percona · hors · Apr 24, 2026 · Mar 13, 2026 · Mar 13, 2026 · Mar 25, 2026
@@ -409,6 +409,9 @@ func (r *ReconcilePerconaServerMongoDBRestore) updateStatefulSetForPhysicalResto
 		cluster.Spec.ImagePullPolicy,
 		cmd,
 	)
+	if cluster.CompareVersion("1.23.0") >= 0 && cluster.Spec.InitContainerSecurityContext != nil {
-	if cluster.CompareVersion("1.23.0") >= 0 && cluster.Spec.InitContainerSecurityContext != nil {
+	if cluster.CompareVersion("1.14.0") >= 0 && cluster.Spec.InitContainerSecurityContext != nil {
-	if cluster.CompareVersion("1.23.0") >= 0 && cluster.Spec.InitContainerSecurityContext != nil {
+	if cluster.CompareVersion("1.14.0") >= 0 && cluster.Spec.InitContainerSecurityContext != nil {
+		pbmInit.SecurityContext = cluster.Spec.InitContainerSecurityContext
+	}
 	sts.Spec.Template.Spec.InitContainers = append(sts.Spec.Template.Spec.InitContainers, pbmInit)
 
 	pbmIdx := -1

@@ -121,3 +121,95 @@ func TestUpdateStatefulSetForPhysicalRestore(t *testing.T) {
 	assert.Equal(t, "PBM_MONGODB_URI", lastEnvVar.Name)
 	assert.Equal(t, expectedURI, lastEnvVar.Value)
 }
+
+func TestUpdateStatefulSetForPhysicalRestoreSecurityContext(t *testing.T) {
+	ctx := context.Background()
+
+	nonRoot := true
+	allowPrivEsc := false
+	cluster := &psmdbv1.PerconaServerMongoDB{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "my-cluster",
+			Namespace: "default",
+		},
+		Spec: psmdbv1.PerconaServerMongoDBSpec{
+			CRVersion: version.Version(),
+			Backup: psmdbv1.BackupSpec{
+				Image: "percona/percona-backup-mongodb:latest",
+			},
+			ImagePullPolicy: corev1.PullIfNotPresent,
+			Secrets: &psmdbv1.SecretsSpec{
+				Users: "users-secret",
+				SSL:   "ssl-secret",
+			},
+			InitContainerSecurityContext: &corev1.SecurityContext{
+				RunAsNonRoot:             &nonRoot,
+				AllowPrivilegeEscalation: &allowPrivEsc,
+			},
+		},
+	}
+
+	sts := &appsv1.StatefulSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "my-cluster-rs0",
+			Namespace: "default",
+		},
+		Spec: appsv1.StatefulSetSpec{
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"app": "my-cluster"},
+			},
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{"app": "my-cluster"},
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:  "mongod",
+							Image: "percona/percona-server-mongodb:latest",
+						},
+						{
+							Name:  naming.ContainerBackupAgent,
+							Image: "percona/percona-backup-agent:latest",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	secretTLS := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      cluster.Spec.Secrets.SSL,
+			Namespace: cluster.Namespace,
+		},
+		Data: map[string][]byte{
+			"ca.crt":  {},
+			"tls.crt": {},
+			"tls.key": {},
+		},
+	}
+
+	r := fakeReconciler(cluster, sts, secretTLS)
+	namespacedName := types.NamespacedName{
+		Name:      sts.Name,
+		Namespace: sts.Namespace,
+	}
+
+	err := r.updateStatefulSetForPhysicalRestore(ctx, cluster, namespacedName, 27017)
+	assert.NoError(t, err)
+
+	updatedSTS := &appsv1.StatefulSet{}
+	err = r.client.Get(ctx, namespacedName, updatedSTS)
+	assert.NoError(t, err)
+
+	var pbmInit *corev1.Container
+	for i := range updatedSTS.Spec.Template.Spec.InitContainers {
+		if updatedSTS.Spec.Template.Spec.InitContainers[i].Name == "pbm-init" {
+			pbmInit = &updatedSTS.Spec.Template.Spec.InitContainers[i]
+			break
+		}
+	}
+	assert.NotNil(t, pbmInit)
+	assert.Equal(t, cluster.Spec.InitContainerSecurityContext, pbmInit.SecurityContext)
+}