eclipse-che
diff --git a/‎api/v2/checluster_types.go‎
Lines changed: 7 additions & 2 deletions b/‎api/v2/checluster_types.go‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎api/v2/zz_generated.deepcopy.go‎
Lines changed: 8 additions & 3 deletions b/‎api/v2/zz_generated.deepcopy.go‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml‎
Lines changed: 3 additions & 3 deletions b/‎bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml‎
Lines changed: 3 additions & 3 deletions
@@ -152,7 +152,8 @@ type CheClusterDevEnvironments struct {
 	// +optional
 	DisableContainerBuildCapabilities *bool `json:"disableContainerBuildCapabilities,omitempty"`
 	// Disables container run capabilities.
-	// If set to `false`, the value from `devEnvironments.security.containerSecurityContext`
+	// Can be enabled on OpenShift version 4.20 or later.
+	// When set to `false`, the value from `devEnvironments.security.containerSecurityContext`
 	// is ignored, and instead the SecurityContext defined in
 	// `devEnvironments.containerRunConfiguration.containerSecurityContext` is applied.
 	// +optional
@@ -884,6 +885,10 @@ type ContainerBuildConfiguration struct {
 	// +kubebuilder:validation:Required
 	// +kubebuilder:default:=container-build
 	OpenShiftSecurityContextConstraint string `json:"openShiftSecurityContextConstraint,omitempty"`
+	// SecurityContext applied to all workspace containers when build capabilities are enabled.
+	// +optional
+	// +kubebuilder:default:={allowPrivilegeEscalation: true, capabilities: {add: {"SETGID", "SETUID"}}}
+	ContainerSecurityContext *corev1.SecurityContext `json:"containerSecurityContext,omitempty"`
 }
 
 type ContainerRunConfiguration struct {
@@ -895,7 +900,7 @@ type ContainerRunConfiguration struct {
 	// in addition to those defined in `devEnvironments.workspacePodAnnotations`.
 	// +optional
 	// +kubebuilder:default:={"io.kubernetes.cri-o.Devices": "/dev/fuse,/dev/net/tun"}
-	ExtraWorkspacePodAnnotations map[string]string `json:"extraWorkspacePodAnnotations,omitempty"`
+	WorkspacesPodAnnotations map[string]string `json:"workspacesPodAnnotations,omitempty"`
 	// SecurityContext applied to all workspace containers when run capabilities are enabled.
 	// +optional
 	// +kubebuilder:default:={procMount: "Unmasked", allowPrivilegeEscalation: false, capabilities: {add: {"SETGID", "SETUID"}}}
 
@@ -86,7 +86,7 @@ metadata:
     categories: Developer Tools
     certified: "false"
     containerImage: quay.io/eclipse/che-operator:next
-    createdAt: "2025-10-02T09:43:55Z"
+    createdAt: "2025-10-02T14:01:31Z"
     description: A Kube-native development solution that delivers portable and collaborative
       developer workspaces.
     features.operators.openshift.io/cnf: "false"
@@ -108,7 +108,7 @@ metadata:
     operatorframework.io/arch.amd64: supported
     operatorframework.io/arch.arm64: supported
     operatorframework.io/os.linux: supported
-  name: eclipse-che.v7.110.0-944.next
+  name: eclipse-che.v7.110.0-945.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -1141,7 +1141,7 @@ spec:
       name: gateway-authorization-sidecar-k8s
     - image: quay.io/che-incubator/header-rewrite-proxy:latest
       name: gateway-header-sidecar
-  version: 7.110.0-944.next
+  version: 7.110.0-945.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1