
Users should be able to configure their workspace pods securityContext capabilities #20459

@l0rd

Is your enhancement related to a problem? Please describe

I would like to be able to build a Dockerfile using buildah from within a workspace, as described here, on OpenShift and using the DevWorkspace operator.

Describe the solution you'd like

To be able to run buildah successfully, the pod should use a ServiceAccount that has the anyuid SCC (oc adm policy add-scc-to-user anyuid -z <my-service-account>), and it should be possible to set the containers' SecurityContext capabilities.

    spec:
      serviceAccount: buildah-sa
      containers:
        - name: buildah
          image: image-registry.openshift-image-registry.svc:5000/image-build/buildah
          securityContext:
            capabilities:
              drop:
                - KILL

Describe alternatives you've considered

No response

Additional context

That may be a user configuration specified in a ConfigMap: every workspace of the user would have the serviceAccount and securityContext specified in the ConfigMap.

Labels

engine/devworkspace: Issues related to Che configured to use the devworkspace controller as workspace engine.
kind/enhancement: A feature request - must adhere to the feature request template.
severity/P2: Has a minor but important impact to the usage or development of the system.
sprint/current
