fix: mismatched container fs permissions (knative#2946)

lkingland · web-flow · commit d04ff0a37880 · 2025-07-24T10:54:08.000Z
diff --git a/pkg/k8s/security_context.go b/pkg/k8s/security_context.go
@@ -14,11 +14,12 @@ func defaultPodSecurityContext() *corev1.PodSecurityContext {
 		return nil
 	}
 	runAsUser := int64(1001)
-	runAsGroup := int64(1002)
+	runAsGroup := int64(0) // Match Tekton buildpack task group
+	fsGroup := int64(1002) // Keep FSGroup for volume ownership
 	return &corev1.PodSecurityContext{
 		RunAsUser:  &runAsUser,
 		RunAsGroup: &runAsGroup,
-		FSGroup:    &runAsGroup,
+		FSGroup:    &fsGroup,
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -14,11 +14,12 @@ func defaultPodSecurityContext() *corev1.PodSecurityContext {`
`14`	`14`	`return nil`
`15`	`15`	`}`
`16`	`16`	`runAsUser := int64(1001)`
`17`		`- runAsGroup := int64(1002)`
	`17`	`+ runAsGroup := int64(0) // Match Tekton buildpack task group`
	`18`	`+ fsGroup := int64(1002) // Keep FSGroup for volume ownership`
`18`	`19`	`return &corev1.PodSecurityContext{`
`19`	`20`	`RunAsUser: &runAsUser,`
`20`	`21`	`RunAsGroup: &runAsGroup,`
`21`		`- FSGroup: &runAsGroup,`
	`22`	`+ FSGroup: &fsGroup,`
`22`	`23`	`}`
`23`	`24`	`}`
`24`	`25`