disable scc.podSecurityLabelSync on the addon-operator namespace to prevent broad SCCs and CRBs from downgrading the pod-security labels in this namespace

[erdii]

What type of PR is this?

(bug/feature/cleanup/documentation/test/refactor)

What this PR does / why we need it?

Which Jira/Github issue(s) this PR fixes?

Fixes #

Special notes for your reviewer:

Pre-checks (if applicable):

• Tested latest changes against a cluster
• Ran make go-test command locally to run all the unit tests and mock tests locally.
• Included documentation changes with PR

Summary by CodeRabbit

• Chores
  • Updated namespace configuration to disable automatic pod security label synchronization. This infrastructure change modifies how security policies are applied to containers and affects the overall security compliance state of the namespace. Associated documentation updates and remediation references have been included to support operations and compliance requirements.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: de834835-a7be-467b-a61c-bbd1705bacbc

📥 Commits

Reviewing files that changed from the base of the PR and between d2df6fc and 0067c8e.

📒 Files selected for processing (1)

• deploy_pko/Namespace-openshift-addon-operator.yaml

---

Walkthrough

A Kubernetes Namespace manifest for the OpenShift addon operator is updated to disable automatic SCC pod security label synchronization by toggling the security.openshift.io/scc.podSecurityLabelSync label from "true" to "false", with an inline comment added referencing a remediation issue.

Changes

Cohort / File(s)	Summary
Kubernetes Configuration deploy_pko/Namespace-openshift-addon-operator.yaml	Updated security.openshift.io/scc.podSecurityLabelSync label from "true" to "false" to disable automatic SCC pod security label synchronization. Inline comment added referencing remediation issue.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and clearly describes the main change: disabling scc.podSecurityLabelSync on the addon-operator namespace and its purpose of preventing pod-security label downgrades.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The custom check regarding stable and deterministic Ginkgo test names is not applicable to this pull request. The PR only modifies a Kubernetes manifest file, not test files.
Test Structure And Quality	✅ Passed	The custom check for Test Structure and Quality is not applicable to this PR as only a Kubernetes manifest file was modified with no test-related changes.
Microshift Test Compatibility	✅ Passed	PR only modifies Kubernetes manifest configuration file, not Ginkgo e2e tests. MicroShift Test Compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR does not add any new Ginkgo e2e tests, only modifies a Kubernetes manifest file. Custom check for SNO compatibility is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	Pull request modifies only Kubernetes Namespace manifest, setting security label to disable pod security label synchronization without introducing scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	This PR exclusively modifies a Kubernetes YAML manifest file, changing a namespace label value and adding an inline comment. No Go source files, binary entry points, or logging operations were modified, so there are no OTE Binary Stdout Contract violations.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR modifies only a Kubernetes Namespace manifest file, toggling a label value and adding a comment. The custom check applies exclusively when new Ginkgo e2e tests are added. Since this PR contains no test code additions, the check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch disable-ps-namespace-sync

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.24%. Comparing base (d2df6fc) to head (0067c8e).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #719   +/-   ##
=======================================
  Coverage   59.24%   59.24%           
=======================================
  Files          62       62           
  Lines        4125     4125           
=======================================
  Hits         2444     2444           
  Misses       1532     1532           
  Partials      149      149           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: eqrx, erdii

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [eqrx,erdii]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@erdii: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.