fix(sandbox): add missing PodSecurity restricted:latest fields

[jrangelramos]

Summary

• Fix sandbox pods failing with PodSecurity restricted:latest violation
  in openshift-* namespaces (the default enforcement on OpenShift 4.x)
• Add runAsNonRoot: true and seccompProfile: RuntimeDefault at pod
  and container level in both PodSpecBuilder and SandboxTemplate bootstrap
• Aligns with the existing compliant pattern in controller/console/reconciler.go

Test plan

• Deploy operator on an OpenShift cluster with restricted:latest enforcement
• Create a Proposal and trigger analysis — sandbox pod should start successfully
• Verify pod and container security contexts with oc get pod -o yaml
• Confirm console plugin pods are unaffected (no changes to that path)

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ca66ab8f-bf1f-41ff-a50e-1eb712a5034b

📥 Commits

Reviewing files that changed from the base of the PR and between 4f45950 and 2a90c8b.

📒 Files selected for processing (2)

• controller/proposal/podspec_builder.go
• controller/sandbox/bootstrap.go

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/lightspeed-agentic-sandbox (manual)

---

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • Pods now enforce non-root execution and apply default seccomp profiles to enhance security across all generated pod configurations.

Walkthrough

Two code paths that construct pod specs now include a pod-level security context setting runAsNonRoot: true and seccomp profile type RuntimeDefault: the typed PodSpecBuilder.Build in podspec_builder.go and the unstructured SandboxTemplate spec in bootstrap.go.

Changes

Pod Security Context

Layer / File(s)	Summary
Pod-level security context in PodSpecBuilder and SandboxTemplate controller/proposal/podspec_builder.go, controller/sandbox/bootstrap.go	PodSpecBuilder.Build sets PodSecurityContext with RunAsNonRoot: true and seccomp profile RuntimeDefault. The unstructured SandboxTemplate bootstrap spec gains an identical securityContext block under the pod template spec.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding missing Pod Security restricted:latest fields to sandbox pods, which is the core fix across both modified files.
Description check	✅ Passed	The description is directly related to the changeset, explaining the PodSecurity violation fix and detailing the security context additions (runAsNonRoot: true and seccompProfile: RuntimeDefault) implemented in both files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joshuawilson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joshuawilson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jhadvig]

@jrangelramos nice catch on the missing PSA fields 👍

One nit.... the container-level runAsNonRoot and seccompProfile are redundant, pod-level security context is inherited by all containers, so setting them in both places is unnecessary duplication.

The console plugin pattern you reference (controller/console/reconciler.go:162-176) only sets these at pod level and keeps the container-level context to just allowPrivilegeEscalation + drop ALL capabilities. Might be worth matching that exactly to keep things consistent.

Not a blocker, just cleaner.

[openshift-ci]

@jrangelramos: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.