From bd7d28f004c77d2b9dfa89a8f1c68740e5cac25f Mon Sep 17 00:00:00 2001
From: Scott Seago <sseago@redhat.com>
Date: Tue, 4 Nov 2025 16:53:30 -0500
Subject: [PATCH] don't copy securitycontext from first container if configmap
 found

Signed-off-by: Scott Seago <sseago@redhat.com>
---
 changelogs/unreleased/9389-sseago                | 1 +
 pkg/restore/actions/pod_volume_restore_action.go | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/unreleased/9389-sseago

diff --git a/changelogs/unreleased/9389-sseago b/changelogs/unreleased/9389-sseago
new file mode 100644
index 000000000..f054c96e3
--- /dev/null
+++ b/changelogs/unreleased/9389-sseago
@@ -0,0 +1 @@
+don't copy securitycontext from first container if configmap found
diff --git a/pkg/restore/actions/pod_volume_restore_action.go b/pkg/restore/actions/pod_volume_restore_action.go
index 9f3ee6a41..eb7cb8f6d 100644
--- a/pkg/restore/actions/pod_volume_restore_action.go
+++ b/pkg/restore/actions/pod_volume_restore_action.go
@@ -185,8 +185,8 @@ func (a *PodVolumeRestoreAction) Execute(input *velero.RestoreItemActionExecuteI
 			securityContextSet = true
 		}
 	}
-	// if first container in pod has a SecurityContext set, then copy this security context
-	if len(pod.Spec.Containers) != 0 && pod.Spec.Containers[0].SecurityContext != nil {
+	// if securityContext configmap is unavailable but first container in pod has a SecurityContext set, then copy this security context
+	if !securityContextSet && len(pod.Spec.Containers) != 0 && pod.Spec.Containers[0].SecurityContext != nil {
 		securityContext = *pod.Spec.Containers[0].SecurityContext.DeepCopy()
 		securityContextSet = true
 	}