From 2e7e6981ae0619ec612d8c1ff3bffdd0fe7c3f7e Mon Sep 17 00:00:00 2001
From: Mirah Gary
Date: Wed, 8 Oct 2025 10:57:41 +0200
Subject: [PATCH] Allow overriding container securityContext.

---
 docs/examples/default-security-context/rabbitmq.yaml | 4 +++-
 internal/resource/statefulset.go | 7 ++++++-
 internal/resource/statefulset_test.go | 7 +++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/docs/examples/default-security-context/rabbitmq.yaml b/docs/examples/default-security-context/rabbitmq.yaml
index 539a8ff1c..23752ad6c 100644
--- a/docs/examples/default-security-context/rabbitmq.yaml
+++ b/docs/examples/default-security-context/rabbitmq.yaml
@@ -9,7 +9,9 @@ spec:
   template:
     spec:
       securityContext: {}
-      containers: []
+      containers:
+      - name: rabbitmq
+        securityContext: {}
       initContainers:
       - name: setup-container
         securityContext: {}
diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go
index cafc3261d..27d62eb1b 100644
--- a/internal/resource/statefulset.go
+++ b/internal/resource/statefulset.go
@@ -296,7 +296,7 @@ func patchPodSpec(podSpec, podSpecOverride *corev1.PodSpec) (corev1.PodSpec, err
 		patchedPodSpec.Containers[0].ReadinessProbe = rmqContainer.ReadinessProbe
 	}
 
-	// A user may wish to override the controller-set securityContext for the RabbitMQ & init containers so that the
+	// A user may wish to override the controller-set securityContext for the RabbitMQ, init containers, and containers so that the
 	// container runtime can override them. If the securityContext has been set to an empty struct, `strategicpatch.StrategicMergePatch`
 	// won't pick this up, so manually override it here.
 	if podSpecOverride.SecurityContext != nil && reflect.DeepEqual(*podSpecOverride.SecurityContext, corev1.PodSecurityContext{}) {
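Review bot: The reworded comment on the `+` line, `// A user may wish to override the controller-set securityContext for the RabbitMQ, init containers, and containers so that the`, lists "RabbitMQ" as if it were a third kind of container, while the three things the code below resets are the pod-level PodSecurityContext, the init containers, and the containers. A clearer first line would be `// A user may wish to override the controller-set securityContext for the pod, the init containers, and the containers so that the`. It would also help a reader to say explicitly that an empty `securityContext: {}` removes the controller's defaults entirely, so the container then runs with whatever the runtime and any admission policy apply; what those controller defaults are is not visible in this hunk. patchPodSpec's signature and the start of its body lie before this hunk.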
@@ -307,6 +307,11 @@ func patchPodSpec(podSpec, podSpecOverride *corev1.PodSpec) (corev1.PodSpec, err
 			patchedPodSpec.InitContainers[i].SecurityContext = nil
 		}
 	}
+	for i := range podSpecOverride.Containers {
+		if podSpecOverride.Containers[i].SecurityContext != nil && reflect.DeepEqual(*podSpecOverride.Containers[i].SecurityContext, corev1.SecurityContext{}) {
+			patchedPodSpec.Containers[i].SecurityContext = nil
+		}
+	}
 
 	return patchedPodSpec, nil
 }
diff --git a/internal/resource/statefulset_test.go b/internal/resource/statefulset_test.go
index 878b09f98..bb1b9da30 100644
--- a/internal/resource/statefulset_test.go
+++ b/internal/resource/statefulset_test.go
@@ -2154,6 +2154,12 @@ default_pass = {{ .Data.data.password }}
 							SecurityContext: &corev1.SecurityContext{},
 						},
 					},
+					Containers: []corev1.Container{
+						{
+							Name: "rabbitmq",
+							SecurityContext: &corev1.SecurityContext{},
+						},
+					},
 				},
 			},
 		},
@@ -2168,6 +2174,7 @@ default_pass = {{ .Data.data.password }}
 
 			Expect(statefulSet.Spec.Template.Spec.SecurityContext).To(BeNil())
 			Expect(statefulSet.Spec.Template.Spec.InitContainers[0].SecurityContext).To(BeNil())
+			Expect(statefulSet.Spec.Template.Spec.Containers[0].SecurityContext).To(BeNil())
 		})
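Review bot: The added loop clears `patchedPodSpec.Containers[i].SecurityContext` using the index `i` of the override's Containers list, but nothing in this hunk ties the override's position to the merged list's position; strategic merge keys containers by name, so an override that lists a sidecar ahead of `rabbitmq`, or lists only a subset of the merged containers, can nil the securityContext of a different container than the one the user emptied — stripping the controller-set hardening from a container the user never touched while leaving the intended one as is. Matching on `Name` makes the reset land on the right container regardless of ordering; the existing initContainers loop in the context lines has the same positional shape and would benefit from the same treatment, though that is pre-existing code. Whether the merged slice preserves base order and appends new names is inferred from merge-key semantics rather than shown here, which is precisely why the code should not depend on it. patchPodSpec's signature and the earlier part of its body lie outside this hunk.
```go
	// … unchanged: initContainers securityContext override …
	for _, override := range podSpecOverride.Containers {
		if override.SecurityContext == nil || !reflect.DeepEqual(*override.SecurityContext, corev1.SecurityContext{}) {
			continue
		}
		// Match by name: the merged Containers list is keyed by container name, not by position.
		for j := range patchedPodSpec.Containers {
			if patchedPodSpec.Containers[j].Name == override.Name {
				patchedPodSpec.Containers[j].SecurityContext = nil
			}
		}
	}

	return patchedPodSpec, nil
```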
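Review bot: The new fixture places the emptied `rabbitmq` container at index 0 of the override, which is the same index the production code uses on the merged list, so this test cannot distinguish positional indexing from name-based matching. A second case that puts another container with a non-empty securityContext ahead of `rabbitmq` in the override, then asserts that only the `rabbitmq` entry of `statefulSet.Spec.Template.Spec.Containers` has a nil SecurityContext and the other keeps its value, would pin the intended semantics. The enclosing test body (presumably a Ginkgo block, given `Expect`/`BeNil`) starts and ends outside these hunks.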