feat: add configurable field-level restrictions for container and pod overrides

[tolusha]

What does this PR do?

This PR adds a configurable restriction system for container-overrides and pod-overrides DevWorkspace attributes. Cluster admins can define deny rules in DevWorkspaceOperatorConfig to block specific fields (e.g.
hostNetwork, securityContext.privileged) or specific values (e.g. restartPolicy=Always) from being set via overrides. On Kubernetes, security-sensitive defaults are denied out of the box — such as privileged containers,
running as root, host networking, and hostPath volumes — to match the restrictions that OpenShift enforces natively via SCCs

What issues does this PR fix or reference?

N/A

Is it tested? How?

Create a DevWorkspace with container-overrides, for instance:

attributes:
  container-overrides:
    securityContext: {privileged: true}

PR Checklist

• E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
  • v8-devworkspace-operator-e2e: DevWorkspace e2e test
  • v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

Release Notes

• New Features

  • Added ability to restrict which fields can be modified via DevWorkspace pod and container overrides. Administrators can configure field restrictions through DevWorkspaceOperatorConfig with platform-specific defaults—Kubernetes applies stricter restrictions by default, while OpenShift applies none.

• Documentation

  • Added guide explaining how to restrict override fields, supported formats, and platform-specific default behavior.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tolusha
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Warning

Review limit reached

@tolusha, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 32 minutes and 51 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4eae608f-a8ec-4d75-814f-509483fc44b8

📥 Commits

Reviewing files that changed from the base of the PR and between 73a202d and 16116d3.

📒 Files selected for processing (3)

• docs/dwo-configuration.md
• pkg/config/sync.go
• pkg/library/overrides/pod_restrictions_test.go

📝 Walkthrough

Walkthrough

Introduces a configurable OverrideConfig type with RestrictedContainerOverrideFields and RestrictedPodOverrideFields slices on WorkspaceConfig. Adds a FieldRestriction rules engine, container and pod restriction validators with dot-path traversal, platform-specific defaults (Kubernetes restricts securityContext fields; OpenShift restricts none), and threads the restricted-field lists through the reconciler, override library, and storage provisioners.

Changes

Configurable Override Field Restriction

Layer / File(s)	Summary
OverrideConfig type, deepcopy, and CRD manifests apis/controller/v1alpha1/devworkspaceoperatorconfig_types.go, apis/controller/v1alpha1/zz_generated.deepcopy.go, deploy/bundle/manifests/..., deploy/deployment/..., deploy/templates/crd/bases/...	OverrideConfig struct with RestrictedContainerOverrideFields/RestrictedPodOverrideFields added to WorkspaceConfig; deepcopy generated; all CRD and deployment YAML manifests updated with the new overrides schema object.
FieldRestriction rules engine and config accessors pkg/library/overrides/restrictions.go	FieldRestriction struct with typed check helpers (string pointer, bool pointer, int32/int64, any-value), checkResources/checkResourceList/checkContainerResourceClaims, and exported GetRestrictedContainerOverrideFields/GetRestrictedPodOverrideFields accessors.
Container restriction validator and ApplyContainerOverrides wiring pkg/library/overrides/container_restrictions.go, pkg/library/overrides/containers.go, pkg/library/overrides/containers_test.go, pkg/library/overrides/container_restrictions_test.go, pkg/library/overrides/testdata/...	restrictContainerOverride validates top-level container fields, envFrom, volumeMounts, volumeDevices, securityContext, and capabilities against restrictedFields. ApplyContainerOverrides gains a restrictedFields []string parameter; old hardcoded restriction removed. Tests and fixture updated.
Pod restriction validator and pods.go wiring pkg/library/overrides/pod_restrictions.go, pkg/library/overrides/pods.go, pkg/library/overrides/pod_restrictions_test.go	restrictPodOverride validates containers/initContainers guard, volumes, securityContext, resource claims, imagePullSecrets, and volumeSourceType. pods.go threads restrictedFields through getPodOverrides and GetVolumesFromOverrides. Comprehensive table-driven tests added.
Platform defaults, mergeConfig, and config initialization pkg/config/defaults.go, pkg/config/sync.go, pkg/config/common_test.go	Kubernetes and OpenShift default OverrideConfig values defined; setDefaultOverrideConfig() selects between them. SetupControllerConfig and SetGlobalConfigForTesting call it. mergeConfig copies restricted field lists; GetCurrentConfigString emits them.
Controller and storage call-site wiring controllers/workspace/devworkspace_controller.go, pkg/library/container/container.go, pkg/library/container/container_test.go, pkg/provision/storage/commonStorage.go, pkg/provision/storage/perWorkspaceStorage.go	GetKubeContainersFromDevfile gains restrictedFields []string and passes it to ApplyContainerOverrides for main and init containers. Both ProvisionStorage implementations pass GetRestrictedPodOverrideFields(workspace) into rewriteContainerVolumeMounts → GetVolumesFromOverrides.
Documentation: Restricting override fields docs/dwo-configuration.md	New "Restricting override fields" section covering restriction syntax, dot-notation, platform defaults, replace-all semantics, bool field Kubernetes limitation, and example YAML.

Sequence Diagram(s)

sequenceDiagram
  rect rgba(70, 130, 180, 0.5)
    Note over Reconcile,ApplyContainerOverrides: Container override path
    Reconcile->>GetKubeContainersFromDevfile: restrictedContainerFields
    GetKubeContainersFromDevfile->>ApplyContainerOverrides: restrictedFields
    ApplyContainerOverrides->>restrictContainerOverride: override, restrictedFields
    restrictContainerOverride->>FieldRestriction: build + checkContainer per entry
    FieldRestriction-->>ApplyContainerOverrides: error or nil
  end
  rect rgba(60, 179, 113, 0.5)
    Note over ProvisionStorage,GetVolumesFromOverrides: Pod override / storage path
    ProvisionStorage->>rewriteContainerVolumeMounts: restrictedPodFields
    rewriteContainerVolumeMounts->>GetVolumesFromOverrides: workspace, restrictedFields
    GetVolumesFromOverrides->>getPodOverrides: restrictedFields
    getPodOverrides->>restrictPodOverride: &override.Spec, restrictedFields
    restrictPodOverride->>FieldRestriction: build + checkPodField per entry
    FieldRestriction-->>ProvisionStorage: error or nil
  end

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Suggested labels

lgtm, approved

Suggested reviewers

• ibuziuk
• dkwon17
• akurinnoy

Poem

🐇 A bunny hopped through fields of YAML so wide,
Restricting what containers dare override.
With dot-paths and slices of strings held tight,
No securityContext sneaks past without right.
The operator config now guards the gate —
Both Kube and OpenShift can set their own fate! 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 5.56% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main feature being added: configurable field-level restrictions for container and pod overrides.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch overriderestrictions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tolusha]

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

• /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
• /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
• /che-ai-assistant help — Show this help message

[dkwon17]

For container_restrictions.go and pod_restriction.go, I am a bit concerned because we are calling checkString(<field>) for so many container/pod fields.

Have you considered iterating over the fields in DeniedContainerOverrideFields and DeniedPodOverrideFields and checking if those fields exist in the container/pod instead?

Please correct me if I'm wrong but it seems like this PR is checking this the other way around (going over all possible container/pod fields, and checking DeniedContainerOverrideFields/DeniedPodOverrideFields)

[tolusha]

Have you considered iterating over the fields in DeniedContainerOverrideFields and DeniedPodOverrideFields and checking if those fields exist in the container/pod instead?

It is a way complicated

[tolusha]

Done

[tolusha]

/che-ai-assistant ok-pr-review

Review is complete. Please check the review comments below.

[codecov]

Codecov Report

❌ Patch coverage is 80.12739% with 156 lines in your changes missing coverage. Please review.
✅ Project coverage is 40.52%. Comparing base (17aefae) to head (16116d3).
⚠️ Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/library/overrides/pod_restrictions.go	78.80%	67 Missing and 4 partials ⚠️
pkg/library/overrides/container_restrictions.go	88.41%	22 Missing and 8 partials ⚠️
apis/controller/v1alpha1/zz_generated.deepcopy.go	0.00%	24 Missing ⚠️
pkg/library/overrides/restrictions.go	84.61%	13 Missing and 3 partials ⚠️
pkg/library/overrides/pods.go	25.00%	4 Missing and 2 partials ⚠️
pkg/config/sync.go	80.95%	3 Missing and 1 partial ⚠️
pkg/config/defaults.go	70.00%	2 Missing and 1 partial ⚠️
pkg/library/container/container.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1653      +/-   ##
==========================================
+ Coverage   37.17%   40.52%   +3.34%     
==========================================
  Files         168      171       +3     
  Lines       14761    15621     +860     
==========================================
+ Hits         5488     6330     +842     
+ Misses       8921     8906      -15     
- Partials      352      385      +33     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.