From 52a066730a191c33d51de414fd7e0af5ea16f6c2 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Tue, 17 Mar 2026 20:36:39 +0600
Subject: [PATCH] Fix security context for panopticon cleaner in OpenShift
Signed-off-by: Tamal Saha
---
 charts/panopticon/templates/cleaner.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/charts/panopticon/templates/cleaner.yaml b/charts/panopticon/templates/cleaner.yaml
index dabfe328..ae7ebb38 100644
--- a/charts/panopticon/templates/cleaner.yaml
+++ b/charts/panopticon/templates/cleaner.yaml
@@ -18,8 +18,13 @@ spec:
 serviceAccountName: {{ include "panopticon.serviceAccountName" . }}
 containers:
 - name: busybox
+ {{- if eq "true" ( include "distro.openshift" . ) }}
+ securityContext:
+ {{- toYaml (omit .Values.cleaner.securityContext "runAsUser" "runAsGroup" "fsGroup" "supplementalGroups") | nindent 10 }}
+ {{- else }}
 securityContext:
 {{- toYaml .Values.cleaner.securityContext | nindent 10 }}
+ {{- end }}
 image: {{ include "cleaner.registry" . }}/{{ .Values.cleaner.repository }}:{{ .Values.cleaner.tag }}{{ include "operator.ubi" . }}
 command:
 - sh
@@ -29,8 +34,13 @@ spec:
 kubectl delete apiservice v1alpha1.validators.metrics.appscode.com || true;"
 imagePullPolicy: {{ .Values.imagePullPolicy }}
 restartPolicy: Never
+ {{- if eq "true" ( include "distro.openshift" . ) }}
+ securityContext:
+ {{- toYaml (omit .Values.podSecurityContext "runAsUser" "runAsGroup" "fsGroup" "supplementalGroups") | nindent 8 }}
+ {{- else }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
 {{- if or .Values.tolerations }}
 tolerations:
 {{- with .Values.tolerations }}
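Review bot: On the OpenShift arm of the first hunk the container `securityContext` loses `runAsUser`/`runAsGroup`, so the effective UID becomes whatever the admitting SCC assigns; under an SCC with a RunAsAny strategy (for example `anyuid`) the container falls back to the image's default user, which may be root. Nothing visible in the patch guarantees that `runAsNonRoot: true` is present in `.Values.cleaner.securityContext` (the values file is outside this diff), so I would add a template comment above the `if`, e.g. `{{- /* OpenShift: UID/GID are assigned by the SCC; keep runAsNonRoot: true in values so a RunAsAny SCC cannot fall back to root */}}`, and confirm the chart defaults keep that field. `fsGroup` and `supplementalGroups` are pod-level fields, so omitting them from the container context is a no-op. The same reasoning applies to the pod-level arm in the `@@ -29,8 +34,13 @@` hunk.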
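Review bot: The four-key `omit` list is now spelled out twice (container context in the first hunk, pod context here) and each `securityContext:` key is duplicated across the `if`/`else` arms, so the two lists can drift apart when a field is added later. Consider computing the context once and emitting a single key: `{{- $psc := .Values.podSecurityContext }}` followed by `{{- if eq "true" (include "distro.openshift" .) }}{{- $psc = omit $psc "runAsUser" "runAsGroup" "fsGroup" "supplementalGroups" }}{{- end }}`, then the existing `securityContext:` line with `toYaml $psc | nindent 8`. How `distro.openshift` decides is not visible in this patch; if it depends on cluster capabilities, offline rendering would presumably take the `else` arm and keep the fixed IDs, which deserves a comment next to the condition. The `tolerations` block continues past the end of the hunk.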