feat: Nested containers (#2046)

Signed-off-by: Anatolii Bazko <[email protected]>

Author: tolusha

.devfile.Dockerfile

@@ -1,10 +1,10 @@
 FROM quay.io/devfile/universal-developer-image:ubi8-latest
 
 #install Go 1.19
-RUN cd /tmp && wget https://go.dev/dl/go1.19.13.linux-amd64.tar.gz && \
-        mkdir $HOME/go1.19 && \
-        tar -xvzf go1.19.13.linux-amd64.tar.gz -C $HOME/go1.19 --strip-components 1 && \
-        if ! grep -q "export PATH=\$HOME/go1.19/bin:\$PATH" $HOME/.bashrc; then echo "export PATH=\$HOME/go1.19/bin:\$PATH" >> $HOME/.bashrc; fi
+RUN cd /tmp && wget https://go.dev/dl/go1.24.7.linux-amd64.tar.gz && \
+        mkdir $HOME/go1.24.7 && \
+        tar -xvzf go1.24.7.linux-amd64.tar.gz -C $HOME/go1.19 --strip-components 1 && \
+        if ! grep -q "export PATH=\$HOME/go1.19/bin:\$PATH" $HOME/.bashrc; then echo "export PATH=\$HOME/go1.24.7/bin:\$PATH" >> $HOME/.bashrc; fi
 
 # install chectl
 RUN tag=$(curl https://api.github.com/repos/che-incubator/chectl/tags | jq -r '.[0].name') && \
@@ -14,4 +14,4 @@ RUN tag=$(curl https://api.github.com/repos/che-incubator/chectl/tags | jq -r '.
         if ! grep -q "export PATH=\$HOME/chectl/bin:\$PATH" $HOME/.bashrc; then echo "export PATH=\$HOME/chectl/bin:\$PATH" >> $HOME/.bashrc; fi
 
 # install goimports
-RUN $HOME/go1.19/bin/go install golang.org/x/tools/cmd/goimports@latest
+RUN $HOME/go1.24.7/bin/go install golang.org/x/tools/cmd/goimports@latest

Dockerfile

@@ -18,7 +18,7 @@ ARG SKIP_TESTS="false"
 USER root
 
 ### Start installing go
-ENV GO_VERSION=1.23.8
+ENV GO_VERSION=1.24.7
 ENV GOROOT=/usr/local/go
 ENV PATH=$PATH:$GOROOT/bin
 RUN dnf install unzip gcc -y

api/v2/checluster_types.go

@@ -19,6 +19,8 @@ import (
 	"strconv"
 	"strings"
 
+	"k8s.io/utils/pointer"
+
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	defaults "github.com/eclipse-che/che-operator/pkg/common/operator-defaults"
@@ -45,7 +47,7 @@ type CheClusterSpec struct {
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Development environments"
-	// +kubebuilder:default:={storage: {pvcStrategy: per-user}, defaultNamespace: {template: <username>-che, autoProvision: true}, secondsOfInactivityBeforeIdling:1800, secondsOfRunBeforeIdling:-1, startTimeoutSeconds:300, maxNumberOfWorkspacesPerUser:-1}
+	// +kubebuilder:default:={storage: {pvcStrategy: per-user}, defaultNamespace: {template: <username>-che, autoProvision: true}, secondsOfInactivityBeforeIdling:1800, secondsOfRunBeforeIdling:-1, startTimeoutSeconds:300, maxNumberOfWorkspacesPerUser:-1, disableContainerRunCapabilities:true}
 	DevEnvironments CheClusterDevEnvironments `json:"devEnvironments"`
 	// Che components configuration.
 	// +optional
@@ -149,12 +151,23 @@ type CheClusterDevEnvironments struct {
 	//
 	// +optional
 	DisableContainerBuildCapabilities *bool `json:"disableContainerBuildCapabilities,omitempty"`
+	// Disables container run capabilities.
+	// Can be enabled on OpenShift version 4.20 or later.
+	// When set to `false`, the value from `devEnvironments.security.containerSecurityContext`
+	// is ignored, and instead the SecurityContext defined in
+	// `devEnvironments.containerRunConfiguration.containerSecurityContext` is applied.
+	// +optional
+	// +kubebuilder:default:=true
+	DisableContainerRunCapabilities *bool `json:"disableContainerRunCapabilities,omitempty"`
 	// Workspace security configuration.
 	// +optional
 	Security WorkspaceSecurityConfig `json:"security,omitempty"`
 	// Container build configuration.
 	// +optional
 	ContainerBuildConfiguration *ContainerBuildConfiguration `json:"containerBuildConfiguration,omitempty"`
+	// Container run configuration.
+	// +optional
+	ContainerRunConfiguration *ContainerRunConfiguration `json:"containerRunConfiguration,omitempty"`
 	// ServiceAccount to use by the DevWorkspace operator when starting the workspaces.
 	// +optional
 	// +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -559,9 +572,10 @@ type WorkspaceSecurityConfig struct {
 	// If set, defined values are merged into the default PodSecurityContext configuration.
 	// +optional
 	PodSecurityContext *corev1.PodSecurityContext `json:"podSecurityContext,omitempty"`
-	// Container SecurityContext used by all workspace-related containers.
-	// If set, defined values are merged into the default Container SecurityContext configuration.
-	// Requires devEnvironments.disableContainerBuildCapabilities to be set to `true` in order to take effect.
+	// Defines the SecurityContext applied to all workspace-related containers.
+	// When set, the specified values are merged with the default SecurityContext configuration.
+	// This setting takes effect only if both `devEnvironments.disableContainerBuildCapabilities`
+	// and `devEnvironments.disableContainerRunCapabilities` are set to `true`.
 	// +optional
 	ContainerSecurityContext *corev1.SecurityContext `json:"containerSecurityContext,omitempty"`
 }
@@ -873,6 +887,26 @@ type ContainerBuildConfiguration struct {
 	OpenShiftSecurityContextConstraint string `json:"openShiftSecurityContextConstraint,omitempty"`
 }
 
+type ContainerRunConfiguration struct {
+	// Specifies the OpenShift SecurityContextConstraint used to run containers.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default:=container-run
+	OpenShiftSecurityContextConstraint string `json:"openShiftSecurityContextConstraint,omitempty"`
+	// Extra annotations applied to all workspace pods, in addition to those defined
+	// in `devEnvironments.workspacePodAnnotations`. Enables `/dev/fuse` for access to the fuse driver
+	// and `/dev/net/tun` for safe network access.
+	// +optional
+	// +kubebuilder:default:={"io.kubernetes.cri-o.Devices": "/dev/fuse,/dev/net/tun"}
+	WorkspacesPodAnnotations map[string]string `json:"workspacesPodAnnotations,omitempty"`
+	// SecurityContext applied to all workspace containers when run capabilities are enabled.
+	// The default `procMount: "Unmasked"` is set because the pod runs in a user namespace,
+	// which safely isolates the container's `/proc` from the host. This allows the container
+	// to modify its own sysctl settings for configuring networking for nested containers.
+	// +optional
+	// +kubebuilder:default:={procMount: "Unmasked", allowPrivilegeEscalation: true, capabilities: {add: {"SETGID", "SETUID"}}}
+	ContainerSecurityContext *corev1.SecurityContext `json:"containerSecurityContext,omitempty"`
+}
+
 // Configuration for Traefik within the Che gateway pod.
 type Traefik struct {
 	// The log level for the Traefik container within the gateway pod: `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`, or `PANIC`. The default value is `INFO`
@@ -1068,6 +1102,10 @@ func (c *CheCluster) IsAccessTokenConfigured() bool {
 	return c.GetIdentityToken() == constants.AccessToken
 }
 
+func (c *CheCluster) IsContainerRunCapabilitiesEnabled() bool {
+	return !pointer.BoolDeref(c.Spec.DevEnvironments.DisableContainerRunCapabilities, constants.DefaultDisableContainerRunCapabilities)
+}
+
 // IsContainerBuildCapabilitiesEnabled returns true if container build capabilities are enabled.
 // If value is not set in the CheCluster CR, then the default value is used.
 func (c *CheCluster) IsContainerBuildCapabilitiesEnabled() bool {
@@ -1084,10 +1122,6 @@ func (c *CheCluster) IsContainerBuildCapabilitiesEnabled() bool {
 	return !disableContainerBuildCapabilitiesParsed
 }
 
-func (c *CheCluster) IsOpenShiftSecurityContextConstraintSet() bool {
-	return c.Spec.DevEnvironments.ContainerBuildConfiguration != nil && c.Spec.DevEnvironments.ContainerBuildConfiguration.OpenShiftSecurityContextConstraint != ""
-}
-
 func (c *CheCluster) IsCheFlavor() bool {
 	return defaults.GetCheFlavor() == constants.CheFlavor
 }

api/v2/checluster_webhook.go

@@ -67,19 +67,37 @@ func (r *CheClusterDefaulter) Default(_ context.Context, obj runtime.Object) err
 
 	webhookLogger.Info("Defaulting for CheCluster", "name", cheCluster.GetName())
 
-	r.setContainerBuildConfiguration(cheCluster)
+	r.setDisableContainerRunCapabilities(cheCluster)
+	r.setContainerRunConfiguration(cheCluster)
+
 	r.setDisableContainerBuildCapabilities(cheCluster)
+	r.setContainerBuildConfiguration(cheCluster)
+
 	return nil
 }
 
 func (r *CheClusterDefaulter) setDisableContainerBuildCapabilities(cheCluster *CheCluster) {
-	// Container build capabilities can be enabled on OpenShift only
 	if !infrastructure.IsOpenShift() {
 		cheCluster.Spec.DevEnvironments.DisableContainerBuildCapabilities = pointer.Bool(true)
 	}
 }
 
-// Sets ContainerBuildConfiguration if container build capabilities is enabled.
+func (r *CheClusterDefaulter) setDisableContainerRunCapabilities(cheCluster *CheCluster) {
+	if !infrastructure.IsOpenShift() {
+		cheCluster.Spec.DevEnvironments.DisableContainerRunCapabilities = pointer.Bool(true)
+	}
+}
+
+// Sets ContainerRunConfiguration if container run capabilities is enabled.
+// The defaults will be propagated from the CheCluster CRD
+func (r *CheClusterDefaulter) setContainerRunConfiguration(cheCluster *CheCluster) {
+	if cheCluster.IsContainerRunCapabilitiesEnabled() && cheCluster.Spec.DevEnvironments.ContainerRunConfiguration == nil {
+		cheCluster.Spec.DevEnvironments.ContainerRunConfiguration = &ContainerRunConfiguration{}
+	}
+}
+
+// Sets ContainerBuildConfiguration if container run capabilities is enabled.
+// The defaults will be propagated from the CheCluster CRD
 func (r *CheClusterDefaulter) setContainerBuildConfiguration(cheCluster *CheCluster) {
 	if cheCluster.IsContainerBuildCapabilitiesEnabled() && cheCluster.Spec.DevEnvironments.ContainerBuildConfiguration == nil {
 		cheCluster.Spec.DevEnvironments.ContainerBuildConfiguration = &ContainerBuildConfiguration{}

api/v2/zz_generated.deepcopy.go

@@ -29,13 +29,16 @@ init() {
 build() {
   printf "%bBuilding image %b${IMAGE_NAME}${NC}..." "${BOLD}" "${BLUE}"
   if docker build -t ${IMAGE_NAME} > docker-build-log 2>&1  -<<EOF
-  FROM golang:1.23-bookworm
+  FROM docker.io/golang:1.24-bookworm
   RUN apt update && apt install python3-pip skopeo jq rsync unzip -y && \
     pip install --break-system-packages yq && \
     curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
     install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl && \
     go install golang.org/x/tools/cmd/goimports@latest && \
     rm -rf /che-operator/bin
+  RUN wget https://github.com/okd-project/okd/releases/download/4.19.0-okd-scos.7/openshift-client-linux-4.19.0-okd-scos.7.tar.gz && \
+    tar -xvf openshift-client-linux-4.19.0-okd-scos.7.tar.gz && \
+    mv oc /usr/local/bin/
   RUN adduser --disabled-password --gecos "" user
   ENV GO111MODULE=on
   ENV GOPATH=/home/user/go

build/scripts/docker-run.sh

@@ -86,7 +86,7 @@ metadata:
     categories: Developer Tools
     certified: "false"
     containerImage: quay.io/eclipse/che-operator:next
-    createdAt: "2025-10-14T09:17:53Z"
+    createdAt: "2025-10-23T08:53:01Z"
     description: A Kube-native development solution that delivers portable and collaborative
       developer workspaces.
     features.operators.openshift.io/cnf: "false"
@@ -108,7 +108,7 @@ metadata:
     operatorframework.io/arch.amd64: supported
     operatorframework.io/arch.arm64: supported
     operatorframework.io/os.linux: supported
-  name: eclipse-che.v7.111.0-947.next
+  name: eclipse-che.v7.111.0-948.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -1141,7 +1141,7 @@ spec:
       name: gateway-authorization-sidecar-k8s
     - image: quay.io/che-incubator/header-rewrite-proxy:latest
       name: gateway-header-sidecar
-  version: 7.111.0-947.next
+  version: 7.111.0-948.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1