feat: add configurable field-level restrictions for container and pod overrides

[tolusha]

What does this PR do?

This PR adds a configurable restriction system for container-overrides and pod-overrides DevWorkspace attributes. Cluster admins can define deny rules in DevWorkspaceOperatorConfig to block specific fields (e.g.
hostNetwork, securityContext.privileged) or specific values (e.g. restartPolicy=Always) from being set via overrides. On Kubernetes, security-sensitive defaults are denied out of the box — such as privileged containers,
running as root, host networking, and hostPath volumes — to match the restrictions that OpenShift enforces natively via SCCs

What issues does this PR fix or reference?

N/A

Is it tested? How?

Create a DevWorkspace with container-overrides, for instance:

attributes:
  container-overrides:
    securityContext: {privileged: true}

PR Checklist

• E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
  • v8-devworkspace-operator-e2e: DevWorkspace e2e test
  • v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

Release Notes

• New Features

  • Added support for restricting which fields can be set via DevWorkspace container-overrides and pod-overrides.
  • Administrators can configure allowed/restricted lists using DevWorkspaceOperatorConfig.spec.config.overrides, with restrictedContainerOverrideFields and restrictedPodOverrideFields.
  • Restrictions are now enforced during devfile-to-workload translation, including applying overrides and rewriting container volume mounts.

• Documentation

  • Updated override-field restriction guidance, including always-restricted fields, supported formats, and Kubernetes vs OpenShift default behavior.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tolusha
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Warning

Review limit reached

@tolusha, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 3 minutes and 7 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4081dfb8-25c5-407f-9de3-b91bc36e13f1

📥 Commits

Reviewing files that changed from the base of the PR and between 5304a6c and 33d89bf.

📒 Files selected for processing (2)

• pkg/library/overrides/container_restrictions.go
• pkg/library/overrides/pod_restrictions.go

📝 Walkthrough

Walkthrough

Introduces a configurable OverrideConfig type with RestrictedContainerOverrideFields and RestrictedPodOverrideFields slices on WorkspaceConfig. Adds a FieldRestriction rules engine, container and pod restriction validators with dot-path traversal, platform-specific defaults (Kubernetes restricts securityContext fields; OpenShift restricts none), and threads the restricted-field lists through the reconciler, override library, and storage provisioners.

Changes

Configurable Override Field Restriction

Layer / File(s)	Summary
OverrideConfig type, deepcopy, and CRD manifests apis/controller/v1alpha1/devworkspaceoperatorconfig_types.go, apis/controller/v1alpha1/zz_generated.deepcopy.go, deploy/bundle/manifests/..., deploy/deployment/kubernetes/..., deploy/deployment/openshift/..., deploy/templates/crd/bases/...	OverrideConfig struct with RestrictedContainerOverrideFields/RestrictedPodOverrideFields added to WorkspaceConfig; deepcopy methods generated; all CRD and deployment YAML manifests updated with the new overrides schema object.
FieldRestriction rules engine and config accessors pkg/library/overrides/restrictions.go	FieldRestriction struct with typed check helpers (string pointer, bool pointer, int32/int64, any-value), checkResources/checkResourceList/checkContainerResourceClaims, and exported GetRestrictedContainerOverrideFields/GetRestrictedPodOverrideFields accessors reading from workspace config.
Container restriction validator and ApplyContainerOverrides wiring pkg/library/overrides/container_restrictions.go, pkg/library/overrides/containers.go, pkg/library/overrides/containers_test.go, pkg/library/overrides/container_restrictions_test.go, pkg/library/overrides/testdata/container-overrides/*	restrictContainerOverride validates top-level container fields, envFrom, volumeMounts, volumeDevices, securityContext, and capabilities against restrictedFields using dot-path traversal. ApplyContainerOverrides gains restrictedFields []string parameter; old hardcoded restriction removed. Comprehensive table-driven tests and fixture updated.
Pod restriction validator and pods.go wiring pkg/library/overrides/pod_restrictions.go, pkg/library/overrides/pods.go, pkg/library/overrides/pod_restrictions_test.go	restrictPodOverride validates containers/initContainers guard, volumes with volumeSourceType matching, securityContext, resource claims, imagePullSecrets, and overhead. pods.go threads restrictedFields through getPodOverrides and GetVolumesFromOverrides. Table-driven tests cover many PodSpec fields and unknown-field stripping.
Platform defaults, mergeConfig, and config initialization pkg/config/defaults.go, pkg/config/sync.go, pkg/config/common_test.go	Kubernetes and OpenShift default OverrideConfig values defined; setDefaultOverrideConfig() selects between them. SetupControllerConfig and SetGlobalConfigForTesting call it. mergeConfig copies restricted field lists; GetCurrentConfigString emits them as diff entries.
Controller and storage call-site wiring controllers/workspace/devworkspace_controller.go, pkg/library/container/container.go, pkg/library/container/container_test.go, pkg/provision/storage/commonStorage.go, pkg/provision/storage/perWorkspaceStorage.go	GetKubeContainersFromDevfile gains restrictedFields []string and passes it to ApplyContainerOverrides for main and init containers. Both ProvisionStorage implementations pass GetRestrictedPodOverrideFields(workspace) into rewriteContainerVolumeMounts → GetVolumesFromOverrides.
Documentation: Restricting override fields docs/dwo-configuration.md	New "Always-restricted override fields" and "Restricting override fields" sections covering restriction syntax, dot-notation, platform defaults, replace-all semantics, Kubernetes bool field limitation, and example YAML for both container and pod overrides.

Sequence Diagram(s)

sequenceDiagram
  rect rgba(70, 130, 180, 0.5)
    Note over Reconcile,ApplyContainerOverrides: Container override path
    Reconcile->>GetKubeContainersFromDevfile: GetRestrictedContainerOverrideFields
    GetKubeContainersFromDevfile->>ApplyContainerOverrides: restrictedFields
    ApplyContainerOverrides->>restrictContainerOverride: override, restrictedFields
    restrictContainerOverride-->>ApplyContainerOverrides: error or nil
  end
  rect rgba(60, 179, 113, 0.5)
    Note over ProvisionStorage,GetVolumesFromOverrides: Pod override and storage path
    ProvisionStorage->>rewriteContainerVolumeMounts: GetRestrictedPodOverrideFields
    rewriteContainerVolumeMounts->>GetVolumesFromOverrides: workspace, restrictedFields
    GetVolumesFromOverrides->>restrictPodOverride: &override.Spec, restrictedFields
    restrictPodOverride-->>ProvisionStorage: error or nil
  end

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~130 minutes

Suggested reviewers

• ibuziuk
• dkwon17
• rohanKanojia

Poem

🐇 A bunny hopped through fields of YAML so wide,
Restricting what containers dare override.
With dot-paths and slices of strings held tight,
No securityContext sneaks past without right.
The operator config now guards the gate —
Both Kube and OpenShift can set their own fate! 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 5.56% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main feature: adding configurable field-level restrictions for container and pod overrides in DevWorkspace.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch overriderestrictions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tolusha]

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

• /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
• /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
• /che-ai-assistant help — Show this help message

[dkwon17]

For container_restrictions.go and pod_restriction.go, I am a bit concerned because we are calling checkString(<field>) for so many container/pod fields.

Have you considered iterating over the fields in DeniedContainerOverrideFields and DeniedPodOverrideFields and checking if those fields exist in the container/pod instead?

Please correct me if I'm wrong but it seems like this PR is checking this the other way around (going over all possible container/pod fields, and checking DeniedContainerOverrideFields/DeniedPodOverrideFields)

[tolusha]

Have you considered iterating over the fields in DeniedContainerOverrideFields and DeniedPodOverrideFields and checking if those fields exist in the container/pod instead?

It is a way complicated

[tolusha]

Done

[codecov]

Codecov Report

❌ Patch coverage is 80.12739% with 156 lines in your changes missing coverage. Please review.
✅ Project coverage is 40.52%. Comparing base (17aefae) to head (16116d3).
⚠️ Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/library/overrides/pod_restrictions.go	78.80%	67 Missing and 4 partials ⚠️
pkg/library/overrides/container_restrictions.go	88.41%	22 Missing and 8 partials ⚠️
apis/controller/v1alpha1/zz_generated.deepcopy.go	0.00%	24 Missing ⚠️
pkg/library/overrides/restrictions.go	84.61%	13 Missing and 3 partials ⚠️
pkg/library/overrides/pods.go	25.00%	4 Missing and 2 partials ⚠️
pkg/config/sync.go	80.95%	3 Missing and 1 partial ⚠️
pkg/config/defaults.go	70.00%	2 Missing and 1 partial ⚠️
pkg/library/container/container.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1653      +/-   ##
==========================================
+ Coverage   37.17%   40.52%   +3.34%     
==========================================
  Files         168      171       +3     
  Lines       14761    15621     +860     
==========================================
+ Hits         5488     6330     +842     
+ Misses       8921     8906      -15     
- Partials      352      385      +33     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[tolusha]

/che-ai-assistant ok-pr-review

Review is complete. Please check the review comments below.

[tolusha]

Code Review Summary

Overall Assessment: Solid implementation of a security-critical feature with excellent test coverage. The restriction system is well-architected with proper defense-in-depth.

Key Highlights:
✅ 2700+ lines of comprehensive test coverage
✅ Security-first Kubernetes defaults aligned with Pod Security Standards
✅ Clean FieldRestriction abstraction with typed check methods
✅ Platform awareness (K8s vs OpenShift defaults)
✅ Defense-in-depth with always-restricted + configurable fields

Primary Concern: Breaking behavioral change on Kubernetes requires release notes and migration guide before merge (see inline comment on defaults.go).

The inline comments below provide specific suggestions for improvements.

[tolusha]

Breaking change: Release notes and migration guide required

The new Kubernetes default restrictions will cause existing DevWorkspaces using security-sensitive overrides to fail after operator upgrade. Any workspace with securityContext.privileged=true, hostNetwork=true, or volumes.hostPath will fail to start.

Required before merge:

• Release notes documenting this breaking change
• Migration guide with two paths:
  1. Set restrictedContainerOverrideFields: [] and restrictedPodOverrideFields: [] in DevWorkspaceOperatorConfig to restore pre-upgrade behavior
  2. Remove restricted overrides from DevWorkspaces before upgrade
• Consider logging a warning when a workspace fails due to new default restrictions

[dkwon17]

Can we add a log message in the cases where the root/remaining is not matched by the case statements?

[dkwon17]

Can we add a log message in the cases where the root/remaining is not matched by the case statements?

[dkwon17]

Tested and LGTM, just a comment