From f16062c7934ec2cb71c4a84e38b42d2978fceb45 Mon Sep 17 00:00:00 2001
From: yetone
Date: Tue, 6 Dec 2022 10:00:23 +0000
Subject: [PATCH] feat: support container security context

---
 controllers/bentodeployment_controller.go | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/controllers/bentodeployment_controller.go b/controllers/bentodeployment_controller.go
index d6a3aa5..5b5417b 100644
--- a/controllers/bentodeployment_controller.go
+++ b/controllers/bentodeployment_controller.go
@@ -1614,6 +1614,29 @@ func (r *BentoDeploymentReconciler) generatePodTemplateSpec(ctx context.Context,
 },
 }
 
+ if resourceAnnotations["yatai.ai/enable-container-privileged"] == consts.KubeLabelTrue {
+ if container.SecurityContext == nil {
+ container.SecurityContext = &corev1.SecurityContext{}
+ }
+ container.SecurityContext.Privileged = &[]bool{true}[0]
+ }
+
+ if resourceAnnotations["yatai.ai/enable-container-ptrace"] == consts.KubeLabelTrue {
+ if container.SecurityContext == nil {
+ container.SecurityContext = &corev1.SecurityContext{}
+ }
+ container.SecurityContext.Capabilities = &corev1.Capabilities{
+ Add: []corev1.Capability{"SYS_PTRACE"},
+ }
+ }
+
+ if resourceAnnotations["yatai.ai/run-container-as-root"] == consts.KubeLabelTrue {
+ if container.SecurityContext == nil {
+ container.SecurityContext = &corev1.SecurityContext{}
+ }
+ container.SecurityContext.RunAsUser = &[]int64{0}[0]
+ }
+
 containers = append(containers, container)
 
 metricsPort := containerPort + 1
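Review bot: All three new branches turn an annotation on the deployment resource into an elevated pod spec, so anyone who can write that object gets the operator to create privileged, root or SYS_PTRACE-capable containers under the operator's own service account, which is a broader grant than the pod-level RBAC most such users hold. Unless an admission policy is assumed to gate this (Pod Security Admission rejects `privileged: true` and an added SYS_PTRACE at the baseline level, but allows `runAsUser: 0` until restricted), the first branch deserves a comment such as `// NOTE: these annotations grant privileged/root execution to anyone who can write the CR; rely on PSA or an operator-level opt-in in hardened clusters.` The ptrace branch also assigns a fresh Capabilities struct, so a Drop list already present on the security context (the nil checks suggest it may be populated earlier) would be silently erased; append to Add instead, as below. generatePodTemplateSpec begins before this hunk and continues after it.
```go
if resourceAnnotations["yatai.ai/enable-container-ptrace"] == consts.KubeLabelTrue {
	if container.SecurityContext == nil {
		container.SecurityContext = &corev1.SecurityContext{}
	}
	// Extend rather than replace, so an existing Drop list survives.
	if container.SecurityContext.Capabilities == nil {
		container.SecurityContext.Capabilities = &corev1.Capabilities{}
	}
	container.SecurityContext.Capabilities.Add = append(container.SecurityContext.Capabilities.Add, "SYS_PTRACE")
}
// … unchanged: privileged and run-as-root branches …
```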