Custom runtime class and security context (#742)

* Add experimental runtimeClass and securityContext to spec Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2026-05-09 19:06:45 +00:00 · 2026-04-09 10:22:46 +02:00
parent 1808926d44
commit 96d812a3cb
10 changed files with 724 additions and 6 deletions
--- a/pkg/controller/cluster/agent/shared.go
+++ b/pkg/controller/cluster/agent/shared.go
@@ -236,6 +236,23 @@ func (s *SharedAgent) podSpec(ctx context.Context) v1.PodSpec {
 		podSpec.ImagePullSecrets = append(podSpec.ImagePullSecrets, v1.LocalObjectReference{Name: imagePullSecret})
 	}

+	securityContext := s.cluster.Spec.SecurityContext
+	if s.cluster.Status.Policy != nil && s.cluster.Status.Policy.SecurityContext != nil {
+		log.V(1).Info("Using securityContext configuration from policy", "policyName", s.cluster.Status.PolicyName, "clusterName", s.cluster.Name)
+		securityContext = s.cluster.Status.Policy.SecurityContext
+	}
+
+	if securityContext != nil {
+		podSpec.Containers[0].SecurityContext = securityContext
+	}
+
+	runtimeClassName := s.cluster.Spec.RuntimeClassName
+	if s.cluster.Status.Policy != nil && s.cluster.Status.Policy.RuntimeClassName != nil {
+		log.V(1).Info("Using runtimeClassName from policy", "policyName", s.cluster.Status.PolicyName, "clusterName", s.cluster.Name)
+		runtimeClassName = s.cluster.Status.Policy.RuntimeClassName
+	}
+
+	podSpec.RuntimeClassName = runtimeClassName
 	return podSpec
 }

--- a/pkg/controller/cluster/agent/virtual.go
+++ b/pkg/controller/cluster/agent/virtual.go
@@ -272,5 +272,23 @@ func (v *VirtualAgent) podSpec(ctx context.Context, image, name string) v1.PodSp
 		podSpec.ImagePullSecrets = append(podSpec.ImagePullSecrets, v1.LocalObjectReference{Name: imagePullSecret})
 	}

+	securityContext := v.cluster.Spec.SecurityContext
+	if v.cluster.Status.Policy != nil && v.cluster.Status.Policy.SecurityContext != nil {
+		log.V(1).Info("Using securityContext configuration from policy", "policyName", v.cluster.Status.PolicyName, "clusterName", v.cluster.Name)
+		securityContext = v.cluster.Status.Policy.SecurityContext
+	}
+
+	if securityContext != nil {
+		podSpec.Containers[0].SecurityContext = securityContext
+	}
+
+	runtimeClassName := v.cluster.Spec.RuntimeClassName
+	if v.cluster.Status.Policy != nil && v.cluster.Status.Policy.RuntimeClassName != nil {
+		log.V(1).Info("Using runtimeClassName from policy", "policyName", v.cluster.Status.PolicyName, "clusterName", v.cluster.Name)
+		runtimeClassName = v.cluster.Status.Policy.RuntimeClassName
+	}
+
+	podSpec.RuntimeClassName = runtimeClassName
+
 	return podSpec
 }
--- a/pkg/controller/cluster/server/server.go
+++ b/pkg/controller/cluster/server/server.go
@@ -246,6 +246,24 @@ func (s *Server) podSpec(ctx context.Context, image, name string, persistent boo
 		}
 	}

+	securityContext := s.cluster.Spec.SecurityContext
+	if s.cluster.Status.Policy != nil && s.cluster.Status.Policy.SecurityContext != nil {
+		log.V(1).Info("Using securityContext configuration from policy", "policyName", s.cluster.Status.PolicyName, "clusterName", s.cluster.Name)
+		securityContext = s.cluster.Status.Policy.SecurityContext
+	}
+
+	if securityContext != nil {
+		podSpec.Containers[0].SecurityContext = securityContext
+	}
+
+	runtimeClassName := s.cluster.Spec.RuntimeClassName
+	if s.cluster.Status.Policy != nil && s.cluster.Status.Policy.RuntimeClassName != nil {
+		log.V(1).Info("Using runtimeClassName from policy", "policyName", s.cluster.Status.PolicyName, "clusterName", s.cluster.Name)
+		runtimeClassName = s.cluster.Status.Policy.RuntimeClassName
+	}
+
+	podSpec.RuntimeClassName = runtimeClassName
+
 	// specify resource limits if specified for the servers.
 	if s.cluster.Spec.ServerLimit != nil {
 		podSpec.Containers[0].Resources = v1.ResourceRequirements{
--- a/pkg/controller/policy/policy.go
+++ b/pkg/controller/policy/policy.go
@@ -473,12 +473,14 @@ func (c *VirtualClusterPolicyReconciler) reconcileClusters(ctx context.Context,
 		origStatus := cluster.Status.DeepCopy()

 		cluster.Status.Policy = &v1beta1.AppliedPolicy{
-			Name:           policy.Name,
-			PriorityClass:  &policy.Spec.DefaultPriorityClass,
-			NodeSelector:   policy.Spec.DefaultNodeSelector,
-			Sync:           policy.Spec.Sync,
-			ServerAffinity: policy.Spec.DefaultServerAffinity,
-			AgentAffinity:  policy.Spec.DefaultAgentAffinity,
+			Name:             policy.Name,
+			PriorityClass:    &policy.Spec.DefaultPriorityClass,
+			NodeSelector:     policy.Spec.DefaultNodeSelector,
+			Sync:             policy.Spec.Sync,
+			ServerAffinity:   policy.Spec.DefaultServerAffinity,
+			AgentAffinity:    policy.Spec.DefaultAgentAffinity,
+			SecurityContext:  policy.Spec.SecurityContext,
+			RuntimeClassName: policy.Spec.RuntimeClassName,
 		}

 		if !reflect.DeepEqual(origStatus, &cluster.Status) {