dongjoon-hyun opened a new pull request, #709:
URL: https://github.com/apache/spark-kubernetes-operator/pull/709

   ### What changes were proposed in this pull request?
   
   Add a **Pod Security Admission** section to `SECURITY.md` documenting that 
the security posture of user-supplied pod templates is enforced by the 
Kubernetes API server, not the operator:
   
   - Administrators set the [Pod Security 
Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/)
 level on workload namespaces; it applies to every pod the operator launches.
   - The pod template is the only place to set a pod's security context, so 
meeting a stricter level requires supplying one. This covers `SparkApplication` 
(`.spec.driverSpec/executorSpec.podTemplateSpec`) and `SparkCluster` 
(`.spec.masterSpec/workerSpec.statefulSetSpec.template`).
   
   ### Why are the changes needed?
   
   The operator passes pod templates through unchanged, which is what lets 
users satisfy stricter Pod Security Admission levels. Documenting this 
clarifies that pod security is a Kubernetes responsibility, not a missing 
operator control.
   
   ### Does this PR introduce _any_ user-facing change?
   
   No. Documentation only.
   
   ### How was this patch tested?
   
   Documentation-only change; no code is affected.
   
   ### Was this patch authored or co-authored using generative AI tooling?
   
   Generated-by: Claude Code (Claude Opus 4.8)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to