From c6bff2dec095a87ae4dc2ea7dbecd8b192a35cd1 Mon Sep 17 00:00:00 2001
From: Ilias Rinis
Date: Tue, 23 Jun 2026 10:37:45 +0200
Subject: [PATCH 1/2] required-scc-annotation-checker: Ignore run-level namespaces from the required-scc requirement

---
 .../requiredsccmonitortests/monitortest.go | 26 ++++---------------
 1 file changed, 5 insertions(+), 21 deletions(-)

diff --git a/pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go b/pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go
index 763f0f6a8271..efcededeb4c5 100644
--- a/pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go
+++ b/pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go
@@ -44,27 +44,6 @@ var namespacesWithPendingSCCPinning = sets.NewString(
 "openshift-ingress",
 "openshift-insights",
 "openshift-machine-api",
- // run-level namespaces
- "openshift-cloud-controller-manager",
- "openshift-cloud-controller-manager-operator",
- "openshift-cluster-api",
- "openshift-cluster-machine-approver",
- "openshift-dns",
- "openshift-dns-operator",
- "openshift-etcd",
- "openshift-etcd-operator",
- "openshift-kube-apiserver",
- "openshift-kube-apiserver-operator",
- "openshift-kube-controller-manager",
- "openshift-kube-controller-manager-operator",
- "openshift-kube-proxy",
- "openshift-kube-scheduler",
- "openshift-kube-scheduler-operator",
- "openshift-multus",
- "openshift-network-operator",
- "openshift-ovn-kubernetes",
- "openshift-sdn",
- "openshift-storage",
 )
 
 // systemNamespaces includes namespaces that should be treated as flaking.
@@ -117,6 +96,11 @@ func (w *requiredSCCAnnotationChecker) CollectData(ctx context.Context, storageD
 continue
 }
 
+ // skip run-level namespaces; SCC admission does not run on them
+ if _, hasRunLevel := ns.Labels["openshift.io/run-level"]; hasRunLevel {
+ continue
+ }
+
 // require that all workloads in openshift, kube-*, or default namespaces must have the required-scc annotation
 // ignore openshift-must-gather-* namespaces which are generated dynamically
 isPermanentOpenShiftNamespace := (ns.Name == "openshift" || strings.HasPrefix(ns.Name, "openshift-")) && !strings.HasPrefix(ns.Name, "openshift-must-gather-")

From 51eaa6993197f4b16f1bc76962e84f7f3052312c Mon Sep 17 00:00:00 2001
From: Ilias Rinis
Date: Tue, 23 Jun 2026 10:48:56 +0200
Subject: [PATCH 2/2] required-scc-annotation-checker: Remove pending namespaces, and ignore system namespaces instead of flaking

---
 .../requiredsccmonitortests/monitortest.go | 50 +++++++------------
 1 file changed, 17 insertions(+), 33 deletions(-)

diff --git a/pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go b/pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go
index efcededeb4c5..61e46d9d1ebc 100644
--- a/pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go
+++ b/pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go
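Review bot: The new guard in the loop exempts a namespace as soon as the `openshift.io/run-level` label is present, whatever its value, which is wider than the comment's justification if the SCC admission bypass is tied to specific run levels; a namespace carrying the label with an unexpected value would then drop out of the required-scc check with no signal. If the bypass really is value-independent, make the comment say so, e.g. `// skip namespaces carrying openshift.io/run-level (any value): SCC admission is bypassed for them`; otherwise compare the label value against the levels that actually bypass admission. The same presence-only test is carried into shouldSkipNamespace in the last hunk of the second patch. CollectData's body starts and ends outside this hunk.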
@@ -37,17 +37,7 @@ var nonStandardSCCNamespaces = map[string]sets.Set[string]{
 "machine-api-termination-handler": sets.New("openshift-machine-api"),
 }
 
-// namespacesWithPendingSCCPinning includes namespaces with workloads that have pending SCC pinning.
-var namespacesWithPendingSCCPinning = sets.NewString(
- "openshift-cluster-csi-drivers",
- "openshift-image-registry",
- "openshift-ingress",
- "openshift-insights",
- "openshift-machine-api",
-)
-
-// systemNamespaces includes namespaces that should be treated as flaking.
-// these namespaces are included because we don't control their creation or labeling on their creation.
+// systemNamespaces are skipped because we don't control their creation or labeling.
 var systemNamespaces = sets.NewString(
 "default",
 "kube-system",
@@ -91,20 +81,7 @@ func (w *requiredSCCAnnotationChecker) CollectData(ctx context.Context, storageD
 
 junits := []*junitapi.JUnitTestCase{}
 for _, ns := range namespaces.Items {
- // skip managed service namespaces
- if exutil.ManagedServiceNamespaces.Has(ns.Name) {
- continue
- }
-
- // skip run-level namespaces; SCC admission does not run on them
- if _, hasRunLevel := ns.Labels["openshift.io/run-level"]; hasRunLevel {
- continue
- }
-
- // require that all workloads in openshift, kube-*, or default namespaces must have the required-scc annotation
- // ignore openshift-must-gather-* namespaces which are generated dynamically
- isPermanentOpenShiftNamespace := (ns.Name == "openshift" || strings.HasPrefix(ns.Name, "openshift-")) && !strings.HasPrefix(ns.Name, "openshift-must-gather-")
- if !strings.HasPrefix(ns.Name, "kube-") && ns.Name != "default" && !isPermanentOpenShiftNamespace {
+ if shouldSkipNamespace(&ns) {
 continue
 }
 
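Review bot: Replacing the inline condition with `shouldSkipNamespace(&ns)` narrows the check's coverage beyond what the commit title describes: the removed condition required the annotation in `kube-*` namespaces, in `default`, and in the bare `openshift` namespace, whereas shouldSkipNamespace (defined in the last hunk of this patch) returns true for every name that does not start with `openshift-`, so those namespaces are now skipped whether or not they are listed in systemNamespaces. If the intent is only to stop flaking on system namespaces, keep the old scope and let the systemNamespaces check carry the exemption, e.g. `if ns.Name != "openshift" && ns.Name != "default" && !strings.HasPrefix(ns.Name, "kube-") && !strings.HasPrefix(ns.Name, "openshift-") { return true }` next to the existing must-gather prefix test. The comment stating which namespaces must carry the annotation was deleted with the old code and should be restored on the helper. CollectData's body continues outside this hunk on both sides.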
@@ -172,14 +149,6 @@ func (w *requiredSCCAnnotationChecker) CollectData(ctx context.Context, storageD
 SystemOut: failureMsg,
 FailureOutput: &junitapi.FailureOutput{Output: failureMsg},
 })
-
- // add a successful test with the same name to cause a flake if the namespace should be flaking
- if namespacesWithPendingSCCPinning.Has(ns.Name) || systemNamespaces.Has(ns.Name) {
- junits = append(junits,
- &junitapi.JUnitTestCase{
- Name: testName,
- })
- }
 }
 
 return nil, junits, nil
@@ -201,6 +170,21 @@ func (w *requiredSCCAnnotationChecker) Cleanup(ctx context.Context) error {
 return nil
 }
 
+func shouldSkipNamespace(ns *v1.Namespace) bool {
+ if exutil.ManagedServiceNamespaces.Has(ns.Name) {
+ return true
+ }
+ if systemNamespaces.Has(ns.Name) {
+ return true
+ }
+ if _, hasRunLevel := ns.Labels["openshift.io/run-level"]; hasRunLevel {
+ return true
+ }
+ if !strings.HasPrefix(ns.Name, "openshift-") || strings.HasPrefix(ns.Name, "openshift-must-gather-") {
+ return true
+ }
+ return false
+}
 func ownerReferences(pod *v1.Pod) string {
 ownerRefs := make([]string, len(pod.OwnerReferences))
 for i, or := range pod.OwnerReferences {
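Review bot: shouldSkipNamespace is added without a doc comment, and its closing brace runs straight into `func ownerReferences` with no blank line between the two top-level declarations; insert the line break and document the predicate, e.g. `// shouldSkipNamespace reports whether ns is exempt from the required-scc annotation check: managed-service, system and run-level namespaces, and any namespace outside openshift-* or generated by must-gather.` A reader of the helper cannot otherwise tell that skipping a namespace means its workloads are silently excluded from the check rather than reported. Indexing `ns.Labels` when the map is nil is safe in Go, so no guard is needed there. ownerReferences continues outside this hunk.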