dongjoon-hyun opened a new pull request, #56549: URL: https://github.com/apache/spark/pull/56549
### What changes were proposed in this pull request?

This PR sets `securityContext.allowPrivilegeEscalation: false` on driver and executor containers by default, with new configs to control it:

- `spark.kubernetes.securityContext.allowPrivilegeEscalation` (default `false`)
- `spark.kubernetes.driver.securityContext.allowPrivilegeEscalation` (falls back to the above)
- `spark.kubernetes.executor.securityContext.allowPrivilegeEscalation` (falls back to the above)

`BasicDriverFeatureStep` and `BasicExecutorFeatureStep` apply the value via `editOrNewSecurityContext()`, preserving other pod-template `securityContext` fields. Docs updated in `running-on-kubernetes.md` and `core-migration-guide.md`.

### Why are the changes needed?

Kubernetes allows privilege escalation by default. Emitting `allowPrivilegeEscalation: false` makes Spark pods secure-by-default and compliant with the Pod Security Standards `restricted` profile, while the configs allow opting out.

### Does this PR introduce _any_ user-facing change?

Yes, to improve security. Since 4.3.0, driver/executor containers get `allowPrivilegeEscalation: false` by default (previously unset, so Kubernetes allowed it). To restore the legacy behavior, set `spark.kubernetes.securityContext.allowPrivilegeEscalation=true`.

### How was this patch tested?

Pass the CIs with the newly added test cases.

### Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Code (claude-opus-4-8)
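The fallback and merge behaviour described in this pull request, modelled as an added Python example (not Spark's code and not part of the PR), together with a check that flags containers which leave the field unset. The config keys come from the description above; the function names, the `"true"` string parsing, the sample container and the audit over init and ephemeral containers are assumptions made for illustration.

```python
# Added illustration; not Spark's implementation. Key names are from the PR text.
GLOBAL_KEY = "spark.kubernetes.securityContext.allowPrivilegeEscalation"
ROLE_KEY = "spark.kubernetes.{role}.securityContext.allowPrivilegeEscalation"


def effective_ape(conf, role):
    """Resolve the value for 'driver' or 'executor': role key, global key, then false."""
    for key in (ROLE_KEY.format(role=role), GLOBAL_KEY):
        if key in conf:
            return conf[key].strip().lower() == "true"  # assumed boolean parsing
    return False


def apply_to_container(container, allow):
    """Set the field on a copy, keeping other securityContext fields from the template."""
    merged = dict(container)
    merged["securityContext"] = {**container.get("securityContext", {}),
                                 "allowPrivilegeEscalation": allow}
    return merged


def audit_pod(pod):
    """Names of containers that do not explicitly set allowPrivilegeEscalation: false.

    An unset field is a finding, because Kubernetes then allows escalation.
    """
    spec = pod.get("spec", {})
    findings = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind, []):
            if c.get("securityContext", {}).get("allowPrivilegeEscalation") is not False:
                findings.append(c["name"])
    return findings


def build_pod(conf, role, container):
    """Hypothetical helper: one-container pod with the resolved setting applied."""
    return {"spec": {"containers": [apply_to_container(container, effective_ape(conf, role))]}}


# Constructed sample inputs: a pod-template container and an executor-only opt-out.
TEMPLATE_CONTAINER = {"name": "spark-main", "securityContext": {"runAsNonRoot": True}}
CONF = {ROLE_KEY.format(role="executor"): "true"}

if __name__ == "__main__":
    for role in ("driver", "executor"):
        print(role, audit_pod(build_pod(CONF, role, TEMPLATE_CONTAINER)) or "ok")
```
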
