[BUG] UI defaults to broken combination of privileged=true and allowPrivilegeEscalation=false

[kravciak]

Rancher Server Setup

• Rancher version: 2.7.6
• Kubernetes version: v1.25.8+k3s1
• Cluster Type: Local
• What is the role of the user logged in? Admin

Describe the bug

When I select privileged: true on pod securityContext then allowPrivilegeEscalation option hides in UI but is still present in YAML as false. This combination is not valid. When privileged: true then allowPrivilegeEscalation has to be also true.

To Reproduce

• Go to Workloads->Pods->Create
• Switch to Security Context tab (Default values are: Privileged: No, Privilege Escalation: No)
• Select Privileged: Yes (Privilege Escalation disappears)
• Go to Edit as Yaml

  securityContext:
  privileged: true
  allowPrivilegeEscalation: false

This combination is wrong as described in kubernetes doc:

"allowPrivilegeEscalation is always true when the container is run as privileged."

To see error message in UI install kubewarden 1.7.0 with recommended policies in monitor mode.

Result

Problem is obvious when I enable kubewarden, it prevents pod creation (in both monitor / protect modes) with following error:

Pod "rrr" is invalid: spec.containers[0].securityContext: Invalid value: core.SecurityContext{Capabilities:(*core.Capabilities)(0xc037249020), Privileged:(*bool)(0xc02dfb504c), SELinuxOptions:(*core.SELinuxOptions)(nil), WindowsOptions:(*core.WindowsSecurityContextOptions)(nil), RunAsUser:(*int64)(nil), RunAsGroup:(*int64)(nil), RunAsNonRoot:(*bool)(0xc02dfb504e), ReadOnlyRootFilesystem:(*bool)(0xc02dfb504d), AllowPrivilegeEscalation:(*bool)(0xc02dfb504b), ProcMount:(*core.ProcMountType)(nil), SeccompProfile:(*core.SeccompProfile)(nil)}: cannot set `allowPrivilegeEscalation` to false and `privileged` to true

After I switch back to privileged: No then Privilege Escalation is switched to Yes (both UI and YAML).

Expected Result

When I select Privileged: Yes then Privilege Escalation is:

• removed from both UI and YAML (preferable solution)
• set to true if privileged=true (UI hides option) and false if privileged=false (UI shows option)

Screenshots

[baptisterajaut]

This is still prevalent in rancher 2.8.2. Just enabling priviledged as true is not enough and require manual yaml editing. Rancher v2.8.2 Dashboard v2.8.0 Helm v2.16.8-rancher2 Machine v0.15.0-rancher106 Cluster RKE2 : v1.27.12+rke2r1