From 0e98533d1b7a4d2ebf414575ff81905933c31c63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arda=20G=C3=BC=C3=A7l=C3=BC?=
Date: Wed, 8 Mar 2023 11:58:28 +0300
Subject: [PATCH] Not share process namespace if user explicitly disables it
This PR sets higher priority to the `share-processes` flag than provided profile. For example, if user tries to use copy-to debugging with restricted profiling, share process namespace should be false if user explicitly disables it via `--share-processes=false`.
---
 .../kubectl/pkg/cmd/debug/debug_test.go | 40 +++++++++++++++++++
 .../k8s.io/kubectl/pkg/cmd/debug/profiles.go | 4 +-
 2 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/debug/debug_test.go b/staging/src/k8s.io/kubectl/pkg/cmd/debug/debug_test.go
index 08225f8e6b8..118c38661ba 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/debug/debug_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/debug/debug_test.go
@@ -1201,6 +1201,46 @@ func TestGeneratePodCopyWithDebugContainer(t *testing.T) {
 },
 },
 },
+ {
+ name: "baseline profile not share process when user explicitly disables it",
+ opts: &DebugOptions{
+ CopyTo: "debugger",
+ Container: "debugger",
+ Image: "busybox",
+ PullPolicy: corev1.PullIfNotPresent,
+ Profile: ProfileBaseline,
+ ShareProcesses: false,
+ shareProcessedChanged: true,
+ },
+ havePod: &corev1.Pod{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "target",
+ },
+ Spec: corev1.PodSpec{
+ Containers: []corev1.Container{
+ {
+ Name: "debugger",
+ },
+ },
+ NodeName: "node-1",
+ },
+ },
+ wantPod: &corev1.Pod{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "debugger",
+ },
+ Spec: corev1.PodSpec{
+ Containers: []corev1.Container{
+ {
+ Name: "debugger",
+ Image: "busybox",
+ ImagePullPolicy: corev1.PullIfNotPresent,
+ },
+ },
+ ShareProcessNamespace: pointer.Bool(false),
+ },
+ },
+ },
 {
 name: "restricted profile",
 opts: &DebugOptions{
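Review bot: The added table entry pins the explicit opt-out only for `ProfileBaseline`, although the commit description motivates the change with the restricted profile. A sibling entry with `Profile: ProfileRestricted,` and the same `ShareProcesses: false, shareProcessedChanged: true` options, again expecting `ShareProcessNamespace: pointer.Bool(false)`, would cover the case the description names. It would also help to pin the opposite direction, an entry with `shareProcessedChanged: false` that still expects the profile to turn sharing on, so a later refactor cannot silently flip the default. The test table continues outside this hunk, so some of these cases may already exist there.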
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles.go b/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles.go
index 609e4575267..3684478d570 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/debug/profiles.go
@@ -250,7 +250,9 @@ func useHostNamespaces(p *corev1.Pod) {
 // shareProcessNamespace configures all containers in the pod to share the
 // process namespace.
 func shareProcessNamespace(p *corev1.Pod) {
- p.Spec.ShareProcessNamespace = pointer.Bool(true)
+ if p.Spec.ShareProcessNamespace == nil {
+ p.Spec.ShareProcessNamespace = pointer.Bool(true)
+ }
 }

 // clearSecurityContext clears the security context for the container.
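Review bot: The doc comment above `shareProcessNamespace` is now stale, because the function no longer forces sharing and only defaults the field to true when `p.Spec.ShareProcessNamespace` is nil. I would reword it along the lines of `// shareProcessNamespace enables process namespace sharing unless the pod spec already carries an explicit value.` The nil check also cannot tell a value written from `--share-processes` apart from one already present in the pod spec. If the caller copies the target pod's spec before applying the profile (not visible in this hunk), a source pod with an explicit `shareProcessNamespace: false` would keep that setting too, and the comment should say whether that is intended. A shared process namespace lets the debug container see and signal the other containers' processes, so this precedence rule is worth documenting at the point where it is enforced.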