Allow for configuring default container/pod SecurityContext in CheCluster CR #22307
Labels: area/che-operator, kind/enhancement, severity/P1
Is your enhancement related to a problem? Please describe
Currently, there is no way to set the default pod security context or container security context used by workspaces from the Che Cluster CR.
If Che users want to configure the default pod security context or container security context used by workspaces, they have to modify the Che-owned DWOC and set the corresponding fields there. However, Che-Operator will automatically configure the
Describe the solution you'd like
It'd be better to allow for configuring the default pod security context or container security context used by workspaces through the Che Cluster CR.
When the `containerSecurityContext` or `podSecurityContext` is configured in the Che Cluster CR, we have to make sure it doesn't have any problematic interactions with the container-build SCC if `disableContainerBuildCapabilities` is set to `false` (i.e. when container builds are enabled). For instance, it would be invalid to set `allowPrivilegeEscalation: false` through the `containerSecurityContext` when container builds are enabled. IIRC:
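As an added check (example code, not part of che-operator or of this issue), a standalone validator for the interaction described above: given a CheCluster CR and optionally the Che-owned DWOC, it flags `allowPrivilegeEscalation: false` in the effective default `containerSecurityContext` while container builds are enabled. The CR paths under `spec.devEnvironments.security`, the "absent flag means builds disabled" default and the CR-over-DWOC precedence are assumptions of the example; the DWOC path is the one named in this issue.

```python
from typing import Any, Optional

# Assumed CheCluster CR paths (the issue proposes the security fields but does not
# fix their final location); the DWOC path is the one named in the issue text.
BUILDS_DISABLED_PATH = ("spec", "devEnvironments", "disableContainerBuildCapabilities")
CR_CONTAINER_SC_PATH = ("spec", "devEnvironments", "security", "containerSecurityContext")
DWOC_CONTAINER_SC_PATH = ("config", "workspace", "containerSecurityContext")


def lookup(doc: Any, path: tuple, default: Any = None) -> Any:
    """Walk nested dicts along path, returning default when any key is absent."""
    cur = doc
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def container_builds_enabled(che_cluster: dict) -> bool:
    """True only when disableContainerBuildCapabilities is explicitly false;
    treating an absent flag as 'builds disabled' is an assumption of this example."""
    return lookup(che_cluster, BUILDS_DISABLED_PATH, default=True) is False


def validate(che_cluster: dict, dwoc: Optional[dict] = None) -> list:
    """Return conflicts between the effective default containerSecurityContext and
    the container-build SCC; an empty list means no conflict was found."""
    if not container_builds_enabled(che_cluster):
        return []  # no container-build SCC in play, so nothing to conflict with
    # Assumption: a value in the CheCluster CR wins over the Che-owned DWOC, since
    # the issue says Che-Operator overwrites the DWOC field itself.
    csc = lookup(che_cluster, CR_CONTAINER_SC_PATH)
    if csc is None and dwoc is not None:
        csc = lookup(dwoc, DWOC_CONTAINER_SC_PATH)
    problems = []
    if isinstance(csc, dict) and csc.get("allowPrivilegeEscalation") is False:
        problems.append("containerSecurityContext.allowPrivilegeEscalation=false is invalid "
                        "while disableContainerBuildCapabilities=false (builds enabled)")
    return problems


# Constructed sample objects, not taken from a real cluster.
NO_ESCALATION = {"allowPrivilegeEscalation": False}
CR_BUILDS_ON = {"spec": {"devEnvironments": {"disableContainerBuildCapabilities": False,
                                             "security": {"containerSecurityContext": NO_ESCALATION}}}}
CR_BUILDS_OFF = {"spec": {"devEnvironments": {"disableContainerBuildCapabilities": True,
                                              "security": {"containerSecurityContext": NO_ESCALATION}}}}
CR_BUILDS_ON_NO_SC = {"spec": {"devEnvironments": {"disableContainerBuildCapabilities": False}}}
DWOC_NO_ESCALATION = {"config": {"workspace": {"containerSecurityContext": NO_ESCALATION}}}
```

Running `validate(CR_BUILDS_ON)` reports the conflict, `validate(CR_BUILDS_OFF)` reports nothing, and `validate(CR_BUILDS_ON_NO_SC, DWOC_NO_ESCALATION)` shows the same conflict coming from the DWOC-only workaround.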
Describe alternatives you've considered
The podSecurityContext field `config.workspace.podSecurityContext` can be set by the user in the Che-owned DWOC to set a default pod security context to be used by workspaces. However, the Che-Operator will automatically configure the containerSecurityContext field `config.workspace.containerSecurityContext`, so there is no workaround for configuring the default workspace container security context.
Additional context
Downstream issue