From 9247110d27bf9c43928f0ff014bbf731c7fd37f9 Mon Sep 17 00:00:00 2001
From: Doug Edgar
Date: Fri, 12 Sep 2025 13:13:11 -0700
Subject: [PATCH] fix: init pod run perms

Signed-off-by: Doug Edgar
---
 controllers/resource_helper.go | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/controllers/resource_helper.go b/controllers/resource_helper.go
index 9a9eb794..d3d5f1ae 100644
--- a/controllers/resource_helper.go
+++ b/controllers/resource_helper.go
@@ -365,8 +365,8 @@ done`, CABundleTempPath, CABundleSourceDir, fileList)
 },
 },
 SecurityContext: &corev1.SecurityContext{
- AllowPrivilegeEscalation: &[]bool{false}[0],
- RunAsNonRoot: &[]bool{false}[0],
+ AllowPrivilegeEscalation: ptr.To(false),
+ RunAsNonRoot: ptr.To(false),
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
@@ -446,8 +446,12 @@ func configurePersistentStorage(instance *llamav1alpha1.LlamaStackDistribution,
 },
 },
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: ptr.To(int64(0)), // Run as root to be able to change ownership
- RunAsGroup: ptr.To(int64(0)),
+ RunAsUser: ptr.To(int64(0)), // Run as root to be able to change ownership
+ RunAsGroup: ptr.To(int64(0)),
+ AllowPrivilegeEscalation: ptr.To(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
 },
 }
 
@@ -601,6 +605,16 @@ func configurePodOverrides(instance *llamav1alpha1.LlamaStackDistribution, podSp
 podSpec.ServiceAccountName = instance.Name + "-sa"
 }
 
+ // Configure pod-level security context for OpenShift SCC compatibility
+ if podSpec.SecurityContext == nil {
+ podSpec.SecurityContext = &corev1.PodSecurityContext{}
+ }
+
+ // Set fsGroup to allow write access to mounted volumes
+ if podSpec.SecurityContext.FSGroup == nil {
+ podSpec.SecurityContext.FSGroup = ptr.To(int64(0))
+ }
+
 // Apply other pod overrides if specified
 if instance.Spec.Server.PodOverrides != nil {
 // Add volumes if specified
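Review bot: `RunAsNonRoot: ptr.To(false)` on the CA-bundle init container is an explicit opt-out of the non-root admission check, and unlike the sibling in configurePersistentStorage it carries no comment saying why root is needed; the `ptr.To` rewrite is a good moment to record that. If the shell script that copies the bundle does not actually require UID 0, the stronger setting is `RunAsNonRoot: ptr.To(true),`; otherwise add a comment such as `// Needs root: writes into CABundleTempPath owned by the image user` (adjusted to the real reason). The container definition and its command begin above the hunk, so I cannot confirm which case applies from here.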
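Review bot: `Drop: []corev1.Capability{"ALL"}` added to the persistent-storage init container removes CAP_CHOWN from its bounding set, so even though it still runs with `RunAsUser: 0` (commented as "to be able to change ownership"), a chown of the volume to a non-root UID will fail with EPERM, since changing a file's owner always requires CAP_CHOWN on Linux. If the container's command does chown (the command is outside the hunk, so I am inferring from the comment), keep Drop ALL and re-add only what is needed: `Add: []corev1.Capability{"CHOWN"},` inside the same Capabilities block (CAP_FOWNER or CAP_DAC_OVERRIDE as well if it also chmods files it does not own). If the intent is instead to stop chowning and rely on the pod-level fsGroup introduced in configurePodOverrides, then `RunAsUser`/`RunAsGroup` 0 and the comment should go too, because running as root with no capabilities buys nothing. configurePersistentStorage continues outside the hunk.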
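Review bot: `podSpec.SecurityContext.FSGroup = ptr.To(int64(0))` is applied to every pod the controller builds, not only when persistent storage is configured, and it adds GID 0 as a supplementary group to every container in the pod while the comment next to it says the goal is "OpenShift SCC compatibility". Under OpenShift's restricted SCC the fsGroup must fall within the namespace's allocated range, and 0 is normally outside it, so hard-coding it can make admission reject the pod unless the service account is bound to a more permissive SCC; this is worth verifying against the SCC the deployment actually targets. A safer shape is to leave `FSGroup` nil so the SCC assigns a value in range, or set it only on the persistent-storage path that needs the volume writable, and in either case document why 0 rather than an allocated GID. If an operator-supplied `PodOverrides` can carry its own SecurityContext, the nil-check before the override block also means the default wins over it; I cannot tell from the hunk. configurePodOverrides continues past the hunk.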