From 2a90c8b4b3b0551f5ca6706edbf992ef125025a7 Mon Sep 17 00:00:00 2001 From: Jefferson Ramos Date: Tue, 16 Jun 2026 23:22:36 -0300 Subject: [PATCH] fix(sandbox): add missing PodSecurity restricted:latest fields Sandbox pods for analysis/execution fail to start on clusters enforcing the restricted Pod Security Standard (default for openshift-* namespaces). Add runAsNonRoot and seccompProfile at both pod and container level in podspec_builder.go and bootstrap.go, matching the pattern already used by the console plugin reconciler. Co-Authored-By: Claude Opus 4.6 --- controller/proposal/podspec_builder.go | 8 ++++++-- controller/sandbox/bootstrap.go | 6 ++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/controller/proposal/podspec_builder.go b/controller/proposal/podspec_builder.go index fedac89..f61c2f1 100644 --- a/controller/proposal/podspec_builder.go +++ b/controller/proposal/podspec_builder.go @@ -124,8 +124,12 @@ func (b *PodSpecBuilder) Build( return &corev1.PodSpec{ ServiceAccountName: serviceAccount, AutomountServiceAccountToken: ptr.To(true), - Containers: []corev1.Container{container}, - Volumes: volumes, + SecurityContext: &corev1.PodSecurityContext{ + RunAsNonRoot: ptr.To(true), + SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}, + }, + Containers: []corev1.Container{container}, + Volumes: volumes, }, nil } diff --git a/controller/sandbox/bootstrap.go b/controller/sandbox/bootstrap.go index dbe364c..a1311f1 100644 --- a/controller/sandbox/bootstrap.go +++ b/controller/sandbox/bootstrap.go @@ -103,6 +103,12 @@ func ensureSandboxTemplate(ctx context.Context, c client.Client, image, namespac "spec": map[string]any{ "serviceAccountName": templateName, "automountServiceAccountToken": false, + "securityContext": map[string]any{ + "runAsNonRoot": true, + "seccompProfile": map[string]any{ + "type": "RuntimeDefault", + }, + }, "containers": []any{ map[string]any{ "name": "agent",