implications of allowing image volumes are intentional and documented

📥 Commits

Reviewing files that changed from the base of the PR and between d3e707d and 79795a6.

📒 Files selected for processing (12)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-anyuid.yaml (1 hunks)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-hostaccess.yaml (1 hunks)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-hostmount-anyuid-v2.yaml (1 hunks)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-hostmount-anyuid.yaml (1 hunks)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-hostnetwork-v2.yaml (1 hunks)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-hostnetwork.yaml (1 hunks)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-nested-container.yaml (1 hunks)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-nonroot-v2.yaml (1 hunks)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-nonroot.yaml (1 hunks)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-restricted-v2.yaml (1 hunks)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-restricted-v3.yaml (1 hunks)
  • bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-restricted.yaml (1 hunks)
🔇 Additional comments (12)
bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-hostnetwork.yaml (1)

39-48: Volume list correctly updated with alphabetical ordering.

The "image" volume entry is properly positioned in alphabetical order between "ephemeral" and "persistentVolumeClaim". YAML formatting is consistent with existing entries.

bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-nonroot.yaml (1)

39-48: Volume list update consistent with other SCC manifests.

The "image" entry is properly added in alphabetical order. Formatting aligns with the established pattern across SCC manifests.

bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-nonroot-v2.yaml (1)

42-51: Change follows established pattern across SCC manifests.

The "image" volume is correctly positioned in alphabetical order within the volumes list.

bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-anyuid.yaml (1)

36-45: Properly integrated into consistent volume list pattern.

The "image" entry maintains alphabetical ordering alongside other volume types in the anyuid SCC.

bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-nested-container.yaml (1)

53-62: Consistent with SCC-wide update pattern.

The "image" volume is correctly added in alphabetical order within the nested-container SCC manifest.

bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-hostnetwork-v2.yaml (1)

41-50: Properly positioned in alphabetical order.

The "image" volume addition follows the established pattern across all SCC manifests in this PR.

bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-restricted-v3.yaml (1)

53-62: Consistent alphabetical ordering maintained.

The "image" volume is correctly added to restricted-v3 SCC, maintaining the established pattern from other SCC manifests.

bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-hostmount-anyuid.yaml (1)

39-50: Properly positioned for this SCC's unique volume set.

The "image" volume is correctly placed between "ephemeral" and "nfs" in alphabetical order. This SCC's inclusion of "hostPath" and "nfs" volumes (lines 45, 47) creates a different ordering than other SCCs, but the "image" entry maintains correct alphabetical positioning.

bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-restricted-v2.yaml (1)

47-47: Image volume addition is properly positioned and consistent.

The "image" volume type is correctly inserted in alphabetical order within the volumes list for the restricted-v2 SCC.

bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-hostmount-anyuid-v2.yaml (1)

44-44: Image volume addition is properly positioned in alphabetical order.

The "image" volume type is correctly inserted between "hostPath" and "nfs" in the volumes list.

bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-restricted.yaml (1)

44-44: Image volume addition is properly positioned in alphabetical order.

The "image" volume type is correctly inserted in the volumes list of the restricted SCC.

bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-hostaccess.yaml (1)

47-47: Image volume addition is properly positioned in alphabetical order.

The "image" volume type is correctly inserted in the volumes list of the hostaccess SCC.


@openshift-ci openshift-ci bot requested a review from mrniranjan November 19, 2025 20:55
@haircommander
Member Author

/cherry-pick release-4.20

@openshift-cherrypick-robot

@haircommander: once the present PR merges, I will cherry-pick it on top of release-4.20 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot requested review from sanchezl and tkashem November 19, 2025 21:01
@benluddy
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 16, 2026
@openshift-ci
Contributor

openshift-ci bot commented Jan 16, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: benluddy, haircommander

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 16, 2026
@haircommander
Member Author

/cherry-pick release-4.21

@openshift-cherrypick-robot

@haircommander: once the present PR merges, I will cherry-pick it on top of release-4.21 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@haircommander
Member Author

/test images

@haircommander
Member Author

launched with cluster bot launch 4.21,openshift/cluster-kube-apiserver-operator#1968 gcp

[pehunt@fedora ~]
 $ oc describe scc | grep image
  Allowed Volume Types:                         configMap,csi,downwardAPI,emptyDir,ephemeral,image,persistentVolumeClaim,projected,secret
  Allowed Volume Types:                         configMap,csi,downwardAPI,emptyDir,ephemeral,hostPath,image,persistentVolumeClaim,projected,secret
  Allowed Volume Types:                         configMap,csi,downwardAPI,emptyDir,ephemeral,hostPath,image,nfs,persistentVolumeClaim,projected,secret
  Allowed Volume Types:                         configMap,csi,downwardAPI,emptyDir,ephemeral,hostPath,image,nfs,persistentVolumeClaim,projected,secret
  Allowed Volume Types:                         configMap,csi,downwardAPI,emptyDir,ephemeral,image,persistentVolumeClaim,projected,secret
  Allowed Volume Types:                         configMap,csi,downwardAPI,emptyDir,ephemeral,image,persistentVolumeClaim,projected,secret
  Allowed Volume Types:                         configMap,csi,downwardAPI,emptyDir,ephemeral,image,persistentVolumeClaim,projected,secret
  Allowed Volume Types:                         configMap,csi,downwardAPI,emptyDir,ephemeral,image,persistentVolumeClaim,projected,secret
  Allowed Volume Types:                         configMap,csi,downwardAPI,emptyDir,ephemeral,image,persistentVolumeClaim,projected,secret
  Allowed Volume Types:                         configMap,csi,downwardAPI,emptyDir,ephemeral,image,persistentVolumeClaim,projected,secret
  Allowed Volume Types:                         configMap,csi,downwardAPI,emptyDir,ephemeral,image,persistentVolumeClaim,projected,secret
  Allowed Volume Types:                         configMap,csi,downwardAPI,emptyDir,ephemeral,image,persistentVolumeClaim,projected,secret

/verified by @haircommander
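The PR description argues that the `image` volume source is safe to allow in every SCC, and the verification comment above checks the result with `oc describe scc | grep image`. The following is an added example, not code from the PR or from the cluster-kube-apiserver-operator project: it models how an SCC's `volumes` list gates the volume source types a pod may use (the `*` wildcard allows every type; `none` is a placeholder that matches no real source), shows a pod with an `image` volume being rejected by the pre-change list and admitted by the post-change one, and parses `oc describe scc` output to flag any SCC that still lacks `image` and to confirm the alphabetical ordering the review comments check. The manifest excerpt and the third describe row (`legacy-custom-scc`) are constructed for the example; the other two rows mirror lines posted in the thread.

```python
"""SCC volume-type policy checker (added example, not project code)."""
import re

# Constructed excerpt of an SCC manifest's volumes list before the change.
SCC_RESTRICTED_V2_BEFORE = """\
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: restricted-v2
volumes:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
"""

# The same manifest with "image" inserted where the PR places it.
SCC_RESTRICTED_V2_AFTER = SCC_RESTRICTED_V2_BEFORE.replace(
    "- ephemeral\n", "- ephemeral\n- image\n")

# Constructed `oc describe scc` sample: two rows mirror the PR comment,
# the third (legacy-custom-scc) is invented to show a non-updated SCC.
DESCRIBE_SAMPLE = """\
Name:                                           restricted-v2
  Allowed Volume Types:                         configMap,csi,downwardAPI,emptyDir,ephemeral,image,persistentVolumeClaim,projected,secret
Name:                                           hostmount-anyuid
  Allowed Volume Types:                         configMap,csi,downwardAPI,emptyDir,ephemeral,hostPath,image,nfs,persistentVolumeClaim,projected,secret
Name:                                           legacy-custom-scc
  Allowed Volume Types:                         configMap,emptyDir,secret
"""


def volumes_from_manifest(text: str) -> list[str]:
    """Extract the top-level `volumes:` list from a single-document SCC manifest."""
    lines = text.splitlines()
    i = 0
    while i < len(lines) and lines[i].rstrip() != "volumes:":
        i += 1
    out = []
    for line in lines[i + 1:]:
        m = re.match(r"^\s*-\s*(\S+)\s*$", line)
        if not m:
            break  # next top-level key or end of document ends the list
        out.append(m.group(1))
    return out


def volume_allowed(allowed: list[str], fstype: str) -> bool:
    """A source type passes if it is listed explicitly or the list contains '*'.
    'none' is only a placeholder entry and never equals a real source type."""
    return any(v == fstype or v == "*" for v in allowed)


def rejected_volume_types(allowed: list[str], pod_volume_types: list[str]) -> list[str]:
    """Volume source types in a pod spec that this SCC's `volumes` list would reject."""
    return [v for v in pod_volume_types if not volume_allowed(allowed, v)]


def allowed_types_from_describe(text: str) -> list[list[str]]:
    """Parse every 'Allowed Volume Types:' row of `oc describe scc` output."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^\s*Allowed Volume Types:\s+(\S+)\s*$", line)
        if m:
            rows.append(m.group(1).split(","))
    return rows


def sccs_missing_type(text: str, fstype: str) -> int:
    """Count SCCs in the describe output whose allowed list lacks `fstype`."""
    return sum(1 for row in allowed_types_from_describe(text) if fstype not in row)


def is_alphabetical(items: list[str]) -> bool:
    """Case-insensitive ordering check, matching the review's consistency check."""
    return items == sorted(items, key=str.lower)


if __name__ == "__main__":
    pod = ["configMap", "image"]
    print("before:", rejected_volume_types(volumes_from_manifest(SCC_RESTRICTED_V2_BEFORE), pod))
    print("after: ", rejected_volume_types(volumes_from_manifest(SCC_RESTRICTED_V2_AFTER), pod))
    print("SCCs without image:", sccs_missing_type(DESCRIBE_SAMPLE, "image"))
```

Run against a live cluster, the describe parser can be fed `oc describe scc` output directly; a non-zero count from `sccs_missing_type` points at SCCs (for example customer-defined ones) that the operator-managed manifests in this PR do not touch.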

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jan 20, 2026
@openshift-ci-robot

@haircommander: This PR has been marked as verified by @haircommander.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
Contributor

openshift-ci bot commented Jan 20, 2026

@haircommander: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit 1aee49b into openshift:main Jan 20, 2026
13 checks passed
@openshift-ci-robot

@haircommander: Jira Issue Verification Checks: Jira Issue OCPBUGS-65807
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-65807 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

image volume should be safe for all, because the user could just package the image volume into their image itself at build time anyway.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-cherrypick-robot

@haircommander: new pull request created: #2006

Details

In response to this:

/cherry-pick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot

@haircommander: new pull request created: #2007

Details

In response to this:

/cherry-pick release-4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-merge-robot
Contributor

Fix included in accepted release 4.22.0-0.nightly-2026-01-21-145520
