
chore: Add CAP_CHOWN to Container Run capabilities#2094

Open
tolusha wants to merge 3 commits into main from 23748

Conversation

@tolusha
Contributor

@tolusha tolusha commented Mar 2, 2026

What does this PR do?

  • Adds the CHOWN Linux capability to the default security context for workspace containers when container run mode is enabled (alongside the existing SETGID and SETUID capabilities). This allows containers to change file ownership, needed for nested container scenarios.
  • For existing CheCluster CRs that already have SETGID/SETUID capabilities configured but are missing CHOWN, a new migration action (updateDevEnvironmentsContainerRunConfiguration) automatically appends CHOWN to the capabilities list during reconciliation.
  • Enables the reconciler to update existing SCCs by fetching the current object, applying desired spec fields on top, and syncing with diff detection (diffs.SecurityContextConstraints) — rather than only setting fields at creation time. This ensures existing SCCs get updated when the operator changes (e.g., to add CHOWN) and avoids endless reconcile loops.

Screenshot/screencast of this PR

N/A

What issues does this PR fix or reference?

eclipse-che/che#23748

How to test this PR?

  1. Deploy the operator:

OpenShift

./build/scripts/olm/test-catalog-from-sources.sh

or

build/scripts/docker-run.sh /bin/bash -c "
  oc login \
    --token=<...> \
    --server=<...> \
    --insecure-skip-tls-verify=true && \
  build/scripts/olm/test-catalog-from-sources.sh
"

on Minikube

./build/scripts/minikube-tests/test-operator-from-sources.sh

Common Test Scenarios

  • Deploy/update Eclipse Che
  • Start an empty workspace
  • Open terminal and build/run an image
  • Stop a workspace
  • Check operator logs for reconciliation errors or infinite reconciliation loops

PR Checklist

As the author of this Pull Request I made sure that:

Reviewers

Reviewers, please comment how you tested the PR when approving it.

Signed-off-by: Anatolii Bazko <abazko@redhat.com>
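The migration and the diff check described in the "What does this PR do?" section, as an added example that is not the che-operator's own code: the capability list is modelled as plain strings instead of the Kubernetes corev1.Capability type, and the function names are assumptions.

```go
package main

import "sort"

// Capability names as they appear in a Kubernetes SecurityContext
// capabilities.add list (the CAP_ prefix is dropped there).
const (
	capChown  = "CHOWN"
	capSetGID = "SETGID"
	capSetUID = "SETUID"
)

func hasCap(caps []string, want string) bool {
	for _, c := range caps {
		if c == want {
			return true
		}
	}
	return false
}

// migrateContainerRunCapabilities mirrors the migration the PR describes:
// only a list that already carries SETGID and SETUID (container run mode)
// and lacks CHOWN gets CHOWN appended; anything else is left untouched, so
// clusters that never opted in are not granted an extra capability.
func migrateContainerRunCapabilities(caps []string) ([]string, bool) {
	if !hasCap(caps, capSetGID) || !hasCap(caps, capSetUID) || hasCap(caps, capChown) {
		return caps, false
	}
	return append(append([]string{}, caps...), capChown), true
}

// sameCapabilitySet is the order-insensitive diff check: the reconciler
// should only update the SCC when the desired set actually differs from
// the current one, otherwise every update re-triggers reconciliation.
func sameCapabilitySet(current, desired []string) bool {
	if len(current) != len(desired) {
		return false
	}
	a, b := append([]string{}, current...), append([]string{}, desired...)
	sort.Strings(a)
	sort.Strings(b)
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}
```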
@openshift-ci openshift-ci bot removed the lgtm label Mar 6, 2026
@tolusha tolusha requested a review from rohanKanojia March 6, 2026 13:51
@openshift-ci openshift-ci bot added the lgtm label Mar 6, 2026
@openshift-ci

openshift-ci bot commented Mar 6, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rohanKanojia, tolusha

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tolusha
Contributor Author

tolusha commented Mar 6, 2026

/retest
