feat: add configurable field-level restrictions for container and pod overrides by tolusha · Pull Request #1653 · devfile/devworkspace-operator

tolusha · 2026-06-19T13:13:20Z

What does this PR do?

This PR adds a configurable restriction system for container-overrides and pod-overrides DevWorkspace attributes. Cluster admins can define deny rules in DevWorkspaceOperatorConfig to block specific fields (e.g.
hostNetwork, securityContext.privileged) or specific values (e.g. restartPolicy=Always) from being set via overrides. On Kubernetes, security-sensitive defaults are denied out of the box — such as privileged containers,
running as root, host networking, and hostPath volumes — to match the restrictions that OpenShift enforces natively via SCCs

What issues does this PR fix or reference?

N/A

Is it tested? How?

Create a DevWorkspace with container-overrides, for instance:

attributes:
  container-overrides:
    securityContext: {privileged: true}

PR Checklist

E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
- v8-devworkspace-operator-e2e: DevWorkspace e2e test
- v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

Release Notes

New Features
- Added support for restricting which fields can be set via DevWorkspace container-overrides and pod-overrides.
- Administrators can configure allowed/restricted lists using DevWorkspaceOperatorConfig.spec.config.overrides, with restrictedContainerOverrideFields and restrictedPodOverrideFields.
- Restrictions are now enforced during devfile-to-workload translation, including applying overrides and rewriting container volume mounts.
Documentation
- Updated override-field restriction guidance, including always-restricted fields, supported formats, and Kubernetes vs OpenShift default behavior.

coderabbitai · 2026-06-19T13:13:38Z

Warning

Review limit reached

@tolusha, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 3 minutes and 7 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4081dfb8-25c5-407f-9de3-b91bc36e13f1

📥 Commits

Reviewing files that changed from the base of the PR and between 5304a6c and 33d89bf.

📒 Files selected for processing (2)

pkg/library/overrides/container_restrictions.go
pkg/library/overrides/pod_restrictions.go

📝 Walkthrough

Walkthrough

Introduces a configurable OverrideConfig type with RestrictedContainerOverrideFields and RestrictedPodOverrideFields slices on WorkspaceConfig. Adds a FieldRestriction rules engine, container and pod restriction validators with dot-path traversal, platform-specific defaults (Kubernetes restricts securityContext fields; OpenShift restricts none), and threads the restricted-field lists through the reconciler, override library, and storage provisioners.

Changes

Configurable Override Field Restriction

Layer / File(s)	Summary
OverrideConfig type, deepcopy, and CRD manifests `apis/controller/v1alpha1/devworkspaceoperatorconfig_types.go`, `apis/controller/v1alpha1/zz_generated.deepcopy.go`, `deploy/bundle/manifests/...`, `deploy/deployment/kubernetes/...`, `deploy/deployment/openshift/...`, `deploy/templates/crd/bases/...`	`OverrideConfig` struct with `RestrictedContainerOverrideFields`/`RestrictedPodOverrideFields` added to `WorkspaceConfig`; deepcopy methods generated; all CRD and deployment YAML manifests updated with the new `overrides` schema object.
FieldRestriction rules engine and config accessors `pkg/library/overrides/restrictions.go`	`FieldRestriction` struct with typed check helpers (string pointer, bool pointer, int32/int64, any-value), `checkResources`/`checkResourceList`/`checkContainerResourceClaims`, and exported `GetRestrictedContainerOverrideFields`/`GetRestrictedPodOverrideFields` accessors reading from workspace config.
Container restriction validator and ApplyContainerOverrides wiring `pkg/library/overrides/container_restrictions.go`, `pkg/library/overrides/containers.go`, `pkg/library/overrides/containers_test.go`, `pkg/library/overrides/container_restrictions_test.go`, `pkg/library/overrides/testdata/container-overrides/*`	`restrictContainerOverride` validates top-level container fields, envFrom, volumeMounts, volumeDevices, securityContext, and capabilities against `restrictedFields` using dot-path traversal. `ApplyContainerOverrides` gains `restrictedFields []string` parameter; old hardcoded restriction removed. Comprehensive table-driven tests and fixture updated.
Pod restriction validator and pods.go wiring `pkg/library/overrides/pod_restrictions.go`, `pkg/library/overrides/pods.go`, `pkg/library/overrides/pod_restrictions_test.go`	`restrictPodOverride` validates containers/initContainers guard, volumes with volumeSourceType matching, securityContext, resource claims, imagePullSecrets, and overhead. `pods.go` threads `restrictedFields` through `getPodOverrides` and `GetVolumesFromOverrides`. Table-driven tests cover many PodSpec fields and unknown-field stripping.
Platform defaults, mergeConfig, and config initialization `pkg/config/defaults.go`, `pkg/config/sync.go`, `pkg/config/common_test.go`	Kubernetes and OpenShift default `OverrideConfig` values defined; `setDefaultOverrideConfig()` selects between them. `SetupControllerConfig` and `SetGlobalConfigForTesting` call it. `mergeConfig` copies restricted field lists; `GetCurrentConfigString` emits them as diff entries.
Controller and storage call-site wiring `controllers/workspace/devworkspace_controller.go`, `pkg/library/container/container.go`, `pkg/library/container/container_test.go`, `pkg/provision/storage/commonStorage.go`, `pkg/provision/storage/perWorkspaceStorage.go`	`GetKubeContainersFromDevfile` gains `restrictedFields []string` and passes it to `ApplyContainerOverrides` for main and init containers. Both `ProvisionStorage` implementations pass `GetRestrictedPodOverrideFields(workspace)` into `rewriteContainerVolumeMounts` → `GetVolumesFromOverrides`.
Documentation: Restricting override fields `docs/dwo-configuration.md`	New "Always-restricted override fields" and "Restricting override fields" sections covering restriction syntax, dot-notation, platform defaults, replace-all semantics, Kubernetes bool field limitation, and example YAML for both container and pod overrides.

Sequence Diagram(s)

sequenceDiagram
  rect rgba(70, 130, 180, 0.5)
    Note over Reconcile,ApplyContainerOverrides: Container override path
    Reconcile->>GetKubeContainersFromDevfile: GetRestrictedContainerOverrideFields
    GetKubeContainersFromDevfile->>ApplyContainerOverrides: restrictedFields
    ApplyContainerOverrides->>restrictContainerOverride: override, restrictedFields
    restrictContainerOverride-->>ApplyContainerOverrides: error or nil
  end
  rect rgba(60, 179, 113, 0.5)
    Note over ProvisionStorage,GetVolumesFromOverrides: Pod override and storage path
    ProvisionStorage->>rewriteContainerVolumeMounts: GetRestrictedPodOverrideFields
    rewriteContainerVolumeMounts->>GetVolumesFromOverrides: workspace, restrictedFields
    GetVolumesFromOverrides->>restrictPodOverride: &override.Spec, restrictedFields
    restrictPodOverride-->>ProvisionStorage: error or nil
  end

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~130 minutes

Suggested reviewers

ibuziuk
dkwon17
rohanKanojia

Poem

🐇 A bunny hopped through fields of YAML so wide,
Restricting what containers dare override.
With dot-paths and slices of strings held tight,
No securityContext sneaks past without right.
The operator config now guards the gate —
Both Kube and OpenShift can set their own fate! 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 5.56% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main feature: adding configurable field-level restrictions for container and pod overrides in DevWorkspace.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch overriderestrictions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

tolusha · 2026-06-19T13:15:36Z

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

/che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
/che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
/che-ai-assistant help — Show this help message

dkwon17 · 2026-06-19T15:55:16Z

+			return err
+		}
+	}
+	if err := rules.checkString("terminationMessagePath", &override.TerminationMessagePath); err != nil {


For container_restrictions.go and pod_restriction.go, I am a bit concerned because we are calling checkString(<field>) for so many container/pod fields.

Have you considered iterating over the fields in DeniedContainerOverrideFields and DeniedPodOverrideFields and checking if those fields exist in the container/pod instead?

Please correct me if I'm wrong but it seems like this PR is checking this the other way around (going over all possible container/pod fields, and checking DeniedContainerOverrideFields/DeniedPodOverrideFields)

Have you considered iterating over the fields in DeniedContainerOverrideFields and DeniedPodOverrideFields and checking if those fields exist in the container/pod instead?

~~It is a way complicated~~

… overrides Signed-off-by: Anatolii Bazko <abazko@redhat.com>

codecov · 2026-06-21T18:16:14Z

Codecov Report

❌ Patch coverage is 80.12739% with 156 lines in your changes missing coverage. Please review.
✅ Project coverage is 40.52%. Comparing base (17aefae) to head (16116d3).
⚠️ Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/library/overrides/pod_restrictions.go	78.80%	67 Missing and 4 partials ⚠️
pkg/library/overrides/container_restrictions.go	88.41%	22 Missing and 8 partials ⚠️
apis/controller/v1alpha1/zz_generated.deepcopy.go	0.00%	24 Missing ⚠️
pkg/library/overrides/restrictions.go	84.61%	13 Missing and 3 partials ⚠️
pkg/library/overrides/pods.go	25.00%	4 Missing and 2 partials ⚠️
pkg/config/sync.go	80.95%	3 Missing and 1 partial ⚠️
pkg/config/defaults.go	70.00%	2 Missing and 1 partial ⚠️
pkg/library/container/container.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1653      +/-   ##
==========================================
+ Coverage   37.17%   40.52%   +3.34%     
==========================================
  Files         168      171       +3     
  Lines       14761    15621     +860     
==========================================
+ Hits         5488     6330     +842     
+ Misses       8921     8906      -15     
- Partials      352      385      +33

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

… overrides Signed-off-by: Anatolii Bazko <abazko@redhat.com>

tolusha · 2026-06-22T13:43:49Z

/che-ai-assistant ok-pr-review

Review is complete. Please check the review comments below.

tolusha

Code Review Summary

Overall Assessment: Solid implementation of a security-critical feature with excellent test coverage. The restriction system is well-architected with proper defense-in-depth.

Key Highlights:
✅ 2700+ lines of comprehensive test coverage
✅ Security-first Kubernetes defaults aligned with Pod Security Standards
✅ Clean FieldRestriction abstraction with typed check methods
✅ Platform awareness (K8s vs OpenShift defaults)
✅ Defense-in-depth with always-restricted + configurable fields

Primary Concern: Breaking behavioral change on Kubernetes requires release notes and migration guide before merge (see inline comment on defaults.go).

The inline comments below provide specific suggestions for improvements.

tolusha · 2026-06-22T14:07:37Z

+		RestrictedPodOverrideFields:       []string{},
+	}
+	defaultKubernetesOverrideConfig = &v1alpha1.OverrideConfig{
+		RestrictedContainerOverrideFields: []string{


Breaking change: Release notes and migration guide required

The new Kubernetes default restrictions will cause existing DevWorkspaces using security-sensitive overrides to fail after operator upgrade. Any workspace with securityContext.privileged=true, hostNetwork=true, or volumes.hostPath will fail to start.

Required before merge:

Release notes documenting this breaking change

Migration guide with two paths:

Set restrictedContainerOverrideFields: [] and restrictedPodOverrideFields: [] in DevWorkspaceOperatorConfig to restore pre-upgrade behavior

Remove restricted overrides from DevWorkspaces before upgrade

Consider logging a warning when a workspace fails due to new default restrictions

dkwon17 · 2026-06-22T21:41:10Z

+		return checkContainerSecurityContext(override.SecurityContext, remaining, restriction)
+	}
+
+	return nil


Can we add a log message in the cases where the root/remaining is not matched by the case statements?

dkwon17 · 2026-06-22T21:41:28Z

+		return checkContainerResourceClaims(resources.Claims, remaining, restriction)
+	}
+
+	return nil


Can we add a log message in the cases where the root/remaining is not matched by the case statements?

dkwon17

Tested and LGTM, just a comment

btjd

LGTM

openshift-ci · 2026-06-23T19:53:01Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: btjd, tolusha
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

rohanKanojia · 2026-06-24T04:45:31Z

+func checkContainer(override *corev1.Container, root string, remaining string, restriction *FieldRestriction) error {
+	if remaining == "" {
+		switch root {
+		case "workingDir":


Something to consider for the future:

This implementation requires manual synchronization with Kubernetes API changes. For example, if a future Kubernetes release adds a new field to corev1.Container or corev1.SecurityContext, it won't be evaluated by these restriction checks until this code is updated.

It might be worth exploring ways to make such cases easier to detect in tests.

rohanKanojia · 2026-06-24T05:03:26Z

+			Override:         corev1.PodSpec{Volumes: []corev1.Volume{{Name: "vol", VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}}}}},
+			RestrictedFields: []string{"volumes.hostPath"},
+			IsErrorExpected:  false,
+		},


For future, We might want to add more cases here.

volumeSourceType() maps 20+ volume types

devworkspace-operator/pkg/library/overrides/pod_restrictions.go

Lines 351 to 371 in af782ad

func volumeSourceType(vol *corev1.Volume) string {

src := vol.VolumeSource

switch {

case src.HostPath != nil:

return "hostPath"

case src.EmptyDir != nil:

return "emptyDir"

case src.Secret != nil:

return "secret"

case src.ConfigMap != nil:

return "configMap"

case src.PersistentVolumeClaim != nil:

return "persistentVolumeClaim"

case src.Projected != nil:

return "projected"

case src.DownwardAPI != nil:

return "downwardAPI"

case src.CSI != nil:

return "csi"

case src.Ephemeral != nil:

return "ephemeral"

rohanKanojia · 2026-06-24T05:25:44Z

Tested on Kubernetes (minikube) and OpenShift (CRC) with various combination and it seems to be working well ✅

Always-Restricted Fields (regardless of config)

Field	Kubernetes	OpenShift
`container-overrides: name`	Expected: Denied	Expected: Denied
`container-overrides: image`	Expected: Denied	Expected: Denied
`container-overrides: command`	Expected: Denied	Expected: Denied
`container-overrides: args`	Expected: Denied	Expected: Denied
`container-overrides: ports`	Expected: Denied	Expected: Denied
`container-overrides: env`	Expected: Denied	Expected: Denied
`pod-overrides: containers`	Expected: Denied	Expected: Denied
`pod-overrides: initContainers`	Expected: Denied	Expected: Denied

Platform Defaults (no DWOC config required)

Field	Kubernetes	OpenShift
`container securityContext.privileged=true`	Expected: Denied	Expected: Allowed (SCC handles)
`container securityContext.runAsUser=0`	Expected: Denied	Expected: Allowed (SCC handles)
`container securityContext.runAsNonRoot=false`	Expected: Denied	Expected: Allowed (SCC handles)
`container securityContext.allowPrivilegeEscalation=true`	Expected: Denied	Expected: Allowed (SCC handles)
`container securityContext.capabilities.add`	Expected: Denied	Expected: Allowed (SCC handles)
`container securityContext.capabilities.drop`	Expected: Allowed	Expected: Allowed
`pod hostNetwork=true`	Expected: Denied	Expected: Allowed (SCC handles)
`pod hostNetwork=false`	Expected: Allowed	Expected: Allowed
`pod volumes.hostPath`	Expected: Denied	Expected: Allowed (SCC handles)

Custom Restriction Lists via DWOC

Scenario	Kubernetes	OpenShift
Empty list `[]` — `privileged=true`	Expected: Allowed	Expected: Allowed
`["resources"]` — `resources`	Expected: Denied	Expected: Denied
`["resources"]` — `privileged=true` (removed from list)	Expected: Allowed	Expected: Allowed
`["workingDir"]` — `workingDir: /home/user`	Expected: Denied	Expected: Denied
`["workingDir"]` — `resources` (not in list)	Expected: Allowed	Expected: Allowed
`["workingDir=/home/user"]` — `workingDir: /home/user`	Expected: Denied	Expected: Denied
`["workingDir=/home/user"]` — `workingDir: /other/path`	Expected: Allowed	Expected: Allowed
`["volumeMounts"]` — `volumeMounts`	Expected: Denied	Expected: Denied

Per-Workspace DWOC (`devworkspace-config` attribute)

Scenario	Kubernetes	OpenShift
Custom list `["workingDir"]` — `workingDir`	Expected: Denied	Expected: Denied
Custom list `["workingDir"]` — `privileged=true` (not in list)	Expected: Allowed	Expected: Allowed
No `overrides` field — `privileged=true` (inherits cluster defaults)	Expected: Denied	Expected: Allowed

Nested Field Restrictions via DWOC

Scenario	Kubernetes	OpenShift
`["envFrom.secretRef"]` — `envFrom.secretRef`	Expected: Denied	Expected: Denied
`["envFrom.secretRef"]` — `envFrom.configMapRef`	Expected: Allowed	Expected: Allowed
`["volumes.hostPath"]` — `volumes.hostPath`	Expected: Denied	Expected: Denied
`["volumes.hostPath"]` — `volumes.emptyDir`	Expected: Allowed	Expected: Allowed
`["securityContext.runAsUser=0"]` — `runAsUser: 0` (pod)	Expected: Denied	Expected: Denied
`["securityContext.runAsUser=0"]` — `runAsUser: 1000` (pod)	Expected: Allowed	Expected: Allowed

tolusha requested review from akurinnoy, btjd, dkwon17, ibuziuk and rohanKanojia as code owners June 19, 2026 13:13

rohanKanojia changed the title ~~feat: add configurable field-level restrictions for container and pod…~~ feat: add configurable field-level restrictions for container and pod overrides Jun 19, 2026

This comment was marked as outdated.

Sign in to view

tolusha commented Jun 19, 2026

View reviewed changes

Comment thread pkg/library/overrides/restrictions.go Outdated

tolusha commented Jun 19, 2026

View reviewed changes

Comment thread pkg/config/defaults.go

tolusha commented Jun 19, 2026

View reviewed changes

Comment thread docs/dwo-configuration.md Outdated

This comment was marked as outdated.

Sign in to view

dkwon17 reviewed Jun 19, 2026

View reviewed changes

This comment was marked as outdated.

Sign in to view

feat: add configurable field-level restrictions for container and pod…

73a202d

… overrides Signed-off-by: Anatolii Bazko <abazko@redhat.com>

tolusha force-pushed the overriderestrictions branch from fd4d54f to 73a202d Compare June 21, 2026 16:01

This comment was marked as resolved.

Sign in to view

feat: add configurable field-level restrictions for container and pod…

16116d3

… overrides Signed-off-by: Anatolii Bazko <abazko@redhat.com>

This comment was marked as outdated.

Sign in to view