Merge branch 'wme-container-security' into 'main'

Have monitoring exporter use configured container security

See merge request weblogic-cloud/weblogic-kubernetes-operator!4955

Author: rjeberhard

operator/src/main/java/oracle/kubernetes/operator/helpers/BasePodStepContext.java

@@ -194,7 +194,7 @@ protected V1Container createInitContainerForAuxiliaryImage(DeploymentImage auxil
     container.volumeMounts(mounts);
 
     if (isInitializeDomainOnPV) {
-      container.securityContext(PodSecurityHelper.getDefaultContainerSecurityContext());
+      container.securityContext(getServerSpec().getContainerSecurityContext());
     } else {
       container.securityContext(getInitContainerSecurityContext());
     }

operator/src/main/java/oracle/kubernetes/operator/helpers/FluentbitHelper.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2024, Oracle and/or its affiliates.
+// Copyright (c) 2024, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.operator.helpers;
@@ -18,6 +18,7 @@
 import io.kubernetes.client.openapi.models.V1VolumeMount;
 import oracle.kubernetes.operator.LabelConstants;
 import oracle.kubernetes.operator.LogHomeLayoutType;
+import oracle.kubernetes.operator.processing.EffectiveServerSpec;
 import oracle.kubernetes.weblogic.domain.model.DomainResource;
 import oracle.kubernetes.weblogic.domain.model.FluentbitSpecification;
 
@@ -35,12 +36,14 @@ private FluentbitHelper() {
 
   /**
    * Add sidecar container for fluentbit.
+   * @param serverSpec Server specification
    * @param fluentbitSpecification  FluentbitSpecification.
    * @param containers  List of containers.
    * @param isJobPod  whether it belongs to the introspector job pod.
    * @param domain  Domain.
    */
-  public static void addFluentbitContainer(FluentbitSpecification fluentbitSpecification, List<V1Container> containers,
+  public static void addFluentbitContainer(EffectiveServerSpec serverSpec,
+                                           FluentbitSpecification fluentbitSpecification, List<V1Container> containers,
                                            DomainResource domain, boolean isJobPod, boolean isReadOnlyRootFileSystem) {
     V1Container fluentbitContainer = new V1Container();
 
@@ -57,7 +60,7 @@ public static void addFluentbitContainer(FluentbitSpecification fluentbitSpecifi
     fluentbitContainer.setImage(fluentbitSpecification.getImage());
     fluentbitContainer.setImagePullPolicy(fluentbitSpecification.getImagePullPolicy());
     fluentbitContainer.setResources(fluentbitSpecification.getResources());
-    fluentbitContainer.setSecurityContext(PodSecurityHelper.getDefaultContainerSecurityContext());
+    fluentbitContainer.setSecurityContext(serverSpec.getContainerSecurityContext());
 
     if (fluentbitSpecification.getContainerCommand() != null) {
       fluentbitContainer.setCommand(fluentbitSpecification.getContainerCommand());

operator/src/main/java/oracle/kubernetes/operator/helpers/FluentdHelper.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2018, 2023, Oracle and/or its affiliates.
+// Copyright (c) 2018, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.operator.helpers;
@@ -18,6 +18,7 @@
 import io.kubernetes.client.openapi.models.V1VolumeMount;
 import oracle.kubernetes.operator.LabelConstants;
 import oracle.kubernetes.operator.LogHomeLayoutType;
+import oracle.kubernetes.operator.processing.EffectiveServerSpec;
 import oracle.kubernetes.weblogic.domain.model.DomainResource;
 import oracle.kubernetes.weblogic.domain.model.FluentdSpecification;
 
@@ -35,12 +36,14 @@ private FluentdHelper() {
 
   /**
    * Add sidecar container for fluentd.
+   * @param serverSpec Server specification
    * @param fluentdSpecification  FluentdSpecification.
    * @param containers  List of containers.
    * @param isJobPod  whether it belongs to the introspector job pod.
    * @param domain  Domain.
    */
-  public static void addFluentdContainer(FluentdSpecification fluentdSpecification, List<V1Container> containers,
+  public static void addFluentdContainer(EffectiveServerSpec serverSpec,
+                                         FluentdSpecification fluentdSpecification, List<V1Container> containers,
                                          DomainResource domain, boolean isJobPod, boolean isReadOnlyRootFileSystem) {
 
     V1Container fluentdContainer = new V1Container();
@@ -59,7 +62,7 @@ public static void addFluentdContainer(FluentdSpecification fluentdSpecification
     fluentdContainer.setImage(fluentdSpecification.getImage());
     fluentdContainer.setImagePullPolicy(fluentdSpecification.getImagePullPolicy());
     fluentdContainer.setResources(fluentdSpecification.getResources());
-    fluentdContainer.setSecurityContext(PodSecurityHelper.getDefaultContainerSecurityContext());
+    fluentdContainer.setSecurityContext(serverSpec.getContainerSecurityContext());
 
     if (fluentdSpecification.getContainerCommand() != null) {
       fluentdContainer.setCommand(fluentdSpecification.getContainerCommand());

operator/src/main/java/oracle/kubernetes/operator/helpers/JobStepContext.java

@@ -841,15 +841,15 @@ protected List<V1Container> getContainers() {
     Optional.ofNullable(getDomain().getFluentdSpecification())
         .ifPresent(fluentd -> {
           if (Boolean.TRUE.equals(fluentd.getWatchIntrospectorLogs())) {
-            FluentdHelper.addFluentdContainer(fluentd,
+            FluentdHelper.addFluentdContainer(getServerSpec(), fluentd,
                     containers, getDomain(), true, isReadOnlyRootFileSystem());
           }
         });
 
     Optional.ofNullable(getDomain().getFluentbitSpecification())
             .ifPresent(fluentbit -> {
               if (Boolean.TRUE.equals(fluentbit.getWatchIntrospectorLogs())) {
-                FluentbitHelper.addFluentbitContainer(fluentbit,
+                FluentbitHelper.addFluentbitContainer(getServerSpec(), fluentbit,
                         containers, getDomain(), true, isReadOnlyRootFileSystem());
               }
             });

operator/src/main/java/oracle/kubernetes/operator/helpers/PodStepContext.java

@@ -777,10 +777,10 @@ protected List<V1Container> getContainers() {
     exporterContext.addContainer(containers);
     boolean isReadOnlyRootFileSystem = isReadOnlyRootFileSystem();
     Optional.ofNullable(getDomain().getFluentdSpecification())
-        .ifPresent(fluentd -> addFluentdContainer(fluentd, containers, getDomain(), false,
+        .ifPresent(fluentd -> addFluentdContainer(getServerSpec(), fluentd, containers, getDomain(), false,
                 isReadOnlyRootFileSystem));
     Optional.ofNullable(getDomain().getFluentbitSpecification())
-            .ifPresent(fluentbit -> addFluentbitContainer(fluentbit, containers, getDomain(),
+            .ifPresent(fluentbit -> addFluentbitContainer(getServerSpec(), fluentbit, containers, getDomain(),
                     false, isReadOnlyRootFileSystem));
     return containers;
   }
@@ -1610,7 +1610,7 @@ private V1Container createMonitoringExporterContainer() {
             .image(getDomain().getMonitoringExporterImage())
             .imagePullPolicy(getDomain().getMonitoringExporterImagePullPolicy())
             .resources(getDomain().getMonitoringExporterResources())
-            .securityContext(PodSecurityHelper.getDefaultContainerSecurityContext())
+            .securityContext(getServerSpec().getContainerSecurityContext())
             .addEnvItem(new V1EnvVar().name("JAVA_OPTS").value(createJavaOptions()))
             .addPortsItem(new V1ContainerPort()
                 .name("metrics").protocol("TCP").containerPort(getPort()));