From 2dec6f9325a945b14291e299773e5d291b1605dc Mon Sep 17 00:00:00 2001
From: Ronaldo Campos
Date: Wed, 5 Nov 2025 22:07:28 +0000
Subject: [PATCH] Missing SCC Role bindings for redis and api-server
---
 ...curity-context-constraint-rolebinding.yaml | 8 +++++++
 .../security/test_scc_rolebinding.py | 24 +++++++++++--------
 2 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/chart/templates/rbac/security-context-constraint-rolebinding.yaml b/chart/templates/rbac/security-context-constraint-rolebinding.yaml
index 3a070a38b479c..869798013af83 100644
--- a/chart/templates/rbac/security-context-constraint-rolebinding.yaml
+++ b/chart/templates/rbac/security-context-constraint-rolebinding.yaml
@@ -71,6 +71,9 @@ subjects:
 - kind: ServiceAccount
 name: {{ include "scheduler.serviceAccountName" . }}
 namespace: "{{ .Release.Namespace }}"
+ - kind: ServiceAccount
+ name: {{ include "apiServer.serviceAccountName" . }}
+ namespace: "{{ .Release.Namespace }}"
 {{- if and .Values.statsd.enabled }}
 - kind: ServiceAccount
 name: {{ include "statsd.serviceAccountName" . }}
@@ -81,6 +84,11 @@ subjects:
 name: {{ include "flower.serviceAccountName" . }}
 namespace: "{{ .Release.Namespace }}"
 {{- end }}
+ {{- if .Values.redis.enabled }}
+ - kind: ServiceAccount
+ name: {{ include "redis.serviceAccountName" . }}
+ namespace: "{{ .Release.Namespace }}"
+ {{- end }}
 {{- if and (semverCompare ">=2.2.0" .Values.airflowVersion) }}
 - kind: ServiceAccount
 name: {{ include "triggerer.serviceAccountName" . }}
diff --git a/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py b/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
index 76e7b7d2183d1..ac4ff8d078949 100644
--- a/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
+++ b/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
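Review bot: The new api-server subject in the first hunk is added unconditionally, while every other optional component in this list — statsd, flower, the new redis entry in the second hunk, and the triggerer — is gated on its enablement flag or on `.Values.airflowVersion`. If the api-server ServiceAccount is itself only rendered for some configurations (presumably under the same version gate its own templates carry, which is outside this diff), the RoleBinding would grant SCC use to a ServiceAccount name that does not exist in that release; RBAC subjects are matched by name, so such a dangling grant becomes live for whatever later creates a ServiceAccount of that name. Wrapping the three added lines the way the triggerer entry is wrapped keeps the binding's subject set equal to the set of components actually deployed, e.g. `{{- if semverCompare "<API_SERVER_MIN_VERSION>" .Values.airflowVersion }}` before `- kind: ServiceAccount` and `{{- end }}` after the namespace line, with the bound copied from the api-server templates. The redis guard in the second hunk already follows that pattern and needs no change.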
@@ -55,13 +55,15 @@ def test_create_scc(self, rbac_enabled, scc_enabled, created):
 assert jmespath.search("subjects[0].name", docs[0]) == "release-name-airflow-webserver"
 assert jmespath.search("subjects[1].name", docs[0]) == "release-name-airflow-worker"
 assert jmespath.search("subjects[2].name", docs[0]) == "release-name-airflow-scheduler"
- assert jmespath.search("subjects[3].name", docs[0]) == "release-name-airflow-statsd"
- assert jmespath.search("subjects[4].name", docs[0]) == "release-name-airflow-flower"
- assert jmespath.search("subjects[5].name", docs[0]) == "release-name-airflow-triggerer"
- assert jmespath.search("subjects[6].name", docs[0]) == "release-name-airflow-migrate-database-job"
- assert jmespath.search("subjects[7].name", docs[0]) == "release-name-airflow-create-user-job"
- assert jmespath.search("subjects[8].name", docs[0]) == "release-name-airflow-cleanup"
- assert jmespath.search("subjects[9].name", docs[0]) == "release-name-airflow-dag-processor"
+ assert jmespath.search("subjects[3].name", docs[0]) == "release-name-airflow-api-server"
+ assert jmespath.search("subjects[4].name", docs[0]) == "release-name-airflow-statsd"
+ assert jmespath.search("subjects[5].name", docs[0]) == "release-name-airflow-flower"
+ assert jmespath.search("subjects[6].name", docs[0]) == "release-name-airflow-redis"
+ assert jmespath.search("subjects[7].name", docs[0]) == "release-name-airflow-triggerer"
+ assert jmespath.search("subjects[8].name", docs[0]) == "release-name-airflow-migrate-database-job"
+ assert jmespath.search("subjects[9].name", docs[0]) == "release-name-airflow-create-user-job"
+ assert jmespath.search("subjects[10].name", docs[0]) == "release-name-airflow-cleanup"
+ assert jmespath.search("subjects[11].name", docs[0]) == "release-name-airflow-dag-processor"
 @pytest.mark.parametrize(
 "rbac_enabled,scc_enabled,created,namespace,expected_name",
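Review bot: The index-by-index assertions here, and again in test_create_scc_worker_only in the next hunk, have to be renumbered every time a subject is inserted in the middle of the list, which is exactly what this commit does for nine lines that did not change in meaning. Comparing the rendered names as one list states the intended subject set in one place and turns the next insertion into a one-token change, e.g. `assert [s["name"] for s in docs[0]["subjects"]] == [f"release-name-airflow-{c}" for c in ("webserver", "worker", "scheduler", "api-server", "statsd", "flower", "redis", "triggerer", "migrate-database-job", "create-user-job", "cleanup", "dag-processor")]`. This is a point about how the test is written; the values it pins match the order the template now renders. test_create_scc begins above this hunk, so the `docs` it renders are not visible here.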
@@ -118,6 +120,8 @@ def test_create_scc_worker_only(self, rbac_enabled, scc_enabled, created):
 assert jmespath.search("subjects[0].name", docs[0]) == "release-name-airflow-webserver"
 assert jmespath.search("subjects[1].name", docs[0]) == "release-name-airflow-worker"
 assert jmespath.search("subjects[2].name", docs[0]) == "release-name-airflow-scheduler"
- assert jmespath.search("subjects[3].name", docs[0]) == "release-name-airflow-triggerer"
- assert jmespath.search("subjects[4].name", docs[0]) == "release-name-airflow-migrate-database-job"
- assert len(docs[0]["subjects"]) == 5
+ assert jmespath.search("subjects[3].name", docs[0]) == "release-name-airflow-api-server"
+ assert jmespath.search("subjects[4].name", docs[0]) == "release-name-airflow-redis"
+ assert jmespath.search("subjects[5].name", docs[0]) == "release-name-airflow-triggerer"
+ assert jmespath.search("subjects[6].name", docs[0]) == "release-name-airflow-migrate-database-job"
+ assert len(docs[0]["subjects"]) == 7
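Review bot: Neither this test nor test_create_scc exercises the negative side of the new `{{- if .Values.redis.enabled }}` guard: both expect `release-name-airflow-redis` in the subjects, so they only show the binding appears when redis is on, and a regression that kept the redis ServiceAccount in the SCC binding after redis is disabled would pass unnoticed. That absence is the least-privilege property the guard exists for, so a small additional case rendering with `redis.enabled` set to false and asserting `"release-name-airflow-redis" not in [s["name"] for s in docs[0]["subjects"]]` (with the length assertion lowered to match) would pin it. I am inferring that the values this test renders with leave redis enabled from the expected names, since the render call and its values are above the hunk; test_create_scc_worker_only begins outside it.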