Merge pull request #1965 from rabbitmq/security-context

MirahImage · web-flow · commit 9957af47a951 · 2025-10-08T17:27:12.000+02:00
Allow overriding container security context.
diff --git a/docs/examples/default-security-context/rabbitmq.yaml b/docs/examples/default-security-context/rabbitmq.yaml
@@ -9,7 +9,9 @@ spec:
         template:
           spec:
             securityContext: {}
-            containers: []
+            containers:
+            - name: rabbitmq
+              securityContext: {}
             initContainers:
             - name: setup-container
               securityContext: {}
diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go
@@ -296,7 +296,7 @@ func patchPodSpec(podSpec, podSpecOverride *corev1.PodSpec) (corev1.PodSpec, err
 		patchedPodSpec.Containers[0].ReadinessProbe = rmqContainer.ReadinessProbe
 	}
 
-	// A user may wish to override the controller-set securityContext for the RabbitMQ & init containers so that the
+	// A user may wish to override the controller-set securityContext for the RabbitMQ, init containers, and containers so that the
 	// container runtime can override them. If the securityContext has been set to an empty struct, `strategicpatch.StrategicMergePatch`
 	// won't pick this up, so manually override it here.
 	if podSpecOverride.SecurityContext != nil && reflect.DeepEqual(*podSpecOverride.SecurityContext, corev1.PodSecurityContext{}) {
@@ -307,6 +307,11 @@ func patchPodSpec(podSpec, podSpecOverride *corev1.PodSpec) (corev1.PodSpec, err
 			patchedPodSpec.InitContainers[i].SecurityContext = nil
 		}
 	}
+	for i := range podSpecOverride.Containers {
+		if podSpecOverride.Containers[i].SecurityContext != nil && reflect.DeepEqual(*podSpecOverride.Containers[i].SecurityContext, corev1.SecurityContext{}) {
+			patchedPodSpec.Containers[i].SecurityContext = nil
+		}
+	}
 
 	return patchedPodSpec, nil
 }
diff --git a/internal/resource/statefulset_test.go b/internal/resource/statefulset_test.go
@@ -2154,6 +2154,12 @@ default_pass = {{ .Data.data.password }}
 											SecurityContext: &corev1.SecurityContext{},
 										},
 									},
+									Containers: []corev1.Container{
+										{
+											Name:            "rabbitmq",
+											SecurityContext: &corev1.SecurityContext{},
+										},
+									},
 								},
 							},
 						},
@@ -2168,6 +2174,7 @@ default_pass = {{ .Data.data.password }}
 
 					Expect(statefulSet.Spec.Template.Spec.SecurityContext).To(BeNil())
 					Expect(statefulSet.Spec.Template.Spec.InitContainers[0].SecurityContext).To(BeNil())
+					Expect(statefulSet.Spec.Template.Spec.Containers[0].SecurityContext).To(BeNil())
 
 				})
 

Original file line number	Diff line number	Diff line change
`@@ -296,7 +296,7 @@ func patchPodSpec(podSpec, podSpecOverride *corev1.PodSpec) (corev1.PodSpec, err`
`296`	`296`	`patchedPodSpec.Containers[0].ReadinessProbe = rmqContainer.ReadinessProbe`
`297`	`297`	`}`
`298`	`298`
`299`		`- // A user may wish to override the controller-set securityContext for the RabbitMQ & init containers so that the`
	`299`	`+ // A user may wish to override the controller-set securityContext for the RabbitMQ, init containers, and containers so that the`
`300`	`300`	// container runtime can override them. If the securityContext has been set to an empty struct, `strategicpatch.StrategicMergePatch`
`301`	`301`	`// won't pick this up, so manually override it here.`
`302`	`302`	`if podSpecOverride.SecurityContext != nil && reflect.DeepEqual(*podSpecOverride.SecurityContext, corev1.PodSecurityContext{}) {`
`@@ -307,6 +307,11 @@ func patchPodSpec(podSpec, podSpecOverride *corev1.PodSpec) (corev1.PodSpec, err`
`307`	`307`	`patchedPodSpec.InitContainers[i].SecurityContext = nil`
`308`	`308`	`}`
`309`	`309`	`}`
	`310`	`+ for i := range podSpecOverride.Containers {`
	`311`	`+ if podSpecOverride.Containers[i].SecurityContext != nil && reflect.DeepEqual(*podSpecOverride.Containers[i].SecurityContext, corev1.SecurityContext{}) {`
	`312`	`+ patchedPodSpec.Containers[i].SecurityContext = nil`
	`313`	`+ }`
	`314`	`+ }`
`310`	`315`
`311`	`316`	`return patchedPodSpec, nil`
`312`	`317`	`}`