fsgroup change

Author: benjaminjb

internal/controller/postgrescluster/pgbouncer.go

@@ -485,8 +485,12 @@ func (r *Reconciler) generatePGBouncerDeployment(
 	// Do not add environment variables describing services in this namespace.
 	deploy.Spec.Template.Spec.EnableServiceLinks = initialize.Bool(false)
 
-	deploy.Spec.Template.Spec.SecurityContext = util.PodSecurityContext(2,
-		cluster.Spec.SupplementalGroups, initialize.FromPointer(cluster.Spec.OpenShift),
+	fsGroup := 2
+	if initialize.FromPointer(cluster.Spec.OpenShift) {
+		fsGroup = 0
+	}
+	deploy.Spec.Template.Spec.SecurityContext = util.PodSecurityContext(int64(fsGroup),
+		cluster.Spec.SupplementalGroups,
 	)
 
 	// set the image pull secrets, if any exist

internal/util/pod_security.go

@@ -12,7 +12,9 @@ import (
 
 // PodSecurityContext returns a v1.PodSecurityContext for cluster that can write
 // to PersistentVolumes.
-func PodSecurityContext(fsgroup int64, supplementalGroups []int64, openshift bool) *corev1.PodSecurityContext {
+// This func sets the supplmental groups and fsGgroup if present.
+// fsGroup should not be present in OpenShift environments
+func PodSecurityContext(fsgroup int64, supplementalGroups []int64) *corev1.PodSecurityContext {
 	psc := initialize.PodSecurityContext()
 
 	// Use the specified supplementary groups except for root. The CRD has
@@ -30,7 +32,7 @@ func PodSecurityContext(fsgroup int64, supplementalGroups []int64, openshift boo
 	// - https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids
 	// - https://docs.k8s.io/tasks/configure-pod-container/security-context/
 	// - https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html
-	if !openshift {
+	if fsgroup > 0 {
 		psc.FSGroup = initialize.Int64(fsgroup)
 	}
 

internal/util/pod_security_test.go

@@ -14,13 +14,13 @@ import (
 
 func TestPodSecurityContext(t *testing.T) {
 	t.Run("Non-Openshift", func(t *testing.T) {
-		assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(2, []int64{}, false), `
+		assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(2, []int64{}), `
 fsGroup: 2
 fsGroupChangePolicy: OnRootMismatch
 	`))
 
 		supplementalGroups := []int64{3, 4}
-		assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(26, supplementalGroups, false), `
+		assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(26, supplementalGroups), `
 fsGroup: 26
 fsGroupChangePolicy: OnRootMismatch
 supplementalGroups:
@@ -30,11 +30,11 @@ supplementalGroups:
 	})
 
 	t.Run("OpenShift", func(t *testing.T) {
-		assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(2, []int64{}, true),
+		assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(0, []int64{}),
 			`fsGroupChangePolicy: OnRootMismatch`))
 
 		supplementalGroups := []int64{3, 4}
-		assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(2, supplementalGroups, true), `
+		assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(0, supplementalGroups), `
 fsGroupChangePolicy: OnRootMismatch
 supplementalGroups:
 - 3
@@ -44,9 +44,9 @@ supplementalGroups:
 
 	t.Run("NoRootGID", func(t *testing.T) {
 		supplementalGroups := []int64{999, 0, 100, 0}
-		assert.DeepEqual(t, []int64{999, 100}, PodSecurityContext(2, supplementalGroups, false).SupplementalGroups)
+		assert.DeepEqual(t, []int64{999, 100}, PodSecurityContext(2, supplementalGroups).SupplementalGroups)
 
 		supplementalGroups = []int64{0}
-		assert.Assert(t, PodSecurityContext(2, supplementalGroups, false).SupplementalGroups == nil)
+		assert.Assert(t, PodSecurityContext(2, supplementalGroups).SupplementalGroups == nil)
 	})
 }