Merge pull request #136 from marklogic/bug/CLD-782-volume-owner

CLD-782 : add podSecurityContext for volume auth

Author: rwinieski

charts/templates/statefulset.yaml

@@ -18,6 +18,9 @@ spec:
       labels:
         {{- include "marklogic.selectorLabels" . | nindent 8 }}
     spec:
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       serviceAccountName: {{ include "marklogic.serviceAccountName" . }}
       {{- with .Values.affinity }}
       affinity: {{- toYaml . | nindent 8}}

charts/values.yaml

@@ -205,7 +205,20 @@ networkPolicy:
       endPort: 8020
       protocol: TCP
 
-## Below are the security configurations for container, by default security will be enabled
+## Below are the security configuration at POD level, by default security will be enabled
+## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
+  #######################################################################################
+  ## NOTE : The POD Security context should be set when using additional volume.       ##
+  ## This will ensure that additional volume created is set with the right ownership.  ##
+  #######################################################################################
+
+podSecurityContext:
+  enabled: true
+  ## group id of user owning the MarkLogic service
+  fsGroup: 2 
+  fsGroupChangePolicy: "OnRootMismatch" 
+
+## Below are the security configurations for markLogic container, by default security will be enabled
 containerSecurityContext:
   enabled: true
   runAsUser: 1000