Feat/add scc howto #797

Merged: mysekai7 merged 6 commits into master from feat/add_scc_howto on May 18, 2026
Conversation


@mysekai7 mysekai7 commented May 15, 2026

Summary by CodeRabbit

  • Documentation
    • Added a comprehensive guide for applying OpenShift-style SecurityContextConstraints on Kubernetes: example SCC profiles, admission enforcement setup, safe rollout (Warn → Fix → Deny), verification steps, end-user workflows for binding SCCs to service accounts/users/groups, ways to pin SCCs on pods, troubleshooting guidance, and an optional policy exception pattern.


coderabbitai Bot commented May 15, 2026

Warning

Rate limit exceeded

@mysekai7 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 25 minutes and 23 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6a87dd40-6f14-4440-b30e-c1680f70895d

📥 Commits

Reviewing files that changed from the base of the PR and between c54e9f5 and 6e963e2.

📒 Files selected for processing (1)
  • docs/en/security/security_and_compliance/compliance/howto/security_context_constraints.md

Walkthrough

Adds a how‑to for OpenShift-style SecurityContextConstraints on Kubernetes: CRD, 13 example SCC profiles, Kyverno enforcement with caching and RBAC reader binding, mutating/validating policies, rollout/verification steps, binding workflows, troubleshooting, and reference material.

Changes

SCC Implementation Guide

Layer (file, lines) and summary:

  • Purpose and architecture overview (docs/en/security/.../security_context_constraints.md, lines 1–61): Introduces the guide's purpose, SCC model, and overall architecture: CRD, RBAC bindings, Kyverno mutating/validating policies, and GlobalContextEntry caching.
  • CRD definition and built-in SCC profiles (docs/en/security/.../security_context_constraints.md, lines 62–966): Defines the SecurityContextConstraints CRD with schema/validations and printer columns, and provides 13 example SCC profiles (restricted/nonroot/hostNetwork/anyuid/privileged variants) with apply and verification instructions.
  • Enforcement: caches, RBAC reader, and Kyverno policies (docs/en/security/.../security_context_constraints.md, lines 967–1907): Adds five GlobalContextEntry caches, the kyverno-scc-reader ClusterRole/Binding (including pods/ephemeralcontainers), the scc-auto-pick ValidatingPolicy (selection and deny logic, alauda.io/required-scc support), and the scc-fill-defaults MutatingPolicy (records alauda.io/scc, fills runAsUser, seccompProfile, allowPrivilegeEscalation).
  • Binding workflow and pinning (docs/en/security/.../security_context_constraints.md, lines 1909–2134): Describes RBAC binding examples for ServiceAccounts/Users/Groups (including optional labeling and synthesized groups), controller/PodTemplate usage, and pinning a specific SCC via alauda.io/required-scc with its constraints.
  • Verification and rollout guidance (docs/en/security/.../security_context_constraints.md, lines 2135–2167): Rollout guidance (Warn → Fix → Deny), readiness checks for CRDs/policies/caches, and verification steps for authorization (kubectl auth can-i) and admission outcomes (alauda.io/scc annotation).
  • Results checklist, troubleshooting, and learn more (docs/en/security/.../security_context_constraints.md, lines 2168–2246): Results checklist, troubleshooting table mapping symptoms to causes and remediations, PolicyException bypass pattern, SCC selection ranking rules, OpenShift-to-kubectl RBAC translations, and next operational steps including latency monitoring.

Sequence Diagram

sequenceDiagram
  participant Pod as PodAdmissionRequest
  participant Kyverno as Kyverno (mutating/validating policies)
  participant Caches as GlobalContextEntry caches (SCC, RBAC lookups)
  participant K8sAPI as Kubernetes API (CRD & RBAC)

  Pod->>Kyverno: admission request (create/update Pod)
  Kyverno->>Caches: query SCC and RBAC caches
  Caches->>K8sAPI: fetch CRD/RBAC objects as needed
  K8sAPI->>Caches: return SCC/Role/Binding results
  Caches->>Kyverno: resolved SCCs & access grants
  Kyverno->>Kyverno: apply scc-fill-defaults (mutate) / evaluate scc-auto-pick (validate)
  Kyverno->>Pod: admit (with alauda.io/scc) or deny

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 In patches of docs I softly cheer,

CRDs, policies, and caches near,
Kyverno threads the SCC seam,
Bindings hum and audits gleam,
A rabbit hops—secure cluster, clear!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Title check: ❓ Inconclusive. The title 'Feat/add scc howto' is related to the changeset but is vague and uses abbreviations without clarity. While it references 'scc' and 'howto', it lacks specificity about what SecurityContextConstraints functionality is being documented. Resolution: use a more descriptive title like 'Add SecurityContextConstraints implementation guide for Kyverno' to clearly convey what the documentation covers.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@docs/en/security/security_and_compliance/compliance/howto/security_context_constraints.md`:
- Around line 1162-1168: The prose describing skipped namespaces is out of sync
with the policy expression that checks request.namespace (e.g.,
request.namespace.startsWith('kube-'), request.namespace.startsWith('cpaas-'),
request.namespace.startsWith('alauda-'), request.namespace == 'kyverno',
request.namespace == 'cattle-system', request.namespace == 'operators',
request.namespace == 'default'); reconcile them by either updating the
human-readable paragraph to list all skipped namespaces/prefixes (kube-*,
cpaas-*, alauda-*, kyverno, cattle-system, operators, default) or by removing
the extra checks (cpaas-*, alauda-*, operators) from the policy expression so
the prose and the policy match; pick the intended behavior and make the
corresponding change in the explanatory text or the policy expression.
- Around line 742-744: The doc incorrectly implies pods will pick the most
restrictive SCC, but the current example and values (anyuid with priority: 10,
restrictiveScore: 60 and restricted-v2) cause selection to favor priority over
restrictiveness; update the text in Step 2.2 and any referenced examples
(mentions of anyuid, restricted-v2, priority, restrictiveScore) to either (a)
change the numeric priority/restrictiveScore values so the example demonstrates
the “most restrictive acceptable” outcome, or (b) explicitly state that priority
takes precedence over restrictiveScore and adjust the narrative and example to
reflect that behavior.
- Around line 2004-2005: The sentence about ClusterRoleBinding is misleading:
change the wording so it states that a ClusterRoleBinding binds a single
namespaced ServiceAccount subject (formatted as
system:serviceaccount:<namespace>:<name>) and grants that ServiceAccount
cluster-wide permissions; replace "cover the ServiceAccount across all
namespaces" with a phrase like "grant a ServiceAccount cluster-wide permissions"
and add a short clarifying note contrasting this with a namespaced RoleBinding.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bf8cf3d0-2b79-4af0-8ef6-17ec63992e45

📥 Commits

Reviewing files that changed from the base of the PR and between 243557f and a549a78.

📒 Files selected for processing (1)
  • docs/en/security/security_and_compliance/compliance/howto/security_context_constraints.md
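The first two review findings above (the namespace-skip expression that drifted from its prose, and selection favouring `priority` over `restrictiveScore`) are easier to reason about with a small executable model. The block below is an added example, not code from this PR or from the documented Kyverno policies: it re-implements the `request.namespace` checks quoted in the review as a Python predicate, and puts the two candidate SCC rankings side by side so the behavioural difference the reviewer points out is visible on concrete input. The `anyuid` numbers (`priority: 10`, `restrictiveScore: 60`) come from the review; every other profile value, the simplified `admits()` rules, and the assumption that a higher `restrictiveScore` means a more restrictive profile are constructed for illustration and go beyond what the page states.

```python
"""Model of the scc-auto-pick selection logic discussed in the review.

Added example, not the PR's or the documented policy's code. Only anyuid's
priority/restrictiveScore values are taken from the review comment; the other
profiles, UID rules and ranking functions are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Namespaces the ValidatingPolicy expression skips, as listed in the review
# (kube-*, cpaas-*, alauda-*, kyverno, cattle-system, operators, default).
SKIPPED_PREFIXES = ("kube-", "cpaas-", "alauda-")
SKIPPED_NAMES = {"kyverno", "cattle-system", "operators", "default"}


def is_skipped_namespace(namespace: str) -> bool:
    """Python equivalent of the CEL checks on request.namespace."""
    return namespace in SKIPPED_NAMES or namespace.startswith(SKIPPED_PREFIXES)


@dataclass(frozen=True)
class SCC:
    name: str
    priority: int
    restrictive_score: int      # assumption: higher == more restrictive
    allow_any_uid: bool         # True: runAsUser unconstrained (anyuid-style)
    allow_privileged: bool = False


@dataclass
class PodSpec:
    run_as_user: Optional[int]  # None: image default, i.e. root unless mutated
    privileged: bool = False


def admits(scc: SCC, pod: PodSpec) -> bool:
    """Does this SCC accept the pod as written? Constructed, simplified rules."""
    if pod.privileged and not scc.allow_privileged:
        return False
    if not scc.allow_any_uid:
        # MustRunAsNonRoot-style profile: an explicit non-root UID is required.
        if pod.run_as_user is None or pod.run_as_user == 0:
            return False
    return True


def select_by_priority(granted: List[SCC], pod: PodSpec) -> Optional[SCC]:
    """Ranking the review says the example actually demonstrates:
    highest priority wins, restrictiveScore only breaks ties."""
    candidates = [s for s in granted if admits(s, pod)]
    if not candidates:
        return None  # no admissible SCC: the policy denies the pod
    return max(candidates, key=lambda s: (s.priority, s.restrictive_score))


def select_most_restrictive(granted: List[SCC], pod: PodSpec) -> Optional[SCC]:
    """Ranking the prose promises: the most restrictive admissible SCC wins,
    priority only breaks ties."""
    candidates = [s for s in granted if admits(s, pod)]
    if not candidates:
        return None
    return max(candidates, key=lambda s: (s.restrictive_score, s.priority))


# Constructed profiles; anyuid's numbers are the ones quoted in the review.
RESTRICTED_V2 = SCC("restricted-v2", priority=0, restrictive_score=100,
                    allow_any_uid=False)
ANYUID = SCC("anyuid", priority=10, restrictive_score=60, allow_any_uid=True)
PRIVILEGED = SCC("privileged", priority=0, restrictive_score=0,
                 allow_any_uid=True, allow_privileged=True)


if __name__ == "__main__":
    granted = [RESTRICTED_V2, ANYUID]       # what the SA's RBAC bindings allow
    nonroot_pod = PodSpec(run_as_user=1000)  # would satisfy restricted-v2
    print("by priority:       ", select_by_priority(granted, nonroot_pod).name)
    print("most restrictive:  ", select_most_restrictive(granted, nonroot_pod).name)
    print("skip kube-system?  ", is_skipped_namespace("kube-system"))
```

With a ServiceAccount granted both `restricted-v2` and `anyuid`, a pod that explicitly runs as UID 1000 lands on `anyuid` under the priority-first ranking but on `restricted-v2` under the restrictiveness-first ranking; a pod with no `runAsUser` set lands on `anyuid` under both, and a privileged pod with neither profile allowing it is denied. That is exactly the divergence the review asks the doc to resolve, either by changing the numbers or by stating that priority wins.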

cloudflare-workers-and-pages Bot commented May 15, 2026

Deploying alauda-container-platform with Cloudflare Pages

Latest commit: 6e963e2
Status: ✅  Deploy successful!
Preview URL: https://21ce129f.alauda-container-platform.pages.dev
Branch Preview URL: https://feat-add-scc-howto.alauda-container-platform.pages.dev


@mysekai7 mysekai7 force-pushed the feat/add_scc_howto branch from c75334d to c54e9f5 on May 18, 2026 03:54
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@docs/en/security/security_and_compliance/compliance/howto/security_context_constraints.md`:
- Line 1937: The example text stating the image "runs as root (UID 999)" is
incorrect; update the sentence referencing the ServiceAccount
`databases/postgres-sa` so it correctly states the image runs as root with UID 0
(e.g., change "runs as root (UID 999)" to "runs as root (UID 0)") to avoid
misleading SCC selection guidance.
- Line 965: Update the sentence that says "You should see all 13 profiles listed
with their `Priority`, `Score`, and `PSA` columns populated" because the CRD
shown in this document does not define a `PSA` printerColumn; either remove
`PSA` from the expected columns in that `kubectl get scc` verification text or
explicitly add guidance to modify the CRD to include a `PSA` printerColumn.
Refer to the `kubectl get scc` expectation and the CRD definition in the doc
when making the change (adjust the verification text or the CRD's printerColumns
accordingly).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8c073c45-cbad-4a00-a9fb-050396dba7a0

📥 Commits

Reviewing files that changed from the base of the PR and between a549a78 and c54e9f5.

📒 Files selected for processing (1)
  • docs/en/security/security_and_compliance/compliance/howto/security_context_constraints.md

@mysekai7 mysekai7 merged commit 42f8f2d into master May 18, 2026
3 checks passed
@mysekai7 mysekai7 deleted the feat/add_scc_howto branch May 18, 2026 04:56