
[BUG] baseline pod security standard failures #8218

@ibrokethecloud

Description


Describe the Bug

VMs using device passthrough (PCIDevices, USB Devices, vGPU devices) fail to start as the pod is rejected by the baseline pod security standard.

This happens because the pcidevices controller injects SYS_RESOURCE capability into the virt-launcher pod.

This is not permitted as per documentation: https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline

The virt-controller pod contains the following error:

+ virt-controller-5dd599df-gdskc › virt-controller
virt-controller-5dd599df-gdskc virt-controller {"component":"virt-controller","level":"info","msg":"reenqueuing VirtualMachineInstance default/vf-demo","pos":"vmi.go:253","reason":"failed to create pod for vmi default/vf-demo, it needs a privileged namespace to run: pods \"virt-launcher-vf-demo-xhzlq\" is forbidden: violates PodSecurity \"baseline:latest\": non-default capabilities (container \"compute\" must not include \"SYS_RESOURCE\" in securityContext.capabilities.add)","timestamp":"2025-05-07T03:39:26.162004Z"}

To Reproduce

  • label a namespace, say default, with the pod security standard label as follows:
    kubectl label --overwrite ns default pod-security.kubernetes.io/enforce=baseline
  • provision a VM in the default namespace with a device attached
  • the VM fails to start as the virt-launcher pod is never created

Expected Behavior

Expected the VM to start successfully

Support Bundle for Troubleshooting

Not applicable

Environment

  • Harvester version: v1.5.0
  • Impacted VM:
  • Impacted volume (PV):
  • Underlying Infrastructure (e.g., Baremetal with Dell PowerEdge R630):
  • Rancher version: N/A

Additional context

No response

Workaround and Mitigation

No response
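The rejection quoted above is the Pod Security Admission check for added capabilities: the baseline profile permits only a fixed set of values in securityContext.capabilities.add, and SYS_RESOURCE is not in it. The following is an added example, not code from the Harvester or KubeVirt projects. It reproduces that check offline against constructed manifests (a namespace labelled as in the reproduction steps and a pod resembling the rejected virt-launcher pod, with a placeholder image), so an operator can pre-screen a pod spec before it is submitted, and it shows the remediated spec passing once the forbidden capability is removed. The allowed-capability lists are taken from the Pod Security Standards documentation; the assumption that an unlabelled namespace enforces the privileged level reflects the API server's default with no AdmissionConfiguration override.

```python
import copy

# Capabilities the baseline profile allows in securityContext.capabilities.add
# (from the Pod Security Standards documentation linked in the report).
BASELINE_ALLOWED_ADD = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
})
# The restricted profile only permits NET_BIND_SERVICE to be added back.
RESTRICTED_ALLOWED_ADD = frozenset({"NET_BIND_SERVICE"})
ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"

# Constructed sample objects (not captured from a real cluster). The pod mirrors the
# shape of the rejected virt-launcher pod: one "compute" container that was given
# SYS_RESOURCE. The image name is a placeholder.
SAMPLE_NAMESPACE = {
    "metadata": {"name": "default", "labels": {ENFORCE_LABEL: "baseline"}},
}
SAMPLE_POD = {
    "metadata": {"name": "virt-launcher-vf-demo-xhzlq", "namespace": "default"},
    "spec": {
        "containers": [{
            "name": "compute",
            "image": "virt-launcher:placeholder",
            "securityContext": {
                "capabilities": {"add": ["NET_BIND_SERVICE", "SYS_RESOURCE"]},
            },
        }],
    },
}


def enforce_level(namespace):
    """Return the enforced Pod Security level for a namespace object.

    Assumption: with no label and no cluster-wide AdmissionConfiguration default,
    the API server enforces 'privileged', i.e. no restrictions.
    """
    labels = namespace.get("metadata", {}).get("labels") or {}
    return labels.get(ENFORCE_LABEL, "privileged")


def _containers(pod):
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            yield container


def _added_caps(container):
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    return caps.get("add") or []


def capability_violations(pod, level):
    """List (container name, capability) pairs forbidden at the given level."""
    if level == "privileged":
        return []
    allowed = BASELINE_ALLOWED_ADD if level == "baseline" else RESTRICTED_ALLOWED_ADD
    return [
        (c["name"], cap)
        for c in _containers(pod)
        for cap in _added_caps(c)
        if cap not in allowed
    ]


def admit(namespace, pod):
    """Mimic the admission decision: (allowed, list of reasons in PSA wording)."""
    level = enforce_level(namespace)
    reasons = [
        f'container "{name}" must not include "{cap}" in securityContext.capabilities.add'
        for name, cap in capability_violations(pod, level)
    ]
    return (not reasons), reasons


def without_forbidden_caps(pod, level):
    """Return a copy of the pod with capabilities forbidden at `level` removed.

    This is the remediation for the reported failure: only capabilities the
    namespace's profile allows are left in securityContext.capabilities.add.
    """
    fixed = copy.deepcopy(pod)
    forbidden = {cap for _, cap in capability_violations(fixed, level)}
    for container in _containers(fixed):
        caps = (container.get("securityContext") or {}).get("capabilities") or {}
        if caps.get("add"):
            caps["add"] = [cap for cap in caps["add"] if cap not in forbidden]
    return fixed


if __name__ == "__main__":
    allowed, reasons = admit(SAMPLE_NAMESPACE, SAMPLE_POD)
    print("original pod admitted:", allowed, reasons)
    fixed = without_forbidden_caps(SAMPLE_POD, enforce_level(SAMPLE_NAMESPACE))
    print("remediated pod admitted:", admit(SAMPLE_NAMESPACE, fixed))
```

Run it as a script to see the original pod rejected with the same wording as the virt-controller log and the remediated copy admitted. To screen real manifests, load the namespace and pod objects with `kubectl get ... -o json` and pass the parsed dicts to `admit`; the check compares capability names exactly as they appear in the manifest, which matches how the admission controller evaluates them.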

Metadata

Labels

  • area/device-passthrough: PCI and other host devices passthrough
  • area/security: Security related
  • backport-needed/1.4.3
  • backport-needed/1.5.1
  • kind/bug: Issues that are defects reported by users or that we know have reached a real release
  • priority/0: Must be fixed in this release
  • severity/1: Function broken (a critical incident with very high impact)

Status
Closed
