Open
Description
Example command:
oc adm node-image create --mac-address="00:00:00:00:00:00"
Output:
2025-11-07T19:51:17Z [node-image create] installer pullspec obtained from installer-images configMap quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a2a8165454c25c5533e3826b994f5728b54a55f8a9e710a9f392f2de8d518a48
2025-11-07T19:51:17Z [node-image create] Launching command
error: cannot create pod: pods "node-joiner-7rhp8" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "node-joiner" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "node-joiner" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "node-joiner" must set securityContext.runAsNonRoot=true)
Another example:
oc adm node-image monitor --ip-addresses 192.168.1.2
Output:
2025-11-07T20:01:39Z [node-image monitor] configMap containing installer-images is not available, trying to get image from registry
2025-11-07T20:01:40Z [node-image monitor] Launching command
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "node-joiner-monitor" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "node-joiner-monitor" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "node-joiner-monitor" must set securityContext.runAsNonRoot=true)
I do not see a reason why the SecurityContext should not be set on the containers used by pods spun up by these commands.
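As an added illustration (not code from the oc project), the three checks behind the findings quoted above, mirrored in plain Go over hypothetical stand-in types for the corev1 securityContext fields, next to the container securityContext that satisfies all of them:

```go
package main
import "fmt"
// Hypothetical mirror of the corev1 fields the three checks read, so the
// example runs without a k8s.io/api dependency. Container-level only: the
// real profile also accepts runAsNonRoot set at pod level, and also requires
// a seccompProfile (not among the findings quoted in the issue).
type Capabilities struct{ Drop []string }
type SecurityContext struct {
	AllowPrivilegeEscalation *bool
	RunAsNonRoot             *bool
	Capabilities             *Capabilities
}
type Container struct {
	Name            string
	SecurityContext *SecurityContext
}
func boolPtr(b bool) *bool { return &b }
// RestrictedViolations reproduces the three "restricted:latest" findings from
// the issue output, in the order the admission controller prints them.
func RestrictedViolations(c Container) []string {
	sc := c.SecurityContext
	if sc == nil {
		sc = &SecurityContext{} // an absent securityContext fails every check
	}
	var v []string
	if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
		v = append(v, fmt.Sprintf("allowPrivilegeEscalation != false (container %q must set securityContext.allowPrivilegeEscalation=false)", c.Name))
	}
	dropsAll := false
	if sc.Capabilities != nil {
		for _, d := range sc.Capabilities.Drop {
			dropsAll = dropsAll || d == "ALL"
		}
	}
	if !dropsAll {
		v = append(v, fmt.Sprintf("unrestricted capabilities (container %q must set securityContext.capabilities.drop=[\"ALL\"])", c.Name))
	}
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		v = append(v, fmt.Sprintf("runAsNonRoot != true (pod or container %q must set securityContext.runAsNonRoot=true)", c.Name))
	}
	return v
}
// RestrictedSecurityContext is the container securityContext that clears all three.
func RestrictedSecurityContext() *SecurityContext {
	return &SecurityContext{
		AllowPrivilegeEscalation: boolPtr(false),
		RunAsNonRoot:             boolPtr(true),
		Capabilities:             &Capabilities{Drop: []string{"ALL"}},
	}
}
```

A container with no securityContext at all, as in the node-joiner pod, trips every check; setting only some of the fields leaves the remaining findings in place.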