fix: add securityContext support to ephemeral debug containers for restricted PodSecurity namespaces

[harshitrwt]

This PR fixes #4969 by introducing two complementary changes:

1. Safe default: addEphemeralContainer() now applies a restricted-compatible securityContext by default:

   • allowPrivilegeEscalation: false
   • capabilities.drop: ["ALL"]
   • runAsNonRoot: true
   • seccompProfile.type: RuntimeDefault

2. User control: A new "Restricted Security Context" toggle is added to Pod Debug Settings (alongside the existing image and enable/disable settings). It defaults to on, but users can turn it off for clusters where they need elevated permissions in their debug container.

Files Changed

• frontend/src/helpers/clusterSettings.ts : added useRestrictedSecurityContext field to ClusterSettings type
• frontend/src/lib/k8s/pod.ts : addEphemeralContainer() accepts and applies securityContext
• frontend/src/components/pod/PodDebugTerminal.tsx : reads setting from cluster config and passes it through
• frontend/src/components/App/Settings/PodDebugSettings.tsx : new toggle row in the Pod Debug Settings UI

Testing

To reproduce the original bug and verify the fix:

# Create a restricted namespace
kubectl create namespace restricted-test
kubectl label namespace restricted-test \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/enforce-version=latest

# Deploy a compliant pod
kubectl apply -f 
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: restricted-test
spec:
  containers:
  - name: app
    image: nginx:alpine
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      runAsUser: 1000
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault

Notes

• The securityContext default does not break debugging in non-restricted namespaces, a restricted context is still fully functional for shell access, log inspection, env var checks, etc.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: harshitrwt
Once this PR has been reviewed and has the lgtm label, please assign illume for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Welcome @harshitrwt!

It looks like this is your first PR to kubernetes-sigs/headlamp 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/headlamp has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[Copilot]

Pull request overview

This PR addresses #4969 by making the “Debug Pod” ephemeral container compatible with restricted PodSecurity namespaces, while still allowing users to opt out per-cluster via settings.

Changes:

• Add a per-cluster “Restricted Security Context” toggle (default on) in Pod Debug Settings and persist it in ClusterSettings.
• Pass the toggle value through the debug terminal flow to Pod.addEphemeralContainer().
• Apply a restricted-compatible securityContext to the created ephemeral container when the toggle is enabled.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
frontend/src/helpers/clusterSettings.ts	Extends ClusterSettings.podDebugTerminal with useRestrictedSecurityContext.
frontend/src/lib/k8s/pod.ts	Adds a boolean flag to addEphemeralContainer() and conditionally injects a restricted securityContext.
frontend/src/components/pod/PodDebugTerminal.tsx	Reads the new setting and passes it to the ephemeral container creation path.
frontend/src/components/App/Settings/PodDebugSettings.tsx	Adds a new settings row + state/update logic for the restricted security context toggle.

[Copilot]

securityContext is being added to an object typed as KubeContainer, but KubeContainer currently does not declare a securityContext field (see frontend/src/lib/k8s/cluster.ts where it's still marked as a TODO). This will fail TypeScript excess-property checks during build. Add an appropriate securityContext type to KubeContainer (or use a dedicated ephemeral-container type) so this compiles cleanly.

[Copilot]

The new "Restricted Security Context" switch is missing an accessible label association. Other switches in Settings pass inputProps={{ 'aria-labelledby': ... }} and render a label element with a matching id; add the same pattern here so screen readers announce what this toggle controls.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

[Copilot]

The new "Restricted Security Context" toggle Switch is missing an accessible label association. The "Enable Pod Debug" switch wires aria-labelledby, but this one doesn’t provide inputProps (or an aria-label), so screen readers may announce it without context.

Add an id to the label element and pass inputProps={{ 'aria-labelledby': <id> }} (or an equivalent aria-label) on the Switch.

[Copilot]

The JSDoc for addEphemeralContainer hasn’t been updated for the new useRestrictedSecurityContext parameter. Please document the new argument (what it does, default behavior, and why/when to disable it) so future callers understand the security implications.

[Copilot]

The JSDoc for debugPod lists parameters but doesn’t include the new useRestrictedSecurityContext argument. Please update the comment to document this parameter and its default, since it changes behavior and is security-relevant.

[harshitrwt]

Thanks for the review, working on it.

[harshitrwt]

Hi @illume , Any reviews on new changes?