
Conversation

@dronenb dronenb commented Nov 7, 2025

Fixes #2138

…pods

Signed-off-by: Ben Dronen <dronenb@users.noreply.github.com>
@openshift-ci openshift-ci bot requested review from bfournie and zaneb November 7, 2025 20:08

coderabbitai bot commented Nov 7, 2025

Walkthrough

Adds SecurityContext configurations to the node-joiner and node-joiner-monitor containers in the oc adm node-image command's pod specifications. Both containers now enforce non-root execution, disallow privilege escalation, and drop all default capabilities.

Changes

Cohort / File(s): Change Summary

Security context enforcement (pkg/cli/admin/nodeimage/create.go, pkg/cli/admin/nodeimage/monitor.go): Adds SecurityContext to container specs with AllowPrivilegeEscalation: false, RunAsNonRoot: true, and Capabilities.Drop: ["ALL"]

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Changes are localized to two files with identical security context configurations applied consistently across both containers.
  • No logic changes, control flow modifications, or new functionality introduced.

Assessment against linked issues

Objective Addressed Explanation
Set SecurityContext on node-joiner container in create command [#2138]
Set SecurityContext on node-joiner-monitor container in monitor command [#2138]

@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Nov 7, 2025

openshift-ci bot commented Nov 7, 2025

Hi @dronenb. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@dronenb dronenb changed the title fix(nodeimage): add PodSecurityContext to image creation and monitor pods fix(nodeimage): add SecurityContext to image creation and monitor containers Nov 7, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
pkg/cli/admin/nodeimage/monitor.go (1)

290-296: LGTM! Security context correctly addresses PodSecurity violations.

The SecurityContext configuration properly satisfies the "restricted:latest" PodSecurity requirements identified in issue #2138. All three mandatory fields are present.

Consider extracting the identical SecurityContext configuration shared with create.go (lines 748-754) into a common helper function to reduce duplication.

Optionally, the boolean pointer pattern &[]bool{false}[0] could be replaced with more idiomatic Go:

```go
// requires: import "k8s.io/utils/ptr"
SecurityContext: &corev1.SecurityContext{
    AllowPrivilegeEscalation: ptr.To(false),
    RunAsNonRoot:             ptr.To(true),
    Capabilities: &corev1.Capabilities{
        Drop: []corev1.Capability{"ALL"},
    },
},
```

This requires importing k8s.io/utils/ptr.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 1c5f490 and 9318d57.

📒 Files selected for processing (2)
  • pkg/cli/admin/nodeimage/create.go (1 hunks)
  • pkg/cli/admin/nodeimage/monitor.go (1 hunks)
🧰 Additional context used

📓 Path-based instructions (1): pattern **

⚙️ CodeRabbit configuration file:
  • Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:
  • pkg/cli/admin/nodeimage/create.go
  • pkg/cli/admin/nodeimage/monitor.go
🔇 Additional comments (1)
pkg/cli/admin/nodeimage/create.go (1)

748-754: LGTM! Security context matches monitor.go implementation.

The SecurityContext correctly addresses the PodSecurity violations for the node-joiner container. See the review comment on monitor.go lines 290-296 for suggested refactors regarding code duplication and the boolean pointer pattern.
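Added example, not part of the PR or the oc code base: a stand-alone Go program that builds the shared SecurityContext helper the review suggests extracting, and checks a pod manifest against the same restricted-profile fields the walkthrough and the review discuss, so the before/after difference can be reproduced offline. The corev1 types are a local subset with the real field names and JSON tags (assumed here only so the program builds without k8s.io/api), boolPtr stands in for ptr.To, and the three manifests are constructed for this example rather than taken from create.go or monitor.go. One caveat the review's "all three mandatory fields" line does not mention: the restricted Pod Security Standard also requires a seccompProfile of type RuntimeDefault or Localhost at pod or container level; whether the node-joiner pod specs set one is not visible on this page, so the checker reports it as a separate finding.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Local subset of the corev1 pod types (real field names and JSON tags) so this builds without k8s.io/api.
type Capabilities struct{ Drop []string `json:"drop,omitempty"` }
type SeccompProfile struct{ Type string `json:"type"` }
type SecurityContext struct {
	AllowPrivilegeEscalation *bool           `json:"allowPrivilegeEscalation,omitempty"`
	RunAsNonRoot             *bool           `json:"runAsNonRoot,omitempty"`
	Capabilities             *Capabilities   `json:"capabilities,omitempty"`
	SeccompProfile           *SeccompProfile `json:"seccompProfile,omitempty"`
}
type PodSecurityContext struct{ SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty"` }
type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}
type PodSpec struct {
	SecurityContext *PodSecurityContext `json:"securityContext,omitempty"`
	Containers      []Container         `json:"containers"`
}
type Pod struct{ Spec PodSpec `json:"spec"` }

func boolPtr(b bool) *bool { return &b } // stands in for k8s.io/utils/ptr.To

// RestrictedSecurityContext is the shared helper the review suggested extracting.
func RestrictedSecurityContext() *SecurityContext {
	return &SecurityContext{
		AllowPrivilegeEscalation: boolPtr(false),
		RunAsNonRoot:             boolPtr(true),
		Capabilities:             &Capabilities{Drop: []string{"ALL"}},
	}
}

func seccompAllowed(t string) bool { return t == "RuntimeDefault" || t == "Localhost" }

// RestrictedViolations applies the "restricted" Pod Security Standard checks for the
// three fields the PR sets, plus the seccomp check the same profile enforces; a
// pod-level seccompProfile covers containers that set none.
func RestrictedViolations(pod Pod) []string {
	var out []string
	psc := pod.Spec.SecurityContext
	podSeccomp := psc != nil && psc.SeccompProfile != nil && seccompAllowed(psc.SeccompProfile.Type)
	for _, c := range pod.Spec.Containers {
		sc := c.SecurityContext
		if sc == nil { sc = &SecurityContext{} } // no context at all: every container-level check fails
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, c.Name+": allowPrivilegeEscalation must be false")
		}
		if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
			out = append(out, c.Name+": runAsNonRoot must be true")
		}
		dropAll := false
		if sc.Capabilities != nil {
			for _, d := range sc.Capabilities.Drop {
				dropAll = dropAll || d == "ALL"
			}
		}
		if !dropAll {
			out = append(out, c.Name+": capabilities.drop must contain ALL")
		}
		seccomp := podSeccomp
		if sc.SeccompProfile != nil {
			seccomp = seccompAllowed(sc.SeccompProfile.Type)
		}
		if !seccomp {
			out = append(out, c.Name+": seccompProfile.type must be RuntimeDefault or Localhost")
		}
	}
	return out
}

// ViolationsFromJSON parses a JSON pod manifest (`kubectl get pod -o json` output works).
func ViolationsFromJSON(manifest string) ([]string, error) {
	var pod Pod
	if err := json.Unmarshal([]byte(manifest), &pod); err != nil {
		return nil, err
	}
	return RestrictedViolations(pod), nil
}

// Constructed manifests, not taken from the oc source: node-joiner before the fix,
// with only what the PR adds, and with a pod-level seccomp profile on top of that.
const (
	BeforeFixJSON   = `{"spec":{"containers":[{"name":"node-joiner"}]}}`
	PRFixJSON       = `{"spec":{"containers":[{"name":"node-joiner","securityContext":{"allowPrivilegeEscalation":false,"runAsNonRoot":true,"capabilities":{"drop":["ALL"]}}}]}}`
	WithSeccompJSON = `{"spec":{"securityContext":{"seccompProfile":{"type":"RuntimeDefault"}},"containers":[{"name":"node-joiner","securityContext":{"allowPrivilegeEscalation":false,"runAsNonRoot":true,"capabilities":{"drop":["ALL"]}}}]}}`
)

func main() {
	for _, m := range []string{BeforeFixJSON, PRFixJSON, WithSeccompJSON} {
		v, err := ViolationsFromJSON(m)
		fmt.Println(len(v), "violation(s):", v, err)
	}
}
```

Run it with `go run` to see the before-fix manifest produce four findings, the PR's container-level context reduce that to the single seccomp finding, and the pod-level RuntimeDefault profile clear it. The checker reads the JSON that `oc get pod -o json` emits, so the same function can be pointed at the live node-joiner pods to confirm what the cluster's Pod Security Admission would enforce.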


zaneb commented Dec 3, 2025

/ok-to-test
/lgtm

@openshift-ci openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 3, 2025
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 3, 2025

openshift-ci bot commented Dec 3, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dronenb, zaneb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 3, 2025

zaneb commented Dec 10, 2025

/test e2e-agent-compact-ipv4


openshift-ci bot commented Dec 10, 2025

@dronenb: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                         Commit    Details   Required   Rerun command
ci/prow/e2e-aws-ovn-serial-2of2   9318d57   link      true       /test e2e-aws-ovn-serial-2of2
ci/prow/e2e-aws-ovn-serial-1of2   9318d57   link      true       /test e2e-aws-ovn-serial-1of2
ci/prow/e2e-agent-compact-ipv4    9318d57   link      false      /test e2e-agent-compact-ipv4

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Successfully merging this pull request may close these issues:

oc adm node-image does not set container SecurityContext (#2138)