OpenShift Bugs / OCPBUGS-31109

ephemeral permission is not added to restricted-v2 scc post-upgrade


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Minor
    • Affects Version/s: 4.12.z, 4.11.z
    • Component/s: apiserver-auth

Description of problem:

The 'ephemeral' volume type (under 'volumes') is not added to the restricted-v2 SCC when upgrading from 4.11.43 -> 4.12.40, although a fresh 4.12.40 install has it.

Version-Release number of selected component (if applicable):

4.11.43 -> 4.12.40

How reproducible:

100%, fresh install

Steps to Reproduce:

1. Install OpenShift 4.11.43
2. Check the restricted-v2 SCC permissions:

~~~
$ oc get scc restricted-v2 -o yaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    kubernetes.io/description: restricted-v2 denies access to all host features and
      requires pods to be run with a UID, and SELinux context that are allocated to
      the namespace. This is the most restrictive SCC and it is used by default for
      authenticated users. On top of the legacy 'restricted' SCC, it also requires
      to drop ALL capabilities and does not allow privilege escalation binaries. It
      will also default the seccomp profile to runtime/default if unset, otherwise
      this seccomp profile is required.
  creationTimestamp: "2024-02-29T17:55:21Z"
  generation: 1
  name: restricted-v2
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: 982bb000-3c27-41ff-b1c1-19f40d15e143
  resourceVersion: "1788"
  uid: 9e2cb8a3-2b96-4d30-85b3-675339df0c61
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
seccompProfiles:
- runtime/default
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
~~~
3. Upgrade to OpenShift 4.12.40 and check the permissions again: still the same (ephemeral missing).
4. Install OpenShift 4.12.40 fresh and check the permissions: ephemeral is present under volumes:

~~~
$ oc get scc restricted-v2 -o yaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    kubernetes.io/description: restricted-v2 denies access to all host features and
      requires pods to be run with a UID, and SELinux context that are allocated to
      the namespace. This is the most restrictive SCC and it is used by default for
      authenticated users. On top of the legacy 'restricted' SCC, it also requires
      to drop ALL capabilities and does not allow privilege escalation binaries. It
      will also default the seccomp profile to runtime/default if unset, otherwise
      this seccomp profile is required.
  creationTimestamp: "2024-02-29T18:36:57Z"
  generation: 1
  name: restricted-v2
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: 706d1d4c-0e5c-4a65-abd7-a5958b1c3afc
  resourceVersion: "1751"
  uid: 7fc011ca-e710-4e49-be42-ddd2ca28314a
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
seccompProfiles:
- runtime/default
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- ephemeral   # <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
- persistentVolumeClaim
- projected
- secret
~~~
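The comparison the reporter did by eye in steps 3 and 4 can be automated. The following is an added example, not code from the bug report or from OpenShift: a stdlib-only Python check that diffs the list fields of the live `restricted-v2` SCC against the copy a fresh install of the target release creates. The two JSON documents are constructed samples trimmed from the outputs above, and `scc_drift` and `report` are hypothetical helper names; on a real cluster feed it `oc get scc restricted-v2 -o json` from both sides.

```python
import json

# SCC fields that are unordered lists and that a release upgrade may extend.
LIST_FIELDS = ("volumes", "allowedCapabilities", "requiredDropCapabilities")

# Constructed sample, trimmed from the 4.11.43 -> 4.12.40 upgraded cluster: no 'ephemeral'.
UPGRADED_SCC = json.loads("""{
  "kind": "SecurityContextConstraints", "metadata": {"name": "restricted-v2"},
  "allowedCapabilities": ["NET_BIND_SERVICE"],
  "requiredDropCapabilities": ["ALL"],
  "volumes": ["configMap", "downwardAPI", "emptyDir",
              "persistentVolumeClaim", "projected", "secret"]}""")

# Constructed sample: the same object on a fresh 4.12.40 install.
FRESH_SCC = json.loads("""{
  "kind": "SecurityContextConstraints", "metadata": {"name": "restricted-v2"},
  "allowedCapabilities": ["NET_BIND_SERVICE"],
  "requiredDropCapabilities": ["ALL"],
  "volumes": ["configMap", "downwardAPI", "emptyDir", "ephemeral",
              "persistentVolumeClaim", "projected", "secret"]}""")


def scc_drift(expected, actual, fields=LIST_FIELDS):
    """Return {field: {"missing": [...], "extra": [...]}} for each list field where
    `actual` differs from `expected`. 'missing' is what the upgrade failed to add;
    'extra' widens the SCC beyond the release default and deserves a closer look."""
    drift = {}
    for field in fields:
        want = set(expected.get(field) or [])
        have = set(actual.get(field) or [])
        if want != have:
            drift[field] = {"missing": sorted(want - have),
                            "extra": sorted(have - want)}
    return drift


def report(expected, actual):
    """One line per drifted field, usable in an upgrade checklist."""
    name = actual.get("metadata", {}).get("name", "?")
    drift = scc_drift(expected, actual)
    if not drift:
        return f"scc/{name}: no drift"
    lines = [f"scc/{name}: DRIFT"]
    for field, d in drift.items():
        lines.append(f"  {field}: missing={d['missing']} extra={d['extra']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(FRESH_SCC, UPGRADED_SCC))
```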

Actual results:

See above: after the upgrade the restricted-v2 SCC still lacks 'ephemeral' under 'volumes'.

Expected results:

The restricted-v2 SCC should be updated on upgrade so that it matches a fresh 4.12.40 install, including 'ephemeral' under 'volumes'.

Additional info:

People: Stanislav Laznicka (slaznick@redhat.com), Dennis Taraborelli (rhn-support-dtarabor), Deepak Punia