stacklok / toolhive / 27711103421

67%

Build Type

push

github

Committed by web-flow

Commit Message

Make Kubernetes security contexts satisfy restricted PSS (#5555)

* Make K8s security contexts satisfy restricted PSS

The pod and container security contexts built by SecurityContextBuilder
only set seccompProfile and dropped all capabilities on the OpenShift
code path. On standard Kubernetes these were omitted, making the
contexts incompatible with the restricted Pod Security Standard.

Set seccompProfile=RuntimeDefault on the pod and container contexts and
drop ALL capabilities on the container context unconditionally, so
workloads comply with the restricted standard on every platform. The
OpenShift branch now only nulls out user/group for SCC assignment.

Closes #5546

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Tighten security context tests after review

Address review feedback on the restricted PSS change:
- Update OpenShift test comments that still described seccomp and
  dropped capabilities as platform-specific, though both are now
  applied unconditionally.
- Assert the ApplyConfiguration builders (the path actually applied to
  the cluster) carry RuntimeDefault seccomp and drop ALL on every
  platform.
- Compare the new SeccompProfile and Capabilities fields in the
  consistency test.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Coverage Stats

14 of 14 new or added lines in 1 file covered. (100.0%)

6 existing lines in 1 file now uncovered.

69067 of 103036 relevant lines covered (67.03%)

63.88 hits per line