From 5431b942b9b682d8e899ec3567273cb8a5729c01 Mon Sep 17 00:00:00 2001
From: cgruver
Date: Fri, 20 Feb 2026 20:20:06 +0000
Subject: [PATCH] Add CAP_CHOWN when hostUsers: false and procMount: Unmasked
Signed-off-by: cgruver
---
 api/v2/checluster_types.go | 2 +-
 .../manifests/org.eclipse.che_checlusters.yaml | 1 +
 .../manifests/org.eclipse.che_checlusters.yaml | 1 +
 config/crd/bases/org.eclipse.che_checlusters.yaml | 1 +
 deploy/deployment/kubernetes/combined.yaml | 1 +
 ...clusters.org.eclipse.che.CustomResourceDefinition.yaml | 1 +
 deploy/deployment/openshift/combined.yaml | 1 +
 ...clusters.org.eclipse.che.CustomResourceDefinition.yaml | 1 +
 ...clusters.org.eclipse.che.CustomResourceDefinition.yaml | 1 +
 ...clusters.org.eclipse.che.CustomResourceDefinition.yaml | 1 +
 pkg/deploy/container-capabilities/container_run.go | 2 +-
 .../dev-workspace-config/dev_workspace_config_test.go | 8 ++++----
 12 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/api/v2/checluster_types.go b/api/v2/checluster_types.go
index ecdd5cc82..f072a00a0 100644
--- a/api/v2/checluster_types.go
+++ b/api/v2/checluster_types.go
@@ -914,7 +914,7 @@ type ContainerRunConfiguration struct {
 // which safely isolates the container's `/proc` from the host. This allows the container
 // to modify its own sysctl settings for configuring networking for nested containers.
 // +optional
- // +kubebuilder:default:={procMount: "Unmasked", allowPrivilegeEscalation: true, capabilities: {add: {"SETGID", "SETUID"}}}
+ // +kubebuilder:default:={procMount: "Unmasked", allowPrivilegeEscalation: true, capabilities: {add: {"SETGID", "SETUID", "CHOWN"}}}
 ContainerSecurityContext *corev1.SecurityContext `json:"containerSecurityContext,omitempty"`
 }
diff --git a/bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml b/bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml
index f44a38f8d..bb01e2584 100644
--- a/bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml
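Review bot: The new `+kubebuilder:default` on `ContainerSecurityContext` grants CAP_CHOWN unconditionally whenever the field is omitted, while the commit title scopes the change to `hostUsers: false`; nothing in this hunk ties the default to a user namespace, and the doc comment above it still explains only procMount and sysctls. CAP_CHOWN is tolerable here largely because, inside a user namespace, it is confined to the UIDs mapped into the pod; where user namespaces are unavailable or a workspace runs with host users, the same default lets workspace processes re-own any file on their mounted volumes as a real host UID. I would record both the purpose and the caveat in the field comment, e.g. `// CHOWN lets processes in the workspace's user namespace (hostUsers: false) change file ownership within the mapped UID range; it is meant to be paired with user namespaces and should not be defaulted for workspaces that run with host users.` The `ContainerRunConfiguration` struct starts before this hunk, so any validation that enforces the pairing would live outside what is shown.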
+++ b/bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml
@@ -5976,6 +5976,7 @@ spec:
 add:
 - SETGID
 - SETUID
+ - CHOWN
 procMount: Unmasked
 description: |-
 SecurityContext applied to all workspace containers when run capabilities are enabled.
diff --git a/bundle/stable/eclipse-che/manifests/org.eclipse.che_checlusters.yaml b/bundle/stable/eclipse-che/manifests/org.eclipse.che_checlusters.yaml
index 1f4d975c8..be485dd4e 100644
--- a/bundle/stable/eclipse-che/manifests/org.eclipse.che_checlusters.yaml
+++ b/bundle/stable/eclipse-che/manifests/org.eclipse.che_checlusters.yaml
@@ -5976,6 +5976,7 @@ spec:
 add:
 - SETGID
 - SETUID
+ - CHOWN
 procMount: Unmasked
 description: |-
 SecurityContext applied to all workspace containers when run capabilities are enabled.
diff --git a/config/crd/bases/org.eclipse.che_checlusters.yaml b/config/crd/bases/org.eclipse.che_checlusters.yaml
index 42612a544..4608fda7d 100644
--- a/config/crd/bases/org.eclipse.che_checlusters.yaml
+++ b/config/crd/bases/org.eclipse.che_checlusters.yaml
@@ -5934,6 +5934,7 @@ spec:
 add:
 - SETGID
 - SETUID
+ - CHOWN
 procMount: Unmasked
 description: |-
 SecurityContext applied to all workspace containers when run capabilities are enabled.
diff --git a/deploy/deployment/kubernetes/combined.yaml b/deploy/deployment/kubernetes/combined.yaml
index 3b070b5ee..77b8b59a0 100644
--- a/deploy/deployment/kubernetes/combined.yaml
+++ b/deploy/deployment/kubernetes/combined.yaml
@@ -5955,6 +5955,7 @@ spec:
 add:
 - SETGID
 - SETUID
+ - CHOWN
 procMount: Unmasked
 description: |-
 SecurityContext applied to all workspace containers when run capabilities are enabled.
diff --git a/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml
index 102fdcb6b..5c8652a92 100644
--- a/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml
+++ b/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml
@@ -5950,6 +5950,7 @@ spec:
 add:
 - SETGID
 - SETUID
+ - CHOWN
 procMount: Unmasked
 description: |-
 SecurityContext applied to all workspace containers when run capabilities are enabled.
diff --git a/deploy/deployment/openshift/combined.yaml b/deploy/deployment/openshift/combined.yaml
index 4d1c407af..fbe7ec8f5 100644
--- a/deploy/deployment/openshift/combined.yaml
+++ b/deploy/deployment/openshift/combined.yaml
@@ -5955,6 +5955,7 @@ spec:
 add:
 - SETGID
 - SETUID
+ - CHOWN
 procMount: Unmasked
 description: |-
 SecurityContext applied to all workspace containers when run capabilities are enabled.
diff --git a/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml
index a87f52a93..6ce01d25f 100644
--- a/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml
+++ b/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml
@@ -5950,6 +5950,7 @@ spec:
 add:
 - SETGID
 - SETUID
+ - CHOWN
 procMount: Unmasked
 description: |-
 SecurityContext applied to all workspace containers when run capabilities are enabled.
diff --git a/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml
index 102fdcb6b..5c8652a92 100644
--- a/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml
+++ b/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml
@@ -5950,6 +5950,7 @@ spec:
 add:
 - SETGID
 - SETUID
+ - CHOWN
 procMount: Unmasked
 description: |-
 SecurityContext applied to all workspace containers when run capabilities are enabled.
diff --git a/helmcharts/stable/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/helmcharts/stable/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml
index c61793a64..2cefafc76 100644
--- a/helmcharts/stable/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml
+++ b/helmcharts/stable/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml
@@ -5950,6 +5950,7 @@ spec:
 add:
 - SETGID
 - SETUID
+ - CHOWN
 procMount: Unmasked
 description: |-
 SecurityContext applied to all workspace containers when run capabilities are enabled.
diff --git a/pkg/deploy/container-capabilities/container_run.go b/pkg/deploy/container-capabilities/container_run.go
index 80b6a5594..c08833d1a 100644
--- a/pkg/deploy/container-capabilities/container_run.go
+++ b/pkg/deploy/container-capabilities/container_run.go
@@ -47,7 +47,7 @@ func (r *ContainerRun) getSCCSpec(sccName string) *securityv1.SecurityContextCon
 AllowHostPorts: false,
 AllowPrivilegeEscalation: pointer.Bool(true),
 AllowPrivilegedContainer: false,
- AllowedCapabilities: []corev1.Capability{"SETUID", "SETGID"},
+ AllowedCapabilities: []corev1.Capability{"SETUID", "SETGID", "CHOWN"},
 DefaultAddCapabilities: nil,
 FSGroup: securityv1.FSGroupStrategyOptions{
 Type: securityv1.FSGroupStrategyMustRunAs,
diff --git a/pkg/deploy/dev-workspace-config/dev_workspace_config_test.go b/pkg/deploy/dev-workspace-config/dev_workspace_config_test.go
index dd67e6fca..655907256 100644
--- a/pkg/deploy/dev-workspace-config/dev_workspace_config_test.go
+++ b/pkg/deploy/dev-workspace-config/dev_workspace_config_test.go
@@ -827,7 +827,7 @@ func TestReconcileDevWorkspaceConfigForContainerCapabilities(t *testing.T) {
 ContainerSecurityContext: &corev1.SecurityContext{
 ProcMount: &unmasked,
 Capabilities: &corev1.Capabilities{
- Add: []corev1.Capability{"SETUID", "SETGID"},
+ Add: []corev1.Capability{"SETUID", "SETGID", "CHOWN"},
 },
 },
 },
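Review bot: `AllowedCapabilities` now permits CHOWN for any pod admitted by this SCC, and the hunk shows nothing that restricts the grant to pods running with `hostUsers: false`; with `AllowPrivilegeEscalation` already `pointer.Bool(true)` two lines above, a pod admitted without a user namespace could request CHOWN and re-own files on its volumes as a real host UID. If the OpenShift releases this operator targets expose the SCC `userNamespaceLevel` field, consider setting it to require pod-level user namespaces so the capability is only grantable in that mode; otherwise record the assumption next to the list, e.g. `// CHOWN is allowed (never default-added) only for workspaces running with hostUsers: false, where it is confined to the pod's user namespace.` The diffstat lists no test change for this file, so an assertion that the generated SCC carries exactly `SETUID`, `SETGID`, `CHOWN` would be worth adding alongside the dev_workspace_config_test updates. `getSCCSpec` starts before this hunk and continues past it.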
@@ -845,7 +845,7 @@ func TestReconcileDevWorkspaceConfigForContainerCapabilities(t *testing.T) {
 ContainerSecurityContext: &corev1.SecurityContext{
 ProcMount: &unmasked,
 Capabilities: &corev1.Capabilities{
- Add: []corev1.Capability{"SETUID", "SETGID"},
+ Add: []corev1.Capability{"SETUID", "SETGID", "CHOWN"},
 },
 },
 DeploymentStrategy: "Recreate",
@@ -961,7 +961,7 @@ func TestReconcileDevWorkspaceConfigForContainerCapabilities(t *testing.T) {
 ContainerSecurityContext: &corev1.SecurityContext{
 ProcMount: &unmasked,
 Capabilities: &corev1.Capabilities{
- Add: []corev1.Capability{"SETUID", "SETGID"},
+ Add: []corev1.Capability{"SETUID", "SETGID", "CHOWN"},
 },
 },
 },
@@ -979,7 +979,7 @@ func TestReconcileDevWorkspaceConfigForContainerCapabilities(t *testing.T) {
 ContainerSecurityContext: &corev1.SecurityContext{
 ProcMount: &unmasked,
 Capabilities: &corev1.Capabilities{
- Add: []corev1.Capability{"SETUID", "SETGID"},
+ Add: []corev1.Capability{"SETUID", "SETGID", "CHOWN"},
 },
 },
 DeploymentStrategy: "Recreate",