Problem
When doing a physical/PITR restore, the operator adds an init container named pbm-init in updateStatefulSetForPhysicalRestore (physical.go). That container is created via EntrypointInitContainer() and is never assigned a SecurityContext. So, the container fails to come up in namespaces which are PSA restricted.
Solution
The ideal fix per my understanding would be to allow specifying CSP in EntrypointInitContainer func but the current conventions in the code-base suggest setting / mutating the CSP post creation from the above func. For example, the current other consumer of the above func is this init container call here and it sets the CSP by mutating the container object returned by EntrypointInitContainer.
P.S. Happy to contribute. I had another issue which I wanted to get a patch through for but I'm currently awaiting internal approval for the proceedings.
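The check below shows why a container built without a SecurityContext is rejected under the PSA restricted profile, and what a post-creation mutation has to set. It is an added example, not the operator's code: the types are local stand-ins for the corev1 ones, `restrictedViolations` and `hardened` are hypothetical helpers, and only four of the profile's container settings are checked.

```go
package main

import "fmt"

// Stand-ins for the k8s.io/api/core/v1 types (only the fields used here).
type Capabilities struct{ Drop []string }
type SeccompProfile struct{ Type string }
type SecurityContext struct {
	AllowPrivilegeEscalation, RunAsNonRoot *bool
	Capabilities                           *Capabilities
	SeccompProfile                         *SeccompProfile
}
type Container struct{ Name string; SecurityContext *SecurityContext }

// restrictedViolations lists what PSA "restricted" requires and c lacks (pod-level settings ignored).
func restrictedViolations(c Container) (v []string) {
	sc := &SecurityContext{}
	if c.SecurityContext != nil {
		sc = c.SecurityContext
	}
	need := func(ok bool, msg string) {
		if !ok {
			v = append(v, msg)
		}
	}
	dropAll := false
	if sc.Capabilities != nil {
		for _, d := range sc.Capabilities.Drop {
			dropAll = dropAll || d == "ALL"
		}
	}
	p := sc.SeccompProfile
	need(sc.AllowPrivilegeEscalation != nil && !*sc.AllowPrivilegeEscalation, "allowPrivilegeEscalation must be false")
	need(sc.RunAsNonRoot != nil && *sc.RunAsNonRoot, "runAsNonRoot must be true")
	need(dropAll, "capabilities.drop must include ALL")
	need(p != nil && (p.Type == "RuntimeDefault" || p.Type == "Localhost"), "seccompProfile.type must be RuntimeDefault or Localhost")
	return v
}

// hardened sets the context on an already-built container; the values are illustrative.
func hardened(c Container) Container {
	t, f := true, false
	c.SecurityContext = &SecurityContext{AllowPrivilegeEscalation: &f, RunAsNonRoot: &t, Capabilities: &Capabilities{Drop: []string{"ALL"}}, SeccompProfile: &SeccompProfile{Type: "RuntimeDefault"}}
	return c
}

func main() {
	c := Container{Name: "pbm-init"} // constructed sample: no SecurityContext set
	fmt.Println(restrictedViolations(c), restrictedViolations(hardened(c)))
}
```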