
Commit 404c827

jrangelramosclaude
andcommitted
fix(sandbox): add missing PodSecurity restricted:latest fields
Sandbox pods for analysis/execution fail to start on clusters enforcing the restricted Pod Security Standard (default for openshift-* namespaces). Add runAsNonRoot and seccompProfile at both pod and container level in podspec_builder.go and bootstrap.go, matching the pattern already used by the console plugin reconciler. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent c8d785b commit 404c827

2 files changed

Lines changed: 18 additions & 2 deletions


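--- a/controller/proposal/podspec_builder.go
+++ b/controller/proposal/podspec_builder.go
@@ -51,7 +51,9 @@ func (b *PodSpecBuilder) Build(
 }},
 SecurityContext: &corev1.SecurityContext{
 AllowPrivilegeEscalation: ptr.To(false),
+RunAsNonRoot: ptr.To(true),
 Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
+SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
 },
 }
 
@@ -124,8 +126,12 @@ func (b *PodSpecBuilder) Build(
 return &corev1.PodSpec{
 ServiceAccountName: serviceAccount,
 AutomountServiceAccountToken: ptr.To(true),
-Containers: []corev1.Container{container},
-Volumes: volumes,
+SecurityContext: &corev1.PodSecurityContext{
+RunAsNonRoot: ptr.To(true),
+SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+},
+Containers: []corev1.Container{container},
+Volumes: volumes,
 }, nil
 }
 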
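Review bot: `RunAsNonRoot: ptr.To(true)` in the container SecurityContext (first hunk) and in the new PodSecurityContext (second hunk) is checked by the kubelet against the image's USER at container creation, so a sandbox image that runs as root or declares a non-numeric USER will now fail with CreateContainerConfigError rather than being rejected at admission, and nothing in the commit records that image contract. On OpenShift the restricted SCC typically injects a RunAsUser from the namespace range, but on plain Kubernetes nothing does, so either set `RunAsUser`/`RunAsGroup` explicitly or document the requirement next to the pod-level block, e.g. `// Restricted PSS: RunAsNonRoot is only satisfiable if the image declares a numeric non-root USER or RunAsUser is set.` Build begins before the first hunk; its closing brace is inside the second.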
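--- a/controller/sandbox/bootstrap.go
+++ b/controller/sandbox/bootstrap.go
@@ -103,6 +103,12 @@ func ensureSandboxTemplate(ctx context.Context, c client.Client, image, namespac
 "spec": map[string]any{
 "serviceAccountName": templateName,
 "automountServiceAccountToken": false,
+"securityContext": map[string]any{
+"runAsNonRoot": true,
+"seccompProfile": map[string]any{
+"type": "RuntimeDefault",
+},
+},
 "containers": []any{
 map[string]any{
 "name": "agent",
@@ -116,9 +122,13 @@ func ensureSandboxTemplate(ctx context.Context, c client.Client, image, namespac
 },
 "securityContext": map[string]any{
 "allowPrivilegeEscalation": false,
+"runAsNonRoot": true,
 "capabilities": map[string]any{
 "drop": []any{"ALL"},
 },
+"seccompProfile": map[string]any{
+"type": "RuntimeDefault",
+},
 },
 },
 },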
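Review bot: The seccomp type is spelled as the bare literal `"RuntimeDefault"` in both new blocks of ensureSandboxTemplate, whereas podspec_builder.go in the same commit uses `corev1.SeccompProfileTypeRuntimeDefault`; a typo in this unstructured map is caught only at admission, and the two files can drift apart. If corev1 is already imported in bootstrap.go, `"type": string(corev1.SeccompProfileTypeRuntimeDefault),` keeps the template in step with the typed builder; otherwise a single package-level const used by both the pod-level and container-level blocks removes the duplication. ensureSandboxTemplate starts before the first hunk and continues past the second.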