Add PodSecurityContext support for DaemonSets

[faganihajizada]

Description

Partially fixes #1030

Adds PodSecurityContext support to both ClusterPolicy and NVIDIADriver CRs:

• ClusterPolicy — spec.daemonsets.podSecurityContext sets pod-level security context for all DaemonSet pods managed by ClusterPolicy
• NVIDIADriver — spec.podSecurityContext sets pod-level security context for the nvidia-driver DaemonSet pod

Design notes

• Pod-level SecurityContext is full replace, not merge. This matches the existing pattern for tolerations and priorityClassName in applyCommonDaemonsetConfig. No embedded DaemonSet manifest currently sets a pod-level SecurityContext, so there is nothing to lose on replace.
• For NVIDIADriver, the PodSecurityContext is templated directly into the driver DaemonSet manifest, following the same Go template pattern used for other optional spec fields (tolerations, labels, annotations).

Checklist

• No secrets, sensitive information, or unrelated changes
• Lint checks passing (make lint)
• Generated assets in-sync (make validate-generated-assets)
• Go mod artifacts in-sync (make validate-modules)
• Test cases are added for new code paths

Testing

• Unit tests for mergeSecurityContext (5 cases: nil target, nil defaults, empty target, merge with existing, no-overwrite)
• Unit tests for applyCommonDaemonsetConfig (4 new cases: podSecurityContext, nil container SecurityContext, merge into existing, initContainers)
• Unit tests for applyDaemonsetMetadataToPod (4 cases: no-op, label skip, annotations, nil labels)
• Unit tests for applyCommonDaemonsetMetadata (existing tests still pass)

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[rahulait]

We need to add this to nvidiadriver CR as well if we are adding it for clusterpolicy. Basically here: https://github.com/NVIDIA/gpu-operator/blob/main/api/nvidia/v1alpha1/nvidiadriver_types.go#L199

After that, we need to update the nvidia-driver specific daemonset manifest to also include securityContext if set here: https://github.com/NVIDIA/gpu-operator/blob/main/manifests/state-driver/0500_daemonset.yaml#L86

[tariq1890]

@faganihajizada Thanks again for the contribution! Can you amend the commit message and PR title so that it reflects the changes after review?

Please commit with the --signoff option so that the DCO checks are satisfied

[faganihajizada]

@faganihajizada Thanks again for the contribution! Can you amend the commit message and PR title so that it reflects the changes after review?

Please commit with the --signoff option so that the DCO checks are satisfied

Thanks @tariq1890 I updated commit message and also addressed comment from @rahulait

[rahulait]

LGTM

[rahulait]

/ok to test 5013497

[faganihajizada]

@rahulait seems like there's no mechanism to regenerate the golden test files in internal/state/testdata/golden/ when the API types change. Is there a preferred way to handle this, or do you typically update them manually?

I can add a small UPDATE_GOLDEN=1 flag in the tests in a follow-up PR if it helps.

[rahulait]

@faganihajizada unit-tests will need updates so that CI can pass. I think they are generated manually for now as I don't see any script doing that. You can just update the failing test for now to match the new fields added.

[rahulait]

/ok to test e13fd80

[tariq1890]

I am a bit concerned that the DRIVER_CONFIG_DIGEST is changed here even though we don't set the .Driver.Spec.PodSecurityContext field. Is this because the struct schema has changed?

We need to keep in mind that this change will cancel fast path re-deployments where is was previously possible.

cc @cdesiniotis @karthikvetrivel

[faganihajizada]

can I help on this?

[karthikvetrivel]

Taking a look at this. No action required on your side right now @faganihajizada, thanks!