From 6be54e3f0dac2f15f4abfb5b89f4dcfc4da435c9 Mon Sep 17 00:00:00 2001
From: Shachar Sharon
Date: Thu, 9 Mar 2023 13:24:49 +0200
Subject: [PATCH] resources: set SecurityContext for privileged containers

Define explicit SecurityContext entry for containers which require privileged capabilities. Required when running over OpenShift cluster.

Signed-off-by: Shachar Sharon
---
 internal/resources/pods.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/internal/resources/pods.go b/internal/resources/pods.go
index 9021519c..81e8cd39 100644
--- a/internal/resources/pods.go
+++ b/internal/resources/pods.go
@@ -482,6 +482,7 @@ func buildSmbdCtr(
 },
 },
 },
+ SecurityContext: ctrPrivSecurityContext(),
 }
 }
@@ -589,6 +590,7 @@ func buildSvcWatchCtr(
 Name: "svc-watch",
 Env: env,
 VolumeMounts: mounts,
+ SecurityContext: ctrPrivSecurityContext(),
 }
 }
@@ -621,6 +623,7 @@ func buildEnsureShareCtr(
 Args: planner.Args().EnsureSharePaths(),
 Env: env,
 VolumeMounts: mounts,
+ SecurityContext: ctrPrivSecurityContext(),
 }
 }
@@ -838,3 +841,10 @@ func imagePullPolicy(pl *pln.Planner) corev1.PullPolicy {
 }
 return pullPolicy
 }
+
+func ctrPrivSecurityContext() *corev1.SecurityContext {
+ return &corev1.SecurityContext{
+ Privileged: &[]bool{true}[0],
+ RunAsNonRoot: &[]bool{false}[0],
+ }
+}
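Review bot: The added `SecurityContext: ctrPrivSecurityContext()` line makes the smbd container privileged, but nothing at the call site records which operation actually needs host-level privilege; the same applies to the identical lines in the buildSvcWatchCtr and buildEnsureShareCtr hunks. A privileged container holds every capability and sees the host's devices, so for the container that presumably terminates client SMB connections a process compromise becomes a node compromise, and a later reviewer has no way to tell whether a narrower capability set would do. A one-line comment at each site, e.g. `// privileged: needed on OpenShift for <operation — fill in>; see ctrPrivSecurityContext`, would pin the justification to the code and make a future narrowing to specific capabilities tractable. The enclosing functions buildSmbdCtr, buildSvcWatchCtr and buildEnsureShareCtr all start outside their hunks.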
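Review bot: ctrPrivSecurityContext is a new function with no doc comment, and the `&[]bool{true}[0]` / `&[]bool{false}[0]` construction obscures what are two plain pointer-to-bool values; a doc comment should state that this context is shared by the three privileged containers and what Privileged implies, so it is not reused casually. `RunAsNonRoot: false` is also the behaviour the field has when left nil, so it should either be dropped or kept with a comment saying the root user is deliberate. On OpenShift, presumably the pod's service account must additionally be permitted the privileged SCC for a spec with this context to be admitted; that is outside this file but worth a pointer in the comment. Rewritten with named locals and documentation:
```go
// ctrPrivSecurityContext returns the SecurityContext shared by the smbd,
// svc-watch and ensure-share containers. Privileged grants the container
// every capability and access to host devices, so do not reuse it for
// containers that do not need that level of access.
func ctrPrivSecurityContext() *corev1.SecurityContext {
	privileged := true
	runAsNonRoot := false // deliberate: these containers run as root
	return &corev1.SecurityContext{
		Privileged:   &privileged,
		RunAsNonRoot: &runAsNonRoot,
	}
}
```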