Only set container securityContext to a default value if the pod securityContext is also defaulted

Author: rjeberhard

operator/src/main/java/oracle/kubernetes/operator/helpers/JobStepContext.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2018, 2024, Oracle and/or its affiliates.
+// Copyright (c) 2018, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.operator.helpers;
@@ -513,6 +513,9 @@ V1SecurityContext getInitContainerSecurityContext() {
     if (isInitDomainOnPVRunAsRoot()) {
       return new V1SecurityContext().runAsGroup(0L).runAsUser(0L);
     }
+    if (getServerSpec().getContainerSecurityContext() != null) {
+      return getServerSpec().getContainerSecurityContext();
+    }
     if (getPodSecurityContext().equals(PodSecurityHelper.getDefaultPodSecurityContext())) {
       return PodSecurityHelper.getDefaultContainerSecurityContext();
     }

operator/src/main/java/oracle/kubernetes/operator/helpers/PodHelper.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2017, 2023, Oracle and/or its affiliates.
+// Copyright (c) 2017, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.operator.helpers;
@@ -572,6 +572,9 @@ EffectiveServerSpec getServerSpec() {
 
     @Override
     V1SecurityContext getInitContainerSecurityContext() {
+      if (getServerSpec().getContainerSecurityContext() != null) {
+        return getServerSpec().getContainerSecurityContext();
+      }
       if (getPodSecurityContext().equals(PodSecurityHelper.getDefaultPodSecurityContext())) {
         return PodSecurityHelper.getDefaultContainerSecurityContext();
       }
@@ -858,6 +861,9 @@ protected List<String> getContainerCommand() {
 
     @Override
     V1SecurityContext getInitContainerSecurityContext() {
+      if (getServerSpec().getContainerSecurityContext() != null) {
+        return getServerSpec().getContainerSecurityContext();
+      }
       if (getPodSecurityContext().equals(PodSecurityHelper.getDefaultPodSecurityContext())) {
         return PodSecurityHelper.getDefaultContainerSecurityContext();
       }

operator/src/main/java/oracle/kubernetes/weblogic/domain/model/BaseConfiguration.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2018, 2024, Oracle and/or its affiliates.
+// Copyright (c) 2018, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.weblogic.domain.model;
@@ -298,7 +298,13 @@ void setPodSecurityContext(V1PodSecurityContext podSecurityContext) {
   }
 
   V1SecurityContext getContainerSecurityContext() {
-    return Optional.ofNullable(serverPod.getContainerSecurityContext()).orElse(getDefaultContainerSecurityContext());
+    return Optional.ofNullable(serverPod.getContainerSecurityContext())
+      .orElseGet(() -> {
+        if (serverPod.getPodSecurityContext() == null) {
+          return getDefaultContainerSecurityContext();
+        }
+        return null;
+      });
   }
 
   void setContainerSecurityContext(V1SecurityContext containerSecurityContext) {

operator/src/test/java/oracle/kubernetes/weblogic/domain/model/DomainV2Test.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2018, 2024, Oracle and/or its affiliates.
+// Copyright (c) 2018, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.weblogic.domain.model;
@@ -631,6 +631,26 @@ private void configureDomainWithPodSecurityContext(DomainResource domain) {
     configureAdminServer().withPodSecurityContext(new V1PodSecurityContext().runAsNonRoot(false));
   }
 
+  @Test
+  void whenDefaultContainerSecurityContextConfiguredOnManagedServer() {
+    V1SecurityContext ms1ContainerSecSpec =
+        info.getServer(SERVER1, CLUSTER_NAME).getContainerSecurityContext();
+
+    assertThat(ms1ContainerSecSpec.getRunAsNonRoot(), is(true));
+    assertThat(ms1ContainerSecSpec.getPrivileged(), is(false));
+    assertThat(ms1ContainerSecSpec.getAllowPrivilegeEscalation(), is(false));
+    assertThat(ms1ContainerSecSpec.getCapabilities().getDrop(), contains("ALL"));
+  }
+
+  @Test
+  void whenPodSecurityContextConfiguredNoDefaultContainerSecurityContextOnManagedServer() {
+    configureDomainWithPodSecurityContext(domain);
+    V1SecurityContext ms1ContainerSecSpec =
+        info.getServer(SERVER1, CLUSTER_NAME).getContainerSecurityContext();
+
+    assertThat(ms1ContainerSecSpec, nullValue());
+  }
+
   @Test
   void whenContainerSecurityContextConfiguredOnManagedServerOverrideClusterAndDomain() {
     configureDomainWithContainerSecurityContext(domain);