On Kubernetes environments with strict securityContext policies, the builder and demomode pods cannot start

[arheom]

Describe the bug

On Kubernetes environments with strict securityContext policies, the builder and demomode pods cannot start. Currently, the builder is taking the specs from the builder yaml from configuration, but it does not take also the container specs, where some securityContext policies are defined. Also the demomode pod takes the specs from the deployment.jkube.yaml, but only partially, leaving out the securityContext.

More information inside the discussion item: #1364

Steps to reproduce the behavior

1. Add securityContext elements to the builder and demomode pods
2. Run them, and check the yaml of the k8s files
3. The securityContext is not taken from the configuration

Variant

Web Application

Container Management (if applicable)

Kubernetes

Operating System (if applicable)

None

Version

4.8.0

Relevant log output

No response

[arheom]

I will assign it to me and extend the code to take also the securityContext specs into consideration.

[mgubaidullin]

How are you planning to achieve that?

[arheom]

I see 2 options to do it:

1. To extend the current code to also take the securityContext specs specifically (like currently done with the env specs).
2. Or to initialize the pod specs with the full builder / deployment specs and overwrite only what is minimum needed when creating the pods. So, here we dont take specifically the securityContext, but if it is defined, it will be taken automatically. I tend more to this solution, as it allows future extensibility on the specs, outside of the securityContext.
   What do you think? Or do you see a third option?

[mgubaidullin]

The first option would be secure to implement, because much of the logic in creating the build container code is conditional. Implementing a full builder specification might require a lot of users to upgrade.