fix: configure security context for pods with pvc

[osmman]

Summary by Sourcery

Standardize security contexts for operator-managed pods by introducing a generic PodSecurityContext ensure function, removing legacy OpenShift-specific SCC logic, and applying consistent security defaults across Trillian, TUF, and Rekor workloads.

Enhancements:

• Add ensure.PodSecurityContext to apply non-root, FSGroup, and seccomp defaults to any PodSpec
• Remove GetOpenshiftPodSecurityContextRestricted and related OpenShift-specific imports and fallbacks
• Apply the new PodSecurityContext mutator to Trillian DB deployments, TUF deployments and init jobs, and Rekor statefulsets and deployments

Tests:

• Update TUF e2e test to assert PodSecurityContext is set on the init job

[sourcery-ai]

Reviewer's Guide

This PR centralizes pod security context configuration by introducing a generic helper that enforces run-as-non-root, disables privilege escalation, applies a default FSGroup for non-OpenShift clusters, and sets the runtime-default seccomp profile; it removes the legacy OpenShift-specific logic and updates all operator-managed workloads (Trillian DB, TUF deployments and init jobs, Rekor server and statefulset) to use the new helper, as well as adjusts the e2e TUF test to verify the security context.

Sequence diagram for applying PodSecurityContext to operator-managed workloads

sequenceDiagram
    participant Controller
    participant Workload (e.g. Deployment/StatefulSet/Job)
    participant Ensure
    Controller->>Workload: Create or update workload
    Workload->>Ensure: Call PodSecurityContext helper
    Ensure-->>Workload: Apply security context (runAsNonRoot, no privilege escalation, FSGroup, seccomp)
    Workload-->>Controller: Workload created/updated with enforced security context

Loading

Class diagram for PodSecurityContext enforcement changes

classDiagram
    class Ensure {
        +PodSecurityContext(podSpec)
    }
    class Deployment {
        +PodSecurityContext()
    }
    Ensure <|-- Deployment
    Deployment : +PodSecurityContext() calls Ensure.PodSecurityContext
    class TrillianDbDeployment {
        -removed: GetOpenshiftPodSecurityContextRestricted
        +uses: Deployment.PodSecurityContext
    }
    class TufDeployment {
        +uses: Deployment.PodSecurityContext
    }
    class TufInitJob {
        +uses: Ensure.PodSecurityContext
    }
    class RekorServerDeployment {
        +uses: Deployment.PodSecurityContext
    }
    class RekorMonitorStatefulSet {
        +uses: Ensure.PodSecurityContext
    }
    TrillianDbDeployment --> Deployment
    TufDeployment --> Deployment
    TufInitJob --> Ensure
    RekorServerDeployment --> Deployment
    RekorMonitorStatefulSet --> Ensure

Loading

File-Level Changes

Change	Details	Files
Introduce a universal PodSecurityContext helper	Add PodSecurityContext function setting RunAsNonRoot, FSGroup, SeccompProfile, and container security defaults Respect OpenShift by skipping FSGroup and RunAsUser defaults Reuse helper across init containers and main containers	internal/utils/kubernetes/ensure/pod_spec.go
Remove legacy OpenShift-specific security context logic	Delete GetOpenshiftPodSecurityContextRestricted function and related imports Eliminate fallback FSGroup code in common utilities	internal/utils/kubernetes/common.go
Apply generic PodSecurityContext to all operator resources	Replace calls to the removed OpenShift helper with deployment.PodSecurityContext Inject PodSecurityContext for Trillian DB, TUF Deployment, TUF init job, Rekor server Deployment, and Rekor StatefulSet	internal/controller/trillian/actions/db/deployment.go internal/controller/tuf/actions/deployment.go internal/controller/tuf/actions/tuf_init_job.go internal/controller/rekor/actions/server/deployment.go internal/controller/rekor/actions/monitor/statefulset.go
Add wrapper in deployment ensure for PodSecurityContext	Introduce PodSecurityContext helper in ensure/deployment/deployment.go	internal/utils/kubernetes/ensure/deployment/deployment.go
Enhance e2e TUF test to assert security context	Add Expect call to verify PodSecurityContext on TUF init job spec	test/e2e/support/tas/tuf/tuf.go

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• ensure.PodSecurityContext only applies defaults to spec.Containers—consider extending it to initContainers (and other container lists) so all pod containers get consistent security settings.
• Hard-coding runAsUser/runAsGroup to 1001 might clash with some images—consider making these values configurable or deriving them from the pod spec rather than a fixed constant.
• Review the choice to skip setting FSGroup on OpenShift clusters, as PVC-backed pods often need an explicit FSGroup on all platforms to mount volumes correctly.

Prompt for AI Agents

Please address the comments from this code review:
## Overall Comments
- ensure.PodSecurityContext only applies defaults to spec.Containers—consider extending it to initContainers (and other container lists) so all pod containers get consistent security settings.
- Hard-coding runAsUser/runAsGroup to 1001 might clash with some images—consider making these values configurable or deriving them from the pod spec rather than a fixed constant.
- Review the choice to skip setting FSGroup on OpenShift clusters, as PVC-backed pods often need an explicit FSGroup on all platforms to mount volumes correctly.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}