From f7e0148ea0d2eb3cab4df5469544ff3231d1b38d Mon Sep 17 00:00:00 2001
From: Thomas E Lackey
Date: Thu, 8 Feb 2024 17:21:23 -0600
Subject: [PATCH] security context
---
 stack_orchestrator/deploy/k8s/cluster_info.py | 6 ++++++
 stack_orchestrator/deploy/spec.py | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/stack_orchestrator/deploy/k8s/cluster_info.py b/stack_orchestrator/deploy/k8s/cluster_info.py
index 1de1fc76..d4dfb718 100644
--- a/stack_orchestrator/deploy/k8s/cluster_info.py
+++ b/stack_orchestrator/deploy/k8s/cluster_info.py
@@ -281,6 +281,12 @@ class ClusterInfo:
 env=envs,
 ports=[client.V1ContainerPort(container_port=port)],
 volume_mounts=volume_mounts,
+ security_context=client.V1SecurityContext(
+ privileged=self.spec.get_privileged(),
+ capabilities=client.V1Capabilities(
+ add=self.spec.get_capabilities()
+ ) if self.spec.get_capabilities() else None
+ ),
 resources=to_k8s_resource_requirements(resources),
 )
 containers.append(container)
diff --git a/stack_orchestrator/deploy/spec.py b/stack_orchestrator/deploy/spec.py
index 95684f46..72f1cfb1 100644
--- a/stack_orchestrator/deploy/spec.py
+++ b/stack_orchestrator/deploy/spec.py
@@ -112,3 +112,9 @@ class Spec:
 def get_labels(self):
 return self.obj.get("labels", {})
+
+ def get_privileged(self): return "true" == str(self.obj.get("security", {}).get("privileged", "false")).lower()
+
+ def get_capabilities(self): return self.obj.get("security", {}).get("capabilities", [])
\ No newline at end of file
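Review bot: The security context built in the cluster_info.py hunk takes the spec-wide `privileged` and `capabilities` values and attaches them to every container the surrounding loop appends, so a single `security.privileged: true` in the spec elevates all containers of the pod rather than only the one that needs it; either key these off a per-container entry if the spec format has one, or document in the spec that the `security` section is pod-wide. `self.spec.get_capabilities()` is also evaluated twice, once to build the list and once in the condition; hoist it into a local, e.g. `caps = self.spec.get_capabilities()` followed by `capabilities=client.V1Capabilities(add=caps) if caps else None,`. Nothing in the hunk sets `allow_privilege_escalation` or a `drop` list, so those stay at whatever the cluster's admission policy permits; worth a comment on the `security_context=` line so readers do not assume a restrictive default. The enclosing method begins and ends outside the hunk.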
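Review bot: In the spec.py hunk both new accessors chain `.get(...)` onto `self.obj.get("security", {})`, which returns `None` rather than `{}` when the deployment spec contains a `security:` key with no value, so an empty section raises `AttributeError` instead of falling back to the defaults; use `(self.obj.get("security") or {})` in both `get_privileged` and `get_capabilities`. `get_capabilities` also returns the raw spec value unvalidated, so a bare string instead of a list reaches `V1Capabilities(add=...)` unchanged — a one-line docstring on each method, e.g. `"""Return the list of capability names under security.capabilities ([] if unset)."""` and `"""Return True only when security.privileged is true or "true"."""`, would make the expected types explicit. The hunk also leaves spec.py without a trailing newline, per the `\ No newline at end of file` marker.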