Merge branch 'container-security' into 'main'

Only set container securityContext to a default value if the pod securityContext is also defaulted

See merge request weblogic-cloud/weblogic-kubernetes-operator!4914

Author: rjeberhard

operator/src/main/java/oracle/kubernetes/operator/helpers/JobStepContext.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2018, 2024, Oracle and/or its affiliates.
+// Copyright (c) 2018, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.operator.helpers;
@@ -514,6 +514,9 @@ V1SecurityContext getInitContainerSecurityContext() {
     if (isInitDomainOnPVRunAsRoot()) {
       return new V1SecurityContext().runAsGroup(0L).runAsUser(0L);
     }
+    if (getServerSpec().getContainerSecurityContext() != null) {
+      return getServerSpec().getContainerSecurityContext();
+    }
     if (getPodSecurityContext().equals(PodSecurityHelper.getDefaultPodSecurityContext())) {
       return PodSecurityHelper.getDefaultContainerSecurityContext();
     }

operator/src/main/java/oracle/kubernetes/operator/helpers/PodHelper.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2017, 2024, Oracle and/or its affiliates.
+// Copyright (c) 2017, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.operator.helpers;
@@ -587,6 +587,9 @@ EffectiveServerSpec getServerSpec() {
 
     @Override
     V1SecurityContext getInitContainerSecurityContext() {
+      if (getServerSpec().getContainerSecurityContext() != null) {
+        return getServerSpec().getContainerSecurityContext();
+      }
       if (getPodSecurityContext().equals(PodSecurityHelper.getDefaultPodSecurityContext())) {
         return PodSecurityHelper.getDefaultContainerSecurityContext();
       }
@@ -895,6 +898,9 @@ protected List<String> getContainerCommand() {
 
     @Override
     V1SecurityContext getInitContainerSecurityContext() {
+      if (getServerSpec().getContainerSecurityContext() != null) {
+        return getServerSpec().getContainerSecurityContext();
+      }
       if (getPodSecurityContext().equals(PodSecurityHelper.getDefaultPodSecurityContext())) {
         return PodSecurityHelper.getDefaultContainerSecurityContext();
       }

operator/src/main/java/oracle/kubernetes/weblogic/domain/model/BaseConfiguration.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2018, 2024, Oracle and/or its affiliates.
+// Copyright (c) 2018, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.weblogic.domain.model;
@@ -298,7 +298,13 @@ void setPodSecurityContext(V1PodSecurityContext podSecurityContext) {
   }
 
   V1SecurityContext getContainerSecurityContext() {
-    return Optional.ofNullable(serverPod.getContainerSecurityContext()).orElse(getDefaultContainerSecurityContext());
+    return Optional.ofNullable(serverPod.getContainerSecurityContext())
+        .orElseGet(() -> {
+          if (serverPod.getPodSecurityContext() == null) {
+            return getDefaultContainerSecurityContext();
+          }
+          return null;
+        });
   }
 
   void setContainerSecurityContext(V1SecurityContext containerSecurityContext) {

operator/src/test/java/oracle/kubernetes/weblogic/domain/model/DomainV2Test.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2018, 2024, Oracle and/or its affiliates.
+// Copyright (c) 2018, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.weblogic.domain.model;
@@ -632,6 +632,26 @@ private void configureDomainWithPodSecurityContext(DomainResource domain) {
     configureAdminServer().withPodSecurityContext(new V1PodSecurityContext().runAsNonRoot(false));
   }
 
+  @Test
+  void whenDefaultContainerSecurityContextConfiguredOnManagedServer() {
+    V1SecurityContext ms1ContainerSecSpec =
+            info.getServer(SERVER1, CLUSTER_NAME).getContainerSecurityContext();
+
+    assertThat(ms1ContainerSecSpec.getRunAsNonRoot(), is(true));
+    assertThat(ms1ContainerSecSpec.getPrivileged(), is(false));
+    assertThat(ms1ContainerSecSpec.getAllowPrivilegeEscalation(), is(false));
+    assertThat(ms1ContainerSecSpec.getCapabilities().getDrop(), contains("ALL"));
+  }
+
+  @Test
+  void whenPodSecurityContextConfiguredNoDefaultContainerSecurityContextOnManagedServer() {
+    configureDomainWithPodSecurityContext(domain);
+    V1SecurityContext ms1ContainerSecSpec =
+            info.getServer(SERVER1, CLUSTER_NAME).getContainerSecurityContext();
+
+    assertThat(ms1ContainerSecSpec, nullValue());
+  }
+
   @Test
   void whenContainerSecurityContextConfiguredOnManagedServerOverrideClusterAndDomain() {
     configureDomainWithContainerSecurityContext(domain);