Skip to content

Fix/securitycontext runasuser #1171

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
EItanya merged 4 commits into from
Dec 11, 2025
Merged

Fix/securitycontext runasuser #1171

EItanya merged 4 commits into from
Dec 11, 2025

Conversation

@Raghavendiran-2002
Copy link
Contributor

@Raghavendiran-2002 Raghavendiran-2002 commented Dec 10, 2025

Fix: Apply Security Context Fields from Agent Spec to Generated Pods

Fixes #1083

Problem

The kagent controller was not applying runAsUser and other security context fields from the Agent's deployment.securityContext and deployment.podSecurityContext to the generated pod specifications. This caused pods to fail with CreateContainerConfigError when container images have non-numeric users.

Current Behavior: Only runAsNonRoot and allowPrivilegeEscalation were being applied to pods, while runAsUser, runAsGroup, fsGroup, and capabilities were ignored.

Expected Behavior: All security context fields from the Agent spec should be properly propagated to the pod template.

Solution

This PR adds support for both pod-level and container-level security contexts in the Agent API and ensures they are properly propagated to generated pods and containers.

Changes Made

1. API Changes (go/api/v1alpha2/agent_types.go)

  • Added SecurityContext *corev1.SecurityContext to SharedDeploymentSpec for container-level security context
  • Added PodSecurityContext *corev1.PodSecurityContext to SharedDeploymentSpec for pod-level security context

2. Internal Struct Updates (go/internal/controller/translator/agent/adk_api_translator.go)

  • Added SecurityContext and PodSecurityContext fields to the resolvedDeployment struct

3. Resolver Functions

  • resolveInlineDeployment: Now copies SecurityContext and PodSecurityContext from the Agent spec
  • resolveByoDeployment: Now copies SecurityContext and PodSecurityContext from the Agent spec

4. Manifest Building (buildManifest function)

  • Pod-level security context: PodSecurityContext from the Agent spec is applied to PodSpec.securityContext, which includes fields like:

    • runAsUser, runAsGroup, runAsNonRoot
    • fsGroup, supplementalGroups
    • seLinuxOptions, seccompProfile

  • Container-level security context: SecurityContext from the Agent spec is applied to container SecurityContext, which includes fields like:

    • runAsUser, runAsGroup, runAsNonRoot
    • capabilities, allowPrivilegeEscalation
    • readOnlyRootFilesystem, privileged

  • Sandbox compatibility: When needSandbox is true (for skills or code execution), the Privileged flag is set appropriately while preserving user-provided security context settings

  • Init containers: Security context is also applied to init containers (e.g., skills-init container)

5. Code Generation

  • Ran make generate to update the generated deepcopy methods for the new fields

How It Works

  1. Pod-level security context: The podSecurityContext field from the Agent spec is directly applied to PodSpec.securityContext, affecting all containers in the pod.

  2. Container-level security context: The securityContext field from the Agent spec is applied to each container's SecurityContext. When sandbox mode is required (for skills or code execution), the Privileged flag is merged with user-provided settings.

  3. Priority: User-provided security context settings take precedence, with sandbox requirements merged in when necessary.

Testing

Unit Tests:

  • Verified that security context fields are properly copied in resolver functions
  • Confirmed that security context is correctly applied to pod and container specs in manifest building

Manual Testing:

  • Verified that pods are created successfully with runAsUser specified (e.g., runAsUser: 1000)
  • Confirmed that security context fields (runAsUser, runAsGroup, fsGroup, capabilities) are properly applied to both main containers and init containers
  • Tested sandbox mode compatibility (skills and code execution) with custom security contexts
  • Validated that CreateContainerConfigError is resolved when container images have non-numeric users
  • Verified that both podSecurityContext and securityContext from Agent spec are correctly propagated to pod template

Code Quality:

  • Ran make lint to ensure code style compliance
  • All existing tests pass

Documentation

  • API changes are self-documenting through the CRD schema
  • No additional documentation updates required as this fixes existing functionality

Checklist

  • Code follows project style guidelines (Go Code Review Comments)
  • Ran make lint and fixed any issues
  • Ran make generate to update generated code
  • Changes are tested and verified
  • All commits are signed off (DCO)

Related Issues

@Raghavendiran-2002 Raghavendiran-2002 force-pushed the fix/securitycontext-runasuser branch from d507850 to 05b4cc8 Compare December 10, 2025 17:36
EItanya
EItanya previously approved these changes Dec 10, 2025
View reviewed changes
Copy link
Contributor

@EItanya EItanya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR, seems great to me :)

@Raghavendiran-2002
Fix: propagate runAsUser and related security context fields to pods
495fff6 
Signed-off-by: Raghavendiran-2002 <raghavendiran46461@gmail.com>
@Raghavendiran-2002
Fix: propagate runAsUser and related security context fields to pods
46e2858 
Signed-off-by: Raghavendiran-2002 <raghavendiran46461@gmail.com>
@Raghavendiran-2002
Fix: propagate runAsUser and related security context fields to pods
26478f5 
Signed-off-by: Raghavendiran-2002 <raghavendiran46461@gmail.com>
@Raghavendiran-2002
Fix: propagate runAsUser and related security context fields to pods
a28ac78 
Signed-off-by: Raghavendiran-2002 <raghavendiran46461@gmail.com>
@Raghavendiran-2002 Raghavendiran-2002 force-pushed the fix/securitycontext-runasuser branch from c346965 to a28ac78 Compare December 11, 2025 14:46
@EItanya EItanya merged commit bfe15ba into kagent-dev:main Dec 11, 2025
17 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Dec 11, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@EItanya EItanya EItanya approved these changes

@ilackarms ilackarms Awaiting requested review from ilackarms ilackarms is a code owner

@yuval-k yuval-k Awaiting requested review from yuval-k yuval-k is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] Controller not applying runAsUser from Agent securityContext to pod containers

2 participants

@Raghavendiran-2002 @EItanya