oracle
diff --git a/‎documentation/domains/Domain.json
Lines changed: 12 additions & 0 deletions b/‎documentation/domains/Domain.json
Lines changed: 12 additions & 0 deletions
diff --git a/‎documentation/domains/Domain.md
Lines changed: 3 additions & 0 deletions b/‎documentation/domains/Domain.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎kubernetes/crd/domain-crd.yaml
Lines changed: 81 additions & 1 deletion b/‎kubernetes/crd/domain-crd.yaml
Lines changed: 81 additions & 1 deletion
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/helpers/BasePodStepContext.java
Lines changed: 8 additions & 2 deletions b/‎operator/src/main/java/oracle/kubernetes/operator/helpers/BasePodStepContext.java
Lines changed: 8 additions & 2 deletions
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/helpers/JobStepContext.java
Lines changed: 54 additions & 1 deletion b/‎operator/src/main/java/oracle/kubernetes/operator/helpers/JobStepContext.java
Lines changed: 54 additions & 1 deletion
@@ -636,6 +636,10 @@
     "InitializeDomainOnPV": {
       "type": "object",
       "properties": {
+        "runDomainInitContainerAsRoot": {
+          "description": "Specifies whether the operator will run the domain initialization init container in the introspector job as root. This may be needed in some environments to create the domain home directory on PV. Defaults to false.",
+          "type": "boolean"
+        },
         "waitForPvcToBind": {
           "description": "Specifies whether the operator will wait for the PersistentVolumeClaim to be bound before proceeding with the domain creation. Defaults to true.",
           "type": "boolean"
@@ -651,6 +655,10 @@
         "persistentVolumeClaim": {
           "description": "An optional field that describes the configuration for creating a PersistentVolumeClaim for `Domain on PV`. PersistentVolumeClaim is a user\u0027s request for and claim to a persistent volume. The operator will perform this one-time create operation only if the persistent volume claim does not already exist. Omit this section if you have manually created a persistent volume claim. If specified, the name must match one of the volumes under `serverPod.volumes` and the domain home must reside in the mount path of the volume using this claim. More info: https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/domain-on-pv-initialization#pvc",
           "$ref": "#/definitions/PersistentVolumeClaim"
+        },
+        "setDefaultSecurityContextFsGroup": {
+          "description": "Specifies whether the operator will set the default \u0027fsGroup\u0027 in the introspector job pod security context. This is needed to create the domain home directory on PV in some environments. If the \u0027fsGroup\u0027 is specified as part of \u0027spec.introspector.serverPod.podSecurityContext\u0027, then the operator will use that \u0027fsGroup\u0027 instead of the default \u0027fsGroup\u0027. Defaults to true.",
+          "type": "boolean"
         }
       }
     },
@@ -666,6 +674,10 @@
     "IntrospectorJobPod": {
       "type": "object",
       "properties": {
+        "podSecurityContext": {
+          "description": "Pod-level security attributes. See `kubectl explain pods.spec.securityContext`. Beginning with operator version 4.0.5, if no value is specified for this field, the operator will use default content for the pod-level `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/.",
+          "$ref": "https://github.com/garethr/kubernetes-json-schema/blob/master/v1.13.5/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext"
+        },
         "resources": {
           "description": "Memory and CPU minimum requirements and limits for the Introspector Job Pod. See `kubectl explain pods.spec.containers.resources`.",
           "$ref": "https://github.com/garethr/kubernetes-json-schema/blob/master/v1.13.5/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements"
 
@@ -226,6 +226,8 @@ The current status of the operation of the WebLogic domain. Updated automaticall
 | `domain` | [Domain On PV](#domain-on-pv) | Describes the configuration for creating an initial WebLogic Domain in persistent volume (`Domain in PV`). The operator will not recreate or update the domain if it already exists. Required. |
 | `persistentVolume` | [Persistent Volume](#persistent-volume) | An optional field that describes the configuration to create a PersistentVolume for `Domain on PV` domain. Omit this section if you have manually created a persistent volume. The operator will perform this one-time create operation only if the persistent volume does not already exist. The operator will not recreate or update the PersistentVolume when it exists. More info: https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/domain-on-pv-initialization#pv |
 | `persistentVolumeClaim` | [Persistent Volume Claim](#persistent-volume-claim) | An optional field that describes the configuration for creating a PersistentVolumeClaim for `Domain on PV`. PersistentVolumeClaim is a user's request for and claim to a persistent volume. The operator will perform this one-time create operation only if the persistent volume claim does not already exist. Omit this section if you have manually created a persistent volume claim. If specified, the name must match one of the volumes under `serverPod.volumes` and the domain home must reside in the mount path of the volume using this claim. More info: https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/domain-on-pv-initialization#pvc |
+| `runDomainInitContainerAsRoot` | Boolean | Specifies whether the operator will run the domain initialization init container in the introspector job as root. This may be needed in some environments to create the domain home directory on PV. Defaults to false. |
+| `setDefaultSecurityContextFsGroup` | Boolean | Specifies whether the operator will set the default 'fsGroup' in the introspector job pod security context. This is needed to create the domain home directory on PV in some environments. If the 'fsGroup' is specified as part of 'spec.introspector.serverPod.podSecurityContext', then the operator will use that 'fsGroup' instead of the default 'fsGroup'. Defaults to true. |
 | `waitForPvcToBind` | Boolean | Specifies whether the operator will wait for the PersistentVolumeClaim to be bound before proceeding with the domain creation. Defaults to true. |
 
 ### Model
@@ -256,6 +258,7 @@ The current status of the operation of the WebLogic domain. Updated automaticall
 | --- | --- | --- |
 | `env` | Array of [Env Var](k8s1.13.5.md#env-var) | A list of environment variables to set in the Introspector Job Pod container. More info: https://oracle.github.io/weblogic-kubernetes-operator/userguide/managing-domains/domain-resource/#jvm-memory-and-java-option-environment-variables. See `kubectl explain pods.spec.containers.env`. |
 | `envFrom` | Array of [Env From Source](k8s1.13.5.md#env-from-source) | List of sources to populate environment variables in the Introspector Job Pod container. The sources include either a config map or a secret. The operator will not expand the dependent variables in the 'envFrom' source. More details: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#define-an-environment-variable-for-a-container. Also see: https://oracle.github.io/weblogic-kubernetes-operator/userguide/managing-domains/domain-resource/#jvm-memory-and-java-option-environment-variables. |
+| `podSecurityContext` | [Pod Security Context](k8s1.13.5.md#pod-security-context) | Pod-level security attributes. See `kubectl explain pods.spec.securityContext`. Beginning with operator version 4.0.5, if no value is specified for this field, the operator will use default content for the pod-level `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/. |
 | `resources` | [Resource Requirements](k8s1.13.5.md#resource-requirements) | Memory and CPU minimum requirements and limits for the Introspector Job Pod. See `kubectl explain pods.spec.containers.resources`. |
 
 ### Probe Tuning
 
@@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    weblogic.sha256: d96104036903924b0d3ff60ec7427ffb6fc25d8d27628c96488798e5d7520fd0
+    weblogic.sha256: dfb1401d47ad44961c30bb2ab266cb8adcf12e8933bf510d48838ffb80766065
   name: domains.weblogic.oracle
 spec:
   group: weblogic.oracle
@@ -100,6 +100,12 @@ spec:
                       when they already exist.  For more information, see https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/choosing-a-model/
                       and https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/domain-on-pv '
                     properties:
+                      runDomainInitContainerAsRoot:
+                        description: Specifies whether the operator will run the domain
+                          initialization init container in the introspector job as
+                          root. This may be needed in some environments to create
+                          the domain home directory on PV. Defaults to false.
+                        type: boolean
                       waitForPvcToBind:
                         description: Specifies whether the operator will wait for
                           the PersistentVolumeClaim to be bound before proceeding
@@ -471,6 +477,15 @@ spec:
                                 type: object
                             type: object
                         type: object
+                      setDefaultSecurityContextFsGroup:
+                        description: Specifies whether the operator will set the default
+                          'fsGroup' in the introspector job pod security context.
+                          This is needed to create the domain home directory on PV
+                          in some environments. If the 'fsGroup' is specified as part
+                          of 'spec.introspector.serverPod.podSecurityContext', then
+                          the operator will use that 'fsGroup' instead of the default
+                          'fsGroup'. Defaults to true.
+                        type: boolean
                     type: object
                   overrideDistributionStrategy:
                     default: Dynamic
@@ -3848,6 +3863,71 @@ spec:
                     description: Customization affecting the generation of the Introspector
                       Job Pod.
                     properties:
+                      podSecurityContext:
+                        description: 'Pod-level security attributes. See `kubectl
+                          explain pods.spec.securityContext`. Beginning with operator
+                          version 4.0.5, if no value is specified for this field,
+                          the operator will use default content for the pod-level
+                          `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/.'
+                        properties:
+                          runAsUser:
+                            type: integer
+                          seLinuxOptions:
+                            properties:
+                              role:
+                                type: string
+                              level:
+                                type: string
+                              type:
+                                type: string
+                              user:
+                                type: string
+                            type: object
+                          fsGroup:
+                            type: integer
+                          seccompProfile:
+                            properties:
+                              localhostProfile:
+                                type: string
+                              type:
+                                type: string
+                            required:
+                            - type
+                            type: object
+                          windowsOptions:
+                            properties:
+                              gmsaCredentialSpec:
+                                type: string
+                              runAsUserName:
+                                type: string
+                              hostProcess:
+                                type: boolean
+                              gmsaCredentialSpecName:
+                                type: string
+                            type: object
+                          fsGroupChangePolicy:
+                            type: string
+                          supplementalGroups:
+                            items:
+                              type: integer
+                            type: array
+                          runAsGroup:
+                            type: integer
+                          runAsNonRoot:
+                            type: boolean
+                          sysctls:
+                            items:
+                              type: object
+                              properties:
+                                name:
+                                  type: string
+                                value:
+                                  type: string
+                              required:
+                              - name
+                              - value
+                            type: array
+                        type: object
                       resources:
                         description: Memory and CPU minimum requirements and limits
                           for the Introspector Job Pod. See `kubectl explain pods.spec.containers.resources`.
 
@@ -23,8 +23,10 @@
 import io.kubernetes.client.openapi.models.V1EnvVarSource;
 import io.kubernetes.client.openapi.models.V1HostAlias;
 import io.kubernetes.client.openapi.models.V1Pod;
+import io.kubernetes.client.openapi.models.V1PodSecurityContext;
 import io.kubernetes.client.openapi.models.V1PodSpec;
 import io.kubernetes.client.openapi.models.V1ResourceRequirements;
+import io.kubernetes.client.openapi.models.V1SecurityContext;
 import io.kubernetes.client.openapi.models.V1Toleration;
 import io.kubernetes.client.openapi.models.V1Volume;
 import io.kubernetes.client.openapi.models.V1VolumeMount;
@@ -154,13 +156,15 @@ protected V1Container createInitContainerForAuxiliaryImage(DeploymentImage auxil
             .command(Collections.singletonList(AUXILIARY_IMAGE_INIT_CONTAINER_WRAPPER_SCRIPT))
             .env(createEnv(auxiliaryImage, getName(index)))
             .resources(createResources())
-            .securityContext(PodSecurityHelper.getDefaultContainerSecurityContext())
+            .securityContext(getInitContainerSecurityContext())
             .volumeMounts(Arrays.asList(
                     new V1VolumeMount().name(AUXILIARY_IMAGE_INTERNAL_VOLUME_NAME)
                             .mountPath(AUXILIARY_IMAGE_TARGET_PATH),
                     new V1VolumeMount().name(SCRIPTS_VOLUME).mountPath(SCRIPTS_MOUNTS_PATH)));
   }
 
+  abstract V1SecurityContext getInitContainerSecurityContext();
+
   private String getName(int index) {
     return AUXILIARY_IMAGE_INIT_CONTAINER_NAME_PREFIX + (index + 1);
   }
@@ -219,10 +223,12 @@ protected V1PodSpec createPodSpec() {
         .tolerations(getTolerations())
         .hostAliases(getHostAliases())
         .restartPolicy(getServerSpec().getRestartPolicy())
-        .securityContext(getServerSpec().getPodSecurityContext())
+        .securityContext(getPodSecurityContext())
         .imagePullSecrets(getServerSpec().getImagePullSecrets());
   }
 
+  abstract V1PodSecurityContext getPodSecurityContext();
+
   private List<V1Toleration> getTolerations() {
     List<V1Toleration> tolerations = getServerSpec().getTolerations();
     return tolerations.isEmpty() ? null : tolerations;
 
@@ -62,6 +62,7 @@
 import oracle.kubernetes.weblogic.domain.model.InitializeDomainOnPV;
 import oracle.kubernetes.weblogic.domain.model.IntrospectorJobEnvVars;
 import oracle.kubernetes.weblogic.domain.model.ServerEnvVars;
+import org.jetbrains.annotations.NotNull;
 
 import static oracle.kubernetes.common.AuxiliaryImageConstants.AUXILIARY_IMAGE_TARGET_PATH;
 import static oracle.kubernetes.common.CommonConstants.COMPATIBILITY_MODE;
@@ -486,11 +487,39 @@ private void addInitDomainOnPVInitContainer(List<V1Container> initContainers) {
                 .value(getDomainHomeOnPVHomeOwnership()))
         .addEnvItem(new V1EnvVar().name(AuxiliaryImageEnvVars.AUXILIARY_IMAGE_TARGET_PATH)
             .value(AuxiliaryImageConstants.AUXILIARY_IMAGE_TARGET_PATH))
-        .securityContext(new V1SecurityContext().runAsGroup(0L).runAsUser(0L))
+        .securityContext(getInitContainerSecurityContext())
         .command(List.of(INIT_DOMAIN_ON_PV_SCRIPT))
     );
   }
 
+  @Override
+  V1SecurityContext getInitContainerSecurityContext() {
+    if (isInitDomainOnPVRunAsRoot()) {
+      return new V1SecurityContext().runAsGroup(0L).runAsUser(0L);
+    }
+    if (getPodSecurityContext().equals(new V1PodSecurityContext())) {
+      return PodSecurityHelper.getDefaultContainerSecurityContext();
+    }
+    return creatSecurityContextFromPodSecurityContext(getPodSecurityContext());
+  }
+
+  @NotNull
+  private Boolean isInitDomainOnPVRunAsRoot() {
+    return Optional.ofNullable(getDomain().getInitializeDomainOnPV())
+        .map(p -> p.getRunDomainInitContainerAsRoot()).orElse(false);
+  }
+
+  private V1SecurityContext creatSecurityContextFromPodSecurityContext(
+      V1PodSecurityContext podSecurityContext) {
+    return new V1SecurityContext()
+        .runAsUser(podSecurityContext.getRunAsUser())
+        .runAsGroup(podSecurityContext.getRunAsGroup())
+        .runAsNonRoot(podSecurityContext.getRunAsNonRoot())
+        .seccompProfile(podSecurityContext.getSeccompProfile())
+        .seLinuxOptions(podSecurityContext.getSeLinuxOptions())
+        .windowsOptions(podSecurityContext.getWindowsOptions());
+  }
+
   private String getDomainHomeOnPVHomeOwnership() {
     Long uid = Optional.ofNullable(getDomain().getAdminServerSpec())
                     .map(EffectiveServerSpec::getPodSecurityContext)
@@ -555,9 +584,33 @@ protected V1PodSpec createPodSpec() {
     if (getDefaultAntiAffinity().equals(podSpec.getAffinity())) {
       podSpec.affinity(null);
     }
+
+    if (isInitializeDomainOnPV()) {
+      V1PodSecurityContext podSecurityContext = getPodSecurityContext();
+      if (getDomain().getInitializeDomainOnPV().getSetDefaultSecurityContextFsGroup()) {
+        if (podSecurityContext.getFsGroup() == null && podSecurityContext.getRunAsGroup() != null) {
+          podSpec.securityContext(podSecurityContext.fsGroup(podSecurityContext.getRunAsGroup()));
+        } else if (podSecurityContext.getFsGroup() == null) {
+          Optional.ofNullable(TuningParameters.getInstance()).ifPresent(instance -> {
+            if (!"OpenShift".equalsIgnoreCase(instance.getKubernetesPlatform())) {
+              podSpec.securityContext(podSecurityContext.fsGroup(0L));
+            }
+          });
+        }
+        if (podSpec.getSecurityContext().getFsGroupChangePolicy() == null) {
+          podSpec.getSecurityContext().fsGroupChangePolicy("OnRootMismatch");
+        }
+      }
+    }
     return podSpec;
   }
 
+  @Override
+  V1PodSecurityContext getPodSecurityContext() {
+    return Optional.ofNullable(getDomain().getIntrospectorSpec()).map(s -> s.getPodSecurityContext())
+        .orElse(getDomain().getAdminServerSpec().getPodSecurityContext());
+  }
+
   private void addConfigOverrideSecretVolume(V1PodSpec podSpec, String secretName) {
     podSpec.addVolumesItem(
           new V1Volume()