
Conversation

@kurlov
Member

@kurlov kurlov commented Jan 13, 2026

Description

Container.SecurityContext might be nil, and allowPrivilegeEscalation should be set to true explicitly for such cases. Otherwise the allowPrivilegeEscalation policy will not trigger on a container without a securityContext. See the example in the ticket description.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Added unit test
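The behaviour the description relies on is the Kubernetes default: when a container has no `securityContext`, or has one that leaves `allowPrivilegeEscalation` unset, the kubelet does not set `no_new_privs`, so privilege escalation is allowed. A policy that only inspects the field when the struct is present therefore misses exactly the containers that are most exposed. The following is an added example (not code from this PR or from the StackRox code base) showing a policy check that resolves that default before evaluating the rule. The `Container` and `SecurityContext` types are minimal stand-ins constructed for the example, not the `k8s.io/api` or `storage` types, and the sample containers are constructed input.

```go
package main

import "fmt"

// Minimal stand-ins for the Kubernetes Container and SecurityContext shapes.
// Constructed for this example: not the k8s.io/api types and not StackRox's
// storage.SecurityContext.
type SecurityContext struct {
	Privileged               *bool
	AllowPrivilegeEscalation *bool
}

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

func boolPtr(b bool) *bool { return &b }

// EffectiveAllowPrivilegeEscalation returns the value the kubelet actually
// applies. A nil SecurityContext or an unset field both mean "allowed": the
// kubelet only sets no_new_privs when the field is explicitly false, and a
// privileged container always allows escalation.
func EffectiveAllowPrivilegeEscalation(c Container) bool {
	sc := c.SecurityContext
	if sc == nil {
		return true // no securityContext block at all: default is true
	}
	if sc.Privileged != nil && *sc.Privileged {
		return true // privileged implies escalation is allowed regardless of the field
	}
	if sc.AllowPrivilegeEscalation == nil {
		return true // field unset: default is true
	}
	return *sc.AllowPrivilegeEscalation
}

// Violations lists the containers that an "allowPrivilegeEscalation must be
// false" policy should flag once the defaults above have been resolved.
func Violations(containers []Container) []string {
	var out []string
	for _, c := range containers {
		if EffectiveAllowPrivilegeEscalation(c) {
			out = append(out, c.Name)
		}
	}
	return out
}

// SampleContainers is constructed input covering each case the check handles.
func SampleContainers() []Container {
	return []Container{
		{Name: "no-securitycontext"},
		{Name: "empty-securitycontext", SecurityContext: &SecurityContext{}},
		{Name: "explicit-true", SecurityContext: &SecurityContext{AllowPrivilegeEscalation: boolPtr(true)}},
		{Name: "explicit-false", SecurityContext: &SecurityContext{AllowPrivilegeEscalation: boolPtr(false)}},
		// The API server rejects false on a privileged container, but a manifest
		// scanned before admission can still carry this combination.
		{Name: "privileged", SecurityContext: &SecurityContext{Privileged: boolPtr(true), AllowPrivilegeEscalation: boolPtr(false)}},
	}
}

func main() {
	for _, name := range Violations(SampleContainers()) {
		fmt.Printf("policy would fire on container %q\n", name)
	}
}
```

Resolving the default in one place (rather than at every policy that reads the field) is what keeps the nil-struct and unset-field cases from silently passing; only `explicit-false` escapes the rule above.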

@openshift-ci

openshift-ci bot commented Jan 13, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@kurlov kurlov changed the title Rox-32636: Set allowPrivilegeEscalation to true for empty securityContext ROX-32636: Set allowPrivilegeEscalation to true for empty securityContext Jan 13, 2026
@kurlov kurlov changed the title ROX-32636: Set allowPrivilegeEscalation to true for empty securityContext ROX-32636: Set allowPrivilegeEscalation for empty securityContext Jan 13, 2026
@rhacs-bot
Contributor

rhacs-bot commented Jan 13, 2026

Images are ready for the commit at 566a083.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.10.x-766-g566a083b7e.

Contributor

@sourcery-ai sourcery-ai bot left a comment


Hey - I've left some high level feedback:

  • In the tests where defaultSecurityContext is shared across multiple containers, consider creating a fresh &storage.SecurityContext{AllowPrivilegeEscalation: true} per container instead of reusing a single pointer to avoid subtle coupling if tests or code ever mutate the security context.
  • In TestSecurityContext, the conditional reassignment of AllowPrivilegeEscalation after initializing spec := v1.PodSpec{Containers: []v1.Container{{SecurityContext: testCase.securityContext}}} is redundant and can be removed, since the test cases already fully define the SecurityContext instances.

@codecov

codecov bot commented Jan 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 48.92%. Comparing base (e358b34) to head (566a083).
⚠️ Report is 24 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #18468      +/-   ##
==========================================
- Coverage   48.92%   48.92%   -0.01%     
==========================================
  Files        2629     2633       +4     
  Lines      197814   197988     +174     
==========================================
+ Hits        96786    96871      +85     
- Misses      93644    93728      +84     
- Partials     7384     7389       +5     
| Flag | Coverage Δ |
| --- | --- |
| go-unit-tests | 48.92% <100.00%> (-0.01%) ⬇️ |


@kurlov kurlov marked this pull request as ready for review January 14, 2026 16:27
@kurlov kurlov requested a review from a team as a code owner January 14, 2026 16:27
Contributor

@clickboo clickboo left a comment


Left a comment.

@clickboo clickboo self-requested a review January 14, 2026 16:59