rancher · brandond · Nov 23, 2023 · Aug 24, 2023 · Aug 25, 2023 · Aug 30, 2023
diff --git a/oryxBuildBinary b/oryxBuildBinary
diff --git a/pkg/apis/upgrade.cattle.io/v1/types.go b/pkg/apis/upgrade.cattle.io/v1/types.go
@@ -60,12 +60,13 @@ type PlanStatus struct {
 
 // ContainerSpec is a simplified container template.
 type ContainerSpec struct {
-	Image   string                 `json:"image,omitempty"`
-	Command []string               `json:"command,omitempty"`
-	Args    []string               `json:"args,omitempty"`
-	Env     []corev1.EnvVar        `json:"envs,omitempty"`
-	EnvFrom []corev1.EnvFromSource `json:"envFrom,omitempty"`
-	Volumes []VolumeSpec           `json:"volumes,omitempty"`
+	Image           string                  `json:"image,omitempty"`
+	Command         []string                `json:"command,omitempty"`
+	Args            []string                `json:"args,omitempty"`
+	Env             []corev1.EnvVar         `json:"envs,omitempty"`
+	EnvFrom         []corev1.EnvFromSource  `json:"envFrom,omitempty"`
+	Volumes         []VolumeSpec            `json:"volumes,omitempty"`
+	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
 }
 
 type VolumeSpec struct {

diff --git a/pkg/apis/upgrade.cattle.io/v1/zz_generated_deepcopy.go b/pkg/apis/upgrade.cattle.io/v1/zz_generated_deepcopy.go
diff --git a/pkg/upgrade/job/job.go b/pkg/upgrade/job/job.go
@@ -245,6 +245,7 @@ func New(plan *upgradeapiv1.Plan, node *corev1.Node, controllerName string) *bat
 				upgradectr.WithPlanEnvironment(plan.Name, plan.Status),
 				upgradectr.WithImagePullPolicy(ImagePullPolicy),
 				upgradectr.WithVolumes(plan.Spec.Upgrade.Volumes),
+				upgradectr.WithSecurityContext(plan.Spec.Upgrade.SecurityContext),
 			),
 		)
 	}
@@ -319,18 +320,28 @@ func New(plan *upgradeapiv1.Plan, node *corev1.Node, controllerName string) *bat
 		)
 	}
 
+	// Check if SecurityContext from the Plan is non-nil
+	securityContext := &corev1.SecurityContext{
+		Privileged: &Privileged,
+		Capabilities: &corev1.Capabilities{
+			Add: []corev1.Capability{
+				corev1.Capability("CAP_SYS_BOOT"),
+			},
+		},
+	}
+	if plan.Spec.Upgrade.SecurityContext != nil {
+		securityContext = plan.Spec.Upgrade.SecurityContext
+	}
+
+	if plan.Spec.Upgrade.SecurityContext.SELinuxOptions != nil {
+		securityContext.SELinuxOptions = plan.Spec.Upgrade.SecurityContext.SELinuxOptions
+	}
+
 	// and finally, we upgrade
 	podTemplate.Spec.Containers = []corev1.Container{
 		upgradectr.New("upgrade", *plan.Spec.Upgrade,
 			upgradectr.WithLatestTag(plan.Status.LatestVersion),
-			upgradectr.WithSecurityContext(&corev1.SecurityContext{
-				Privileged: &Privileged,
-				Capabilities: &corev1.Capabilities{
-					Add: []corev1.Capability{
-						corev1.Capability("CAP_SYS_BOOT"),
-					},
-				},
-			}),
+			upgradectr.WithSecurityContext(securityContext),
 			upgradectr.WithSecrets(plan.Spec.Secrets),
 			upgradectr.WithPlanEnvironment(plan.Name, plan.Status),
 			upgradectr.WithImagePullPolicy(ImagePullPolicy),