Ensure users don't have root access in container-based Workspaces
Context
Discussion originally happened in #391856 (comment 1284825444)
MR - Set the user id, group id and file system group... (!119138 - merged)
What
Ensure the security context for a container is set so that users cannot escape and gain privilege. We'll have to figure out what are the best default values which are restrictive enough without creating a hurdle for most use-cases. Are the default values for the security context enough?
How
Set the pod-overrides
and container-overrides
before saving the processed devfile to the database to set the default/safe values for user ID, group ID, file system group ID, etc. (i.e. security context settings)
Availability and Testing
Ensure updated test coverage in unit/integration/feature tests.
Edited by Nivetha Prabakaran