WIP: CNTRLPLANE-3386: Required scc annotation checker updates

pkg/monitortests/authentication/requiredsccmonitortests/monitortest.go

@@ -37,38 +37,7 @@ var nonStandardSCCNamespaces = map[string]sets.Set[string]{
 	"machine-api-termination-handler": sets.New("openshift-machine-api"),
 }
 
-// namespacesWithPendingSCCPinning includes namespaces with workloads that have pending SCC pinning.
-var namespacesWithPendingSCCPinning = sets.NewString(
-	"openshift-cluster-csi-drivers",
-	"openshift-image-registry",
-	"openshift-ingress",
-	"openshift-insights",
-	"openshift-machine-api",
-	// run-level namespaces
-	"openshift-cloud-controller-manager",
-	"openshift-cloud-controller-manager-operator",
-	"openshift-cluster-api",
-	"openshift-cluster-machine-approver",
-	"openshift-dns",
-	"openshift-dns-operator",
-	"openshift-etcd",
-	"openshift-etcd-operator",
-	"openshift-kube-apiserver",
-	"openshift-kube-apiserver-operator",
-	"openshift-kube-controller-manager",
-	"openshift-kube-controller-manager-operator",
-	"openshift-kube-proxy",
-	"openshift-kube-scheduler",
-	"openshift-kube-scheduler-operator",
-	"openshift-multus",
-	"openshift-network-operator",
-	"openshift-ovn-kubernetes",
-	"openshift-sdn",
-	"openshift-storage",
-)
-
-// systemNamespaces includes namespaces that should be treated as flaking.
-// these namespaces are included because we don't control their creation or labeling on their creation.
+// systemNamespaces are skipped because we don't control their creation or labeling.
 var systemNamespaces = sets.NewString(
 	"default",
 	"kube-system",
@@ -112,15 +81,7 @@ func (w *requiredSCCAnnotationChecker) CollectData(ctx context.Context, storageD
 
 	junits := []*junitapi.JUnitTestCase{}
 	for _, ns := range namespaces.Items {
-		// skip managed service namespaces
-		if exutil.ManagedServiceNamespaces.Has(ns.Name) {
-			continue
-		}
-
-		// require that all workloads in openshift, kube-*, or default namespaces must have the required-scc annotation
-		// ignore openshift-must-gather-* namespaces which are generated dynamically
-		isPermanentOpenShiftNamespace := (ns.Name == "openshift" || strings.HasPrefix(ns.Name, "openshift-")) && !strings.HasPrefix(ns.Name, "openshift-must-gather-")
-		if !strings.HasPrefix(ns.Name, "kube-") && ns.Name != "default" && !isPermanentOpenShiftNamespace {
+		if shouldSkipNamespace(&ns) {
 			continue
 		}
 
@@ -188,14 +149,6 @@ func (w *requiredSCCAnnotationChecker) CollectData(ctx context.Context, storageD
 				SystemOut:     failureMsg,
 				FailureOutput: &junitapi.FailureOutput{Output: failureMsg},
 			})
-
-		// add a successful test with the same name to cause a flake if the namespace should be flaking
-		if namespacesWithPendingSCCPinning.Has(ns.Name) || systemNamespaces.Has(ns.Name) {
-			junits = append(junits,
-				&junitapi.JUnitTestCase{
-					Name: testName,
-				})
-		}
 	}
 
 	return nil, junits, nil
@@ -217,6 +170,21 @@ func (w *requiredSCCAnnotationChecker) Cleanup(ctx context.Context) error {
 	return nil
 }
 
+func shouldSkipNamespace(ns *v1.Namespace) bool {
+	if exutil.ManagedServiceNamespaces.Has(ns.Name) {
+		return true
+	}
+	if systemNamespaces.Has(ns.Name) {
+		return true
+	}
+	if _, hasRunLevel := ns.Labels["openshift.io/run-level"]; hasRunLevel {
+		return true
+	}
+	if !strings.HasPrefix(ns.Name, "openshift-") || strings.HasPrefix(ns.Name, "openshift-must-gather-") {
+		return true
+	}
+	return false
+}
 func ownerReferences(pod *v1.Pod) string {
 	ownerRefs := make([]string, len(pod.OwnerReferences))
 	for i, or := range pod.OwnerReferences {