Add restrictive security context to registry pod and init containers#7040
Add restrictive security context to registry pod and init containers#7040kaovilai wants to merge 1 commit intooperator-framework:masterfrom
Conversation
kaovilai
force-pushed
the
secContextInitContainer
branch
from
79fd63e to
e9a876b
Compare
There was a problem hiding this comment.
Pull request overview
This PR enhances security by applying restrictive security contexts to init containers in the FBC registry pod, addressing issue #7039. Previously, only the main container received the restrictive security context when the --security-context-config=restricted flag was used.
Changes:
- Refactored security context creation into a reusable variable
- Added security context application to all init containers in the FBC registry pod
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // Update all init containers with the same restrictive security context | ||
| for i := range f.pod.Spec.InitContainers { | ||
| f.pod.Spec.InitContainers[i].SecurityContext = restrictedSecurityContext | ||
| } |
There was a problem hiding this comment.
The new functionality that applies the restrictive security context to init containers lacks test coverage. The test file fbc_registry_pod_test.go has comprehensive tests for other functionality but does not verify that init containers receive the security context when SecurityContext is set to 'restricted'. Consider adding a test case that creates an FBCRegistryPod with SecurityContext: 'restricted' and verifies that both the main container and init containers have the expected security context settings.
There was a problem hiding this comment.
@kaovilai Would you mind adding a test for this?
|
Those with similar issue and cannot wait for this PR can copy openshift/oadp-operator#2078 |
|
@kaovilai Could you rebase this pr? |
Fixes operator-framework#7039 Signed-off-by: Tiger Kaovilai <passawit.kaovilai@gmail.com> Add changelog fragment for init container security context fix Signed-off-by: Tiger Kaovilai <passawit.kaovilai@gmail.com> Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
kaovilai
force-pushed
the
secContextInitContainer
branch
from
e9a876b to
5daef89
Compare
|
dun dun dun! |
Fixes #7039
Signed-off-by: Tiger Kaovilai passawit.kaovilai@gmail.com
Description of the change:
Motivation for the change:
Checklist
If the pull request includes user-facing changes, extra documentation is required:
changelog/fragments(seechangelog/fragments/00-template.yaml)website/content/en/docs