
feat(k8s-pipeline): support configuring seccompProfile for k8s#27801

Open
BenStokmans wants to merge 3 commits into open-metadata:main from BenStokmans:feat/k8s-pipeline-seccomp-profile

Conversation

@BenStokmans

@BenStokmans BenStokmans commented Apr 28, 2026

Describe your changes:

This PR expands the configuration of the K8S pipeline client, adding the property seccompProfileType allowing the user to set it to one of RuntimeDefault, Localhost or Unconfined. This is needed when the pipeline is created in a namespace where the pod security standard is set to "restricted".

Along with the seccompProfileType, I have also added seccompLocalhostProfile to configure the path to the local host profile.

buildAutomationJob() and buildApplicationJob() previously skipped securityContext entirely on both the pod and the container, meaning automations and applications would be rejected in any restricted namespace regardless of how runAsUser/runAsNonRoot were configured. They now use the same buildPodSecurityContext() / buildContainerSecurityContext() helpers as ingestion Jobs, picking up runAsUser, runAsGroup, fsGroup, runAsNonRoot, allowPrivilegeEscalation: false, capabilities: drop ALL, and the new seccompProfile.

To go along with this PR I have also created a PR in the helm charts repo: !506

Type of change:

  • Bug fix
  • Improvement
  • New feature
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation

Checklist:

  • I have read the CONTRIBUTING document.
  • My PR title is Fixes <issue-number>: <short explanation>
  • I have commented on my code, particularly in hard-to-understand areas.
  • For JSON Schema changes: I updated the migration scripts or explained why it is not needed.
  • I have added tests around the new logic.
  • For connector/ingestion changes: I updated the documentation.

@github-actions

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!


Copilot AI left a comment


Pull request overview

This PR extends the Kubernetes Pipeline Service client configuration to support setting a seccompProfileType, enabling deployments in clusters/namespaces enforcing the Pod Security Standard “restricted”.

Changes:

  • Add seccompProfileType to K8sPipelineClientConfig parsing and validation.
  • Apply the configured seccomp profile to both pod and container security contexts when building K8s job specs.
  • Update default config templates (OpenMetadata config + distributed-test docker configs) and add unit tests for the new config behavior.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Summary per file:

  • openmetadata-service/src/main/java/org/openmetadata/service/clients/pipeline/k8s/K8sPipelineClientConfig.java: Adds seccompProfileType param handling and validation.
  • openmetadata-service/src/main/java/org/openmetadata/service/clients/pipeline/k8s/K8sPipelineClient.java: Sets seccompProfile on pod/container security contexts based on config.
  • openmetadata-service/src/test/java/org/openmetadata/service/clients/pipeline/k8s/K8sPipelineClientConfigTest.java: Adds coverage for default/blank/invalid seccompProfileType.
  • conf/openmetadata.yaml: Exposes K8S_SECCOMP_PROFILE_TYPE in default server config.
  • docker/development/distributed-test/local/server1.yaml: Exposes K8S_SECCOMP_PROFILE_TYPE for distributed-test server config.
  • docker/development/distributed-test/local/server2.yaml: Exposes K8S_SECCOMP_PROFILE_TYPE for distributed-test server config.
  • docker/development/distributed-test/local/server3.yaml: Exposes K8S_SECCOMP_PROFILE_TYPE for distributed-test server config.

@BenStokmans BenStokmans requested a review from Copilot April 28, 2026 22:49


Copilot AI left a comment


Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.


@gitar-bot

gitar-bot Bot commented Apr 29, 2026

Code Review ✅ Approved 1 resolved / 1 findings

Enables seccompProfile configuration for Kubernetes pipelines, resolving the issue where localhost profiles were accepted without a corresponding file path.

✅ 1 resolved
Bug: "Localhost" seccomp profile type accepted but localhostProfile path never set

openmetadata-service/src/main/java/org/openmetadata/service/clients/pipeline/k8s/K8sPipelineClient.java:1627-1632
openmetadata-service/src/main/java/org/openmetadata/service/clients/pipeline/k8s/K8sPipelineClientConfig.java:196-203
When seccompProfileType is set to "Localhost", the Kubernetes API requires the localhostProfile field to also be set on V1SeccompProfile (it specifies the path to the profile on the node, e.g. profiles/my-profile.json). The current buildSeccompProfile() method only calls .type(type) and never sets localhostProfile, so any pod using Localhost will be rejected by the API server with a validation error like "localhostProfile must be set when type is Localhost".

Since there's no config field for the localhost profile path, the simplest fix is to disallow Localhost in validation until a seccompLocalhostProfile config option is added. Alternatively, add the config option now.

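As an added illustration of the seccomp settings the PR description and the Gitar finding above discuss (this is example code, not the PR's own buildSeccompProfile / buildPodSecurityContext / buildContainerSecurityContext), the snippet below validates the seccompProfileType / seccompLocalhostProfile pair, enforces the Localhost-requires-path rule the finding describes, and builds the pod and container security contexts a "restricted" namespace expects. It assumes the io.kubernetes:client-java models the project already uses; the class and method names are hypothetical.

```java
import io.kubernetes.client.openapi.models.V1Capabilities;
import io.kubernetes.client.openapi.models.V1PodSecurityContext;
import io.kubernetes.client.openapi.models.V1SeccompProfile;
import io.kubernetes.client.openapi.models.V1SecurityContext;
import java.util.List;
import java.util.Set;

public final class SeccompConfigExample {
  // The three values the Kubernetes API accepts for seccompProfile.type.
  private static final Set<String> ALLOWED = Set.of("RuntimeDefault", "Localhost", "Unconfined");

  // Hypothetical helper: blank type falls back to RuntimeDefault, the type the
  // "restricted" Pod Security Standard accepts (Unconfined is rejected there).
  static V1SeccompProfile buildSeccompProfile(String type, String localhostProfile) {
    String resolved = (type == null || type.isBlank()) ? "RuntimeDefault" : type.trim();
    if (!ALLOWED.contains(resolved)) {
      throw new IllegalArgumentException("Unknown seccompProfileType: " + resolved);
    }
    boolean hasPath = localhostProfile != null && !localhostProfile.isBlank();
    if ("Localhost".equals(resolved) && !hasPath) {
      // Without this check the API server rejects the pod at creation time.
      throw new IllegalArgumentException(
          "seccompLocalhostProfile is required when seccompProfileType is Localhost");
    }
    if (!"Localhost".equals(resolved) && hasPath) {
      // Kubernetes only allows localhostProfile together with type Localhost.
      throw new IllegalArgumentException(
          "seccompLocalhostProfile is only valid with seccompProfileType Localhost");
    }
    V1SeccompProfile profile = new V1SeccompProfile().type(resolved);
    if (hasPath) {
      // Path is relative to the kubelet's seccomp root, e.g. profiles/my-profile.json.
      profile.localhostProfile(localhostProfile.trim());
    }
    return profile;
  }

  // Pod-level context: non-root identity plus the shared seccomp profile.
  static V1PodSecurityContext buildPodSecurityContext(V1SeccompProfile profile, long uid) {
    return new V1PodSecurityContext()
        .runAsUser(uid).runAsGroup(uid).fsGroup(uid).runAsNonRoot(true)
        .seccompProfile(profile);
  }

  // Container-level context: the remaining "restricted" requirements.
  static V1SecurityContext buildContainerSecurityContext(V1SeccompProfile profile) {
    return new V1SecurityContext()
        .allowPrivilegeEscalation(false)
        .capabilities(new V1Capabilities().drop(List.of("ALL")))
        .seccompProfile(profile);
  }
}
```

Calling buildSeccompProfile("Localhost", "") fails validation before any job is submitted, which is the behaviour the finding asks for; buildSeccompProfile("RuntimeDefault", null) returns a profile usable with both builders.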
