Fix/securitycontext runasuser (#1171)

## Fix: Apply Security Context Fields from Agent Spec to Generated Pods

Fixes #1083

### Problem

The kagent controller was not applying `runAsUser` and other security
context fields from the Agent's `deployment.securityContext` and
`deployment.podSecurityContext` to the generated pod specifications.
This caused pods to fail with `CreateContainerConfigError` when
container images have non-numeric users.

**Current Behavior**: Only `runAsNonRoot` and `allowPrivilegeEscalation`
were being applied to pods, while `runAsUser`, `runAsGroup`, `fsGroup`,
and `capabilities` were ignored.

**Expected Behavior**: All security context fields from the Agent spec
should be properly propagated to the pod template.

### Solution

This PR adds support for both pod-level and container-level security
contexts in the Agent API and ensures they are properly propagated to
generated pods and containers.

### Changes Made

#### 1. API Changes (`go/api/v1alpha2/agent_types.go`)
- Added `SecurityContext *corev1.SecurityContext` to
`SharedDeploymentSpec` for container-level security context
- Added `PodSecurityContext *corev1.PodSecurityContext` to
`SharedDeploymentSpec` for pod-level security context

#### 2. Internal Struct Updates
(`go/internal/controller/translator/agent/adk_api_translator.go`)
- Added `SecurityContext` and `PodSecurityContext` fields to the
`resolvedDeployment` struct

#### 3. Resolver Functions
- **`resolveInlineDeployment`**: Now copies `SecurityContext` and
`PodSecurityContext` from the Agent spec
- **`resolveByoDeployment`**: Now copies `SecurityContext` and
`PodSecurityContext` from the Agent spec

#### 4. Manifest Building (`buildManifest` function)
- **Pod-level security context**: `PodSecurityContext` from the Agent
spec is applied to `PodSpec.securityContext`, which includes fields
like:
  - `runAsUser`, `runAsGroup`, `runAsNonRoot`
  - `fsGroup`, `supplementalGroups`
  - `seLinuxOptions`, `seccompProfile`
  
- **Container-level security context**: `SecurityContext` from the Agent
spec is applied to container `SecurityContext`, which includes fields
like:
  - `runAsUser`, `runAsGroup`, `runAsNonRoot`
  - `capabilities`, `allowPrivilegeEscalation`
  - `readOnlyRootFilesystem`, `privileged`
  
- **Sandbox compatibility**: When `needSandbox` is `true` (for skills or
code execution), the `Privileged` flag is set appropriately while
preserving user-provided security context settings

- **Init containers**: Security context is also applied to init
containers (e.g., skills-init container)

#### 5. Code Generation
- Ran `make generate` to update the generated deepcopy methods for the
new fields

### How It Works

1. **Pod-level security context**: The `podSecurityContext` field from
the Agent spec is directly applied to `PodSpec.securityContext`,
affecting all containers in the pod.

2. **Container-level security context**: The `securityContext` field
from the Agent spec is applied to each container's `SecurityContext`.
When sandbox mode is required (for skills or code execution), the
`Privileged` flag is merged with user-provided settings.

3. **Priority**: User-provided security context settings take
precedence, with sandbox requirements merged in when necessary.

### Testing

**Unit Tests**:
- Verified that security context fields are properly copied in resolver
functions
- Confirmed that security context is correctly applied to pod and
container specs in manifest building

**Manual Testing**:
- Verified that pods are created successfully with `runAsUser` specified
(e.g., `runAsUser: 1000`)
- Confirmed that security context fields (`runAsUser`, `runAsGroup`,
`fsGroup`, `capabilities`) are properly applied to both main containers
and init containers
- Tested sandbox mode compatibility (skills and code execution) with
custom security contexts
- Validated that `CreateContainerConfigError` is resolved when container
images have non-numeric users
- Verified that both `podSecurityContext` and `securityContext` from
Agent spec are correctly propagated to pod template

**Code Quality**:
- Ran `make lint` to ensure code style compliance
- All existing tests pass

### Documentation

- API changes are self-documenting through the CRD schema
- No additional documentation updates required as this fixes existing
functionality

### Checklist

- [x] Code follows project style guidelines (Go Code Review Comments)
- [x] Ran `make lint` and fixed any issues
- [x] Ran `make generate` to update generated code
- [x] Changes are tested and verified
- [x] All commits are signed off (DCO)

### Related Issues

- Fixes #1083 - Controller not applying runAsUser from Agent
securityContext to pod containers
- Resolves `CreateContainerConfigError` when container images have
non-numeric users or require specific security context configurations

---------

Signed-off-by: Raghavendiran-2002 <raghavendiran46461@gmail.com>

Author: Raghavendiran-2002

go/api/v1alpha2/agent_types.go

@@ -159,6 +159,10 @@ type SharedDeploymentSpec struct {
 	Affinity *corev1.Affinity `json:"affinity,omitempty"`
 	// +optional
 	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+	// +optional
+	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
+	// +optional
+	PodSecurityContext *corev1.PodSecurityContext `json:"podSecurityContext,omitempty"`
 }
 
 // ToolProviderType represents the tool provider type

go/api/v1alpha2/zz_generated.deepcopy.go

@@ -348,6 +348,10 @@ func (a *adkApiTranslator) buildManifest(
 		if insecure {
 			command = append(command, "--insecure")
 		}
+		initContainerSecurityContext := dep.SecurityContext
+		if initContainerSecurityContext != nil {
+			initContainerSecurityContext = initContainerSecurityContext.DeepCopy()
+		}
 		initContainers = append(initContainers, corev1.Container{
 			Name:    "skills-init",
 			Image:   dep.Image,
@@ -356,9 +360,8 @@ func (a *adkApiTranslator) buildManifest(
 			VolumeMounts: []corev1.VolumeMount{
 				{Name: "kagent-skills", MountPath: "/skills"},
 			},
-			Env: []corev1.EnvVar{
-				skillsEnv,
-			},
+			Env:             []corev1.EnvVar{skillsEnv},
+			SecurityContext: initContainerSecurityContext,
 		})
 		volumes = append(volumes, corev1.Volume{
 			Name: "kagent-skills",
@@ -409,12 +412,22 @@ func (a *adkApiTranslator) buildManifest(
 	// Add hash annotations to pod template to force rollout on agent config or model config secret changes
 	podTemplateAnnotations["kagent.dev/config-hash"] = fmt.Sprintf("%d", cfgHash)
 
+	// Merge container security context: start with user-provided, then apply sandbox requirements
 	var securityContext *corev1.SecurityContext
-	if needSandbox {
+	if dep.SecurityContext != nil {
+		// Deep copy the user-provided security context
+		securityContext = dep.SecurityContext.DeepCopy()
+		// If sandbox is needed, ensure Privileged is set (may override user setting)
+		if needSandbox {
+			securityContext.Privileged = ptr.To(true)
+		}
+	} else if needSandbox {
+		// Only create security context if sandbox is needed
 		securityContext = &corev1.SecurityContext{
 			Privileged: ptr.To(true),
 		}
 	}
+	// If neither user-provided securityContext nor sandbox is needed, securityContext remains nil
 
 	deployment := &appsv1.Deployment{
 		TypeMeta:   metav1.TypeMeta{APIVersion: "apps/v1", Kind: "Deployment"},
@@ -434,6 +447,7 @@ func (a *adkApiTranslator) buildManifest(
 				Spec: corev1.PodSpec{
 					ServiceAccountName: agent.Name,
 					ImagePullSecrets:   dep.ImagePullSecrets,
+					SecurityContext:    dep.PodSecurityContext,
 					InitContainers:     initContainers,
 					Containers: []corev1.Container{{
 						Name:            "kagent",
@@ -1163,17 +1177,19 @@ type resolvedDeployment struct {
 	ImagePullPolicy corev1.PullPolicy
 
 	// SharedDeploymentSpec merged
-	Replicas         *int32
-	ImagePullSecrets []corev1.LocalObjectReference
-	Volumes          []corev1.Volume
-	VolumeMounts     []corev1.VolumeMount
-	Labels           map[string]string
-	Annotations      map[string]string
-	Env              []corev1.EnvVar
-	Resources        corev1.ResourceRequirements
-	Tolerations      []corev1.Toleration
-	Affinity         *corev1.Affinity
-	NodeSelector     map[string]string
+	Replicas           *int32
+	ImagePullSecrets   []corev1.LocalObjectReference
+	Volumes            []corev1.Volume
+	VolumeMounts       []corev1.VolumeMount
+	Labels             map[string]string
+	Annotations        map[string]string
+	Env                []corev1.EnvVar
+	Resources          corev1.ResourceRequirements
+	Tolerations        []corev1.Toleration
+	Affinity           *corev1.Affinity
+	NodeSelector       map[string]string
+	SecurityContext    *corev1.SecurityContext
+	PodSecurityContext *corev1.PodSecurityContext
 }
 
 // getDefaultResources sets default resource requirements if not specified
@@ -1241,21 +1257,23 @@ func (a *adkApiTranslator) resolveInlineDeployment(agent *v1alpha2.Agent, mdd *m
 	}
 
 	dep := &resolvedDeployment{
-		Image:            image,
-		Args:             args,
-		Port:             port,
-		ImagePullPolicy:  imagePullPolicy,
-		Replicas:         spec.Replicas,
-		ImagePullSecrets: slices.Clone(spec.ImagePullSecrets),
-		Volumes:          append(slices.Clone(spec.Volumes), mdd.Volumes...),
-		VolumeMounts:     append(slices.Clone(spec.VolumeMounts), mdd.VolumeMounts...),
-		Labels:           getDefaultLabels(agent.Name, spec.Labels),
-		Annotations:      maps.Clone(spec.Annotations),
-		Env:              append(slices.Clone(spec.Env), mdd.EnvVars...),
-		Resources:        getDefaultResources(spec.Resources), // Set default resources if not specified
-		Tolerations:      slices.Clone(spec.Tolerations),
-		Affinity:         spec.Affinity,
-		NodeSelector:     maps.Clone(spec.NodeSelector),
+		Image:              image,
+		Args:               args,
+		Port:               port,
+		ImagePullPolicy:    imagePullPolicy,
+		Replicas:           spec.Replicas,
+		ImagePullSecrets:   slices.Clone(spec.ImagePullSecrets),
+		Volumes:            append(slices.Clone(spec.Volumes), mdd.Volumes...),
+		VolumeMounts:       append(slices.Clone(spec.VolumeMounts), mdd.VolumeMounts...),
+		Labels:             getDefaultLabels(agent.Name, spec.Labels),
+		Annotations:        maps.Clone(spec.Annotations),
+		Env:                append(slices.Clone(spec.Env), mdd.EnvVars...),
+		Resources:          getDefaultResources(spec.Resources), // Set default resources if not specified
+		Tolerations:        slices.Clone(spec.Tolerations),
+		Affinity:           spec.Affinity,
+		NodeSelector:       maps.Clone(spec.NodeSelector),
+		SecurityContext:    spec.SecurityContext,
+		PodSecurityContext: spec.PodSecurityContext,
 	}
 
 	return dep, nil
@@ -1308,22 +1326,24 @@ func (a *adkApiTranslator) resolveByoDeployment(agent *v1alpha2.Agent) (*resolve
 	}
 
 	dep := &resolvedDeployment{
-		Image:            image,
-		Cmd:              cmd,
-		Args:             args,
-		Port:             port,
-		ImagePullPolicy:  imagePullPolicy,
-		Replicas:         replicas,
-		ImagePullSecrets: slices.Clone(spec.ImagePullSecrets),
-		Volumes:          slices.Clone(spec.Volumes),
-		VolumeMounts:     slices.Clone(spec.VolumeMounts),
-		Labels:           getDefaultLabels(agent.Name, spec.Labels),
-		Annotations:      maps.Clone(spec.Annotations),
-		Env:              slices.Clone(spec.Env),
-		Resources:        getDefaultResources(spec.Resources), // Set default resources if not specified
-		Tolerations:      slices.Clone(spec.Tolerations),
-		Affinity:         spec.Affinity,
-		NodeSelector:     maps.Clone(spec.NodeSelector),
+		Image:              image,
+		Cmd:                cmd,
+		Args:               args,
+		Port:               port,
+		ImagePullPolicy:    imagePullPolicy,
+		Replicas:           replicas,
+		ImagePullSecrets:   slices.Clone(spec.ImagePullSecrets),
+		Volumes:            slices.Clone(spec.Volumes),
+		VolumeMounts:       slices.Clone(spec.VolumeMounts),
+		Labels:             getDefaultLabels(agent.Name, spec.Labels),
+		Annotations:        maps.Clone(spec.Annotations),
+		Env:                slices.Clone(spec.Env),
+		Resources:          getDefaultResources(spec.Resources), // Set default resources if not specified
+		Tolerations:        slices.Clone(spec.Tolerations),
+		Affinity:           spec.Affinity,
+		NodeSelector:       maps.Clone(spec.NodeSelector),
+		SecurityContext:    spec.SecurityContext,
+		PodSecurityContext: spec.PodSecurityContext,
 	}
 
 	return dep, nil