oracle
diff --git a/‎documentation/domains/Domain.json
Lines changed: 2 additions & 2 deletions b/‎documentation/domains/Domain.json
Lines changed: 2 additions & 2 deletions
diff --git a/‎documentation/domains/Domain.md
Lines changed: 2 additions & 2 deletions b/‎documentation/domains/Domain.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎kubernetes/charts/weblogic-operator/templates/_operator-dep.tpl
Lines changed: 12 additions & 2 deletions b/‎kubernetes/charts/weblogic-operator/templates/_operator-dep.tpl
Lines changed: 12 additions & 2 deletions
diff --git a/‎kubernetes/crd/domain-crd.yaml
Lines changed: 42 additions & 18 deletions b/‎kubernetes/crd/domain-crd.yaml
Lines changed: 42 additions & 18 deletions
diff --git a/‎kubernetes/src/test/java/oracle/kubernetes/operator/create/CreateOperatorGeneratedFilesTestBase.java
Lines changed: 12 additions & 1 deletion b/‎kubernetes/src/test/java/oracle/kubernetes/operator/create/CreateOperatorGeneratedFilesTestBase.java
Lines changed: 12 additions & 1 deletion
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/helpers/BasePodStepContext.java
Lines changed: 2 additions & 1 deletion b/‎operator/src/main/java/oracle/kubernetes/operator/helpers/BasePodStepContext.java
Lines changed: 2 additions & 1 deletion
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/helpers/FluentdHelper.java
Lines changed: 1 addition & 1 deletion b/‎operator/src/main/java/oracle/kubernetes/operator/helpers/FluentdHelper.java
Lines changed: 1 addition & 1 deletion
@@ -850,7 +850,7 @@
           "type": "string"
         },
         "podSecurityContext": {
-          "description": "Pod-level security attributes. See `kubectl explain pods.spec.securityContext`.",
+          "description": "Pod-level security attributes. See `kubectl explain pods.spec.podSecurityContext`. Beginning with operator version 3.4.7, if no value is specified for this field, the operator will use default content for the pod-level `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/.",
           "$ref": "https://github.com/garethr/kubernetes-json-schema/blob/master/v1.13.5/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext"
         },
         "priorityClassName": {
@@ -901,7 +901,7 @@
           "$ref": "#/definitions/ProbeTuning"
         },
         "containerSecurityContext": {
-          "description": "Container-level security attributes. Will override any matching Pod-level attributes. See `kubectl explain pods.spec.containers.securityContext`.",
+          "description": "Container-level security attributes. Will override any matching Pod-level attributes. See `kubectl explain pods.spec.containers.securityContext`. Beginning with operator version 3.4.7, if no value is specified for this field, the operator will use default content for container-level `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/.",
           "$ref": "https://github.com/garethr/kubernetes-json-schema/blob/master/v1.13.5/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext"
         },
         "schedulerName": {
 
@@ -156,15 +156,15 @@ The current status of the operation of the WebLogic domain. Updated automaticall
 | `annotations` | Map | The annotations to be added to generated resources. |
 | `auxiliaryImages` | Array of [Auxiliary Image](#auxiliary-image) | Use an auxiliary image to automatically include directory content from additional images. This is a useful alternative for including Model in Image model files, or other types of files, in a pod without requiring modifications to the pod's base image 'domain.spec.image'. This feature internally uses a Kubernetes emptyDir volume and Kubernetes init containers to share the files from the additional images with the pod. |
 | `containers` | Array of [Container](k8s1.13.5.md#container) | Additional containers to be included in the server Pod. See `kubectl explain pods.spec.containers`. |
-| `containerSecurityContext` | [Security Context](k8s1.13.5.md#security-context) | Container-level security attributes. Will override any matching Pod-level attributes. See `kubectl explain pods.spec.containers.securityContext`. |
+| `containerSecurityContext` | [Security Context](k8s1.13.5.md#security-context) | Container-level security attributes. Will override any matching Pod-level attributes. See `kubectl explain pods.spec.containers.securityContext`. Beginning with operator version 3.4.7, if no value is specified for this field, the operator will use default content for container-level `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/. |
 | `env` | Array of [Env Var](k8s1.13.5.md#env-var) | A list of environment variables to set in the container running a WebLogic Server instance. More info: https://oracle.github.io/weblogic-kubernetes-operator/userguide/managing-domains/domain-resource/#jvm-memory-and-java-option-environment-variables. See `kubectl explain pods.spec.containers.env`. |
 | `hostAliases` | Array of [Host Alias](k8s1.13.5.md#host-alias) | HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts file if specified. This is only valid for non-hostNetwork pods. |
 | `initContainers` | Array of [Container](k8s1.13.5.md#container) | Initialization containers to be included in the server Pod. See `kubectl explain pods.spec.initContainers`. |
 | `labels` | Map | The labels to be added to generated resources. The label names must not start with "weblogic.". |
 | `livenessProbe` | [Probe Tuning](#probe-tuning) | Settings for the liveness probe associated with a WebLogic Server instance. |
 | `nodeName` | string | NodeName is a request to schedule this Pod onto a specific Node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits the resource requirements. See `kubectl explain pods.spec.nodeName`. |
 | `nodeSelector` | Map | Selector which must match a Node's labels for the Pod to be scheduled on that Node. See `kubectl explain pods.spec.nodeSelector`. |
-| `podSecurityContext` | [Pod Security Context](k8s1.13.5.md#pod-security-context) | Pod-level security attributes. See `kubectl explain pods.spec.securityContext`. |
+| `podSecurityContext` | [Pod Security Context](k8s1.13.5.md#pod-security-context) | Pod-level security attributes. See `kubectl explain pods.spec.podSecurityContext`. Beginning with operator version 3.4.7, if no value is specified for this field, the operator will use default content for the pod-level `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/. |
 | `priorityClassName` | string | If specified, indicates the Pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be the default or zero, if there is no default. See `kubectl explain pods.spec.priorityClassName`. |
 | `readinessGates` | Array of [Pod Readiness Gate](k8s1.13.5.md#pod-readiness-gate) | If specified, all readiness gates will be evaluated for Pod readiness. A Pod is ready when all its containers are ready AND all conditions specified in the readiness gates have a status equal to "True". More info: https://github.com/kubernetes/community/blob/master/keps/sig-network/0007-pod-ready%2B%2B.md. |
 | `readinessProbe` | [Probe Tuning](#probe-tuning) | Settings for the readiness probe associated with a WebLogic Server instance. |
 
@@ -33,9 +33,10 @@ spec:
       {{- end }}
     spec:
       serviceAccountName: {{ .serviceAccount | quote }}
-      {{- if .runAsUser }}
+      {{- if (ne ( .kubernetesPlatform | default "Generic" ) "OpenShift") }}
       securityContext:
-        runAsUser: {{ .runAsUser }}
+        seccompProfile:
+          type: RuntimeDefault
       {{- end }}
       {{- with .nodeSelector }}
       nodeSelector:
@@ -103,6 +104,15 @@ spec:
             {{- if .memoryLimits}}
             memory: {{ .memoryLimits }}
             {{- end }}
+        securityContext:
+          {{- if (ne ( .kubernetesPlatform | default "Generic" ) "OpenShift") }}
+          runAsUser: {{ .runAsUser | default 1000 }}
+          {{- end }}
+          runAsNonRoot: true
+          privileged: false
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
         volumeMounts:
         - name: "weblogic-operator-cm-volume"
           mountPath: "/operator/config"
 
@@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    weblogic.sha256: 0682d363f6541bfb919b1488f4b02e2aa6490b6a2a9a28ded5b3c7dbebf23ddd
+    weblogic.sha256: 3e97d0a6aae14bdbaa1f844ac80ab297cec9c4c6be23c3cbb6702d378041ad03
   name: domains.weblogic.oracle
 spec:
   group: weblogic.oracle
@@ -544,8 +544,11 @@ spec:
                           Pod is created. See `kubectl explain pods.spec.serviceAccountName`.
                         type: string
                       podSecurityContext:
-                        description: Pod-level security attributes. See `kubectl explain
-                          pods.spec.securityContext`.
+                        description: 'Pod-level security attributes. See `kubectl
+                          explain pods.spec.podSecurityContext`. Beginning with operator
+                          version 3.4.7, if no value is specified for this field,
+                          the operator will use default content for the pod-level
+                          `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/.'
                         properties:
                           runAsUser:
                             type: number
@@ -721,9 +724,12 @@ spec:
                             type: number
                         type: object
                       containerSecurityContext:
-                        description: Container-level security attributes. Will override
+                        description: 'Container-level security attributes. Will override
                           any matching Pod-level attributes. See `kubectl explain
-                          pods.spec.containers.securityContext`.
+                          pods.spec.containers.securityContext`. Beginning with operator
+                          version 3.4.7, if no value is specified for this field,
+                          the operator will use default content for container-level
+                          `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/.'
                         properties:
                           privileged:
                             type: boolean
@@ -3462,8 +3468,11 @@ spec:
                             Pod is created. See `kubectl explain pods.spec.serviceAccountName`.
                           type: string
                         podSecurityContext:
-                          description: Pod-level security attributes. See `kubectl
-                            explain pods.spec.securityContext`.
+                          description: 'Pod-level security attributes. See `kubectl
+                            explain pods.spec.podSecurityContext`. Beginning with
+                            operator version 3.4.7, if no value is specified for this
+                            field, the operator will use default content for the pod-level
+                            `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/.'
                           type: object
                           properties:
                             runAsUser:
@@ -3642,9 +3651,12 @@ spec:
                                 check is performed.
                               type: number
                         containerSecurityContext:
-                          description: Container-level security attributes. Will override
-                            any matching Pod-level attributes. See `kubectl explain
-                            pods.spec.containers.securityContext`.
+                          description: 'Container-level security attributes. Will
+                            override any matching Pod-level attributes. See `kubectl
+                            explain pods.spec.containers.securityContext`. Beginning
+                            with operator version 3.4.7, if no value is specified
+                            for this field, the operator will use default content
+                            for container-level `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/.'
                           type: object
                           properties:
                             privileged:
@@ -6400,8 +6412,11 @@ spec:
                       See `kubectl explain pods.spec.serviceAccountName`.
                     type: string
                   podSecurityContext:
-                    description: Pod-level security attributes. See `kubectl explain
-                      pods.spec.securityContext`.
+                    description: 'Pod-level security attributes. See `kubectl explain
+                      pods.spec.podSecurityContext`. Beginning with operator version
+                      3.4.7, if no value is specified for this field, the operator
+                      will use default content for the pod-level `securityContext`.
+                      More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/.'
                     properties:
                       runAsUser:
                         type: number
@@ -6574,8 +6589,11 @@ spec:
                         type: number
                     type: object
                   containerSecurityContext:
-                    description: Container-level security attributes. Will override
+                    description: 'Container-level security attributes. Will override
                       any matching Pod-level attributes. See `kubectl explain pods.spec.containers.securityContext`.
+                      Beginning with operator version 3.4.7, if no value is specified
+                      for this field, the operator will use default content for container-level
+                      `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/.'
                     properties:
                       privileged:
                         type: boolean
@@ -9216,8 +9234,11 @@ spec:
                             Pod is created. See `kubectl explain pods.spec.serviceAccountName`.
                           type: string
                         podSecurityContext:
-                          description: Pod-level security attributes. See `kubectl
-                            explain pods.spec.securityContext`.
+                          description: 'Pod-level security attributes. See `kubectl
+                            explain pods.spec.podSecurityContext`. Beginning with
+                            operator version 3.4.7, if no value is specified for this
+                            field, the operator will use default content for the pod-level
+                            `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/.'
                           type: object
                           properties:
                             runAsUser:
@@ -9396,9 +9417,12 @@ spec:
                                 check is performed.
                               type: number
                         containerSecurityContext:
-                          description: Container-level security attributes. Will override
-                            any matching Pod-level attributes. See `kubectl explain
-                            pods.spec.containers.securityContext`.
+                          description: 'Container-level security attributes. Will
+                            override any matching Pod-level attributes. See `kubectl
+                            explain pods.spec.containers.securityContext`. Beginning
+                            with operator version 3.4.7, if no value is specified
+                            for this field, the operator will use default content
+                            for container-level `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/.'
                           type: object
                           properties:
                             privileged:
 
@@ -1,21 +1,25 @@
-// Copyright (c) 2018, 2021, Oracle and/or its affiliates.
+// Copyright (c) 2018, 2023, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.operator.create;
 
 import io.kubernetes.client.custom.Quantity;
+import io.kubernetes.client.openapi.models.V1Capabilities;
 import io.kubernetes.client.openapi.models.V1ClusterRole;
 import io.kubernetes.client.openapi.models.V1ClusterRoleBinding;
 import io.kubernetes.client.openapi.models.V1ConfigMap;
 import io.kubernetes.client.openapi.models.V1Container;
 import io.kubernetes.client.openapi.models.V1Deployment;
 import io.kubernetes.client.openapi.models.V1LabelSelector;
 import io.kubernetes.client.openapi.models.V1Namespace;
+import io.kubernetes.client.openapi.models.V1PodSecurityContext;
 import io.kubernetes.client.openapi.models.V1Probe;
 import io.kubernetes.client.openapi.models.V1ResourceRequirements;
 import io.kubernetes.client.openapi.models.V1Role;
 import io.kubernetes.client.openapi.models.V1RoleBinding;
+import io.kubernetes.client.openapi.models.V1SeccompProfile;
 import io.kubernetes.client.openapi.models.V1Secret;
+import io.kubernetes.client.openapi.models.V1SecurityContext;
 import io.kubernetes.client.openapi.models.V1Service;
 import io.kubernetes.client.openapi.models.V1ServiceAccount;
 import io.kubernetes.client.openapi.models.V1ServiceSpec;
@@ -188,6 +192,8 @@ protected V1Deployment getExpectedWeblogicOperatorDeployment() {
                         .spec(
                             newPodSpec()
                                 .serviceAccountName(getInputs().getServiceAccount())
+                                .securityContext(new V1PodSecurityContext().seccompProfile(
+                                    new V1SeccompProfile().type("RuntimeDefault")))
                                 .addContainersItem(
                                     newContainer()
                                         .name("weblogic-operator")
@@ -217,6 +223,11 @@ protected V1Deployment getExpectedWeblogicOperatorDeployment() {
                                                 .putRequestsItem("cpu", Quantity.fromString("100m"))
                                                 .putRequestsItem(
                                                     "memory", Quantity.fromString("512Mi")))
+                                        .securityContext(
+                                            new V1SecurityContext().runAsUser(1000L)
+                                                .runAsNonRoot(true)
+                                                .privileged(false).allowPrivilegeEscalation(false)
+                                                .capabilities(new V1Capabilities().addDropItem("ALL")))
                                         .addVolumeMountsItem(
                                             newVolumeMount()
                                                 .name("weblogic-operator-cm-volume")
 
@@ -1,4 +1,4 @@
-// Copyright (c) 2019, 2022, Oracle and/or its affiliates.
+// Copyright (c) 2019, 2023, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.operator.helpers;
@@ -127,6 +127,7 @@ protected V1Container createInitContainerForAuxiliaryImage(AuxiliaryImage auxili
             .command(Collections.singletonList(AUXILIARY_IMAGE_INIT_CONTAINER_WRAPPER_SCRIPT))
             .env(createEnv(auxiliaryImage, info.getDomain().getAuxiliaryImageVolumes(), getName(index)))
             .resources(createResources())
+            .securityContext(PodSecurityHelper.getDefaultContainerSecurityContext())
             .volumeMounts(Arrays.asList(
                     new V1VolumeMount().name(getDNS1123auxiliaryImageVolumeName(auxiliaryImage.getVolume()))
                             .mountPath(AUXILIARY_IMAGE_TARGET_PATH),
 
@@ -49,7 +49,7 @@ public static void addFluentdContainer(FluentdSpecification fluentdSpecification
     fluentdContainer.setImage(fluentdSpecification.getImage());
     fluentdContainer.setImagePullPolicy(fluentdSpecification.getImagePullPolicy());
     fluentdContainer.setResources(fluentdSpecification.getResources());
-
+    fluentdContainer.setSecurityContext(PodSecurityHelper.getDefaultContainerSecurityContext());
     addFluentdContainerEnvList(fluentdSpecification, fluentdContainer, domain, isJobPod);
 
     fluentdSpecification.getVolumeMounts()