Set FS group security context for non OCP clusters (#6814)

This is the default in openshift, but some storage implementations will look for this value when configuring the filesystem on a PVC. Resolves https://issues.redhat.com/browse/MGMT-18996
openshift · Oct 3, 2024 · 341f986 · 341f986
1 parent 2939e07
commit 341f986
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/internal/controller/controllers/agentserviceconfig_controller.go b/internal/controller/controllers/agentserviceconfig_controller.go
@@ -1485,6 +1485,12 @@ func newImageServiceStatefulSet(ctx context.Context, log logrus.FieldLogger, asc
 		statefulSet.Spec.Replicas = &replicas
 		statefulSet.Spec.Template.Spec.ServiceAccountName = imageServiceName
 
+		if !asc.rec.IsOpenShift {
+			statefulSet.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{
+				FSGroup: swag.Int64(0),
+			}
+		}
+
 		volumes := statefulSet.Spec.Template.Spec.Volumes
 		if asc.rec.IsOpenShift {
 			volumes = ensureVolume(volumes, corev1.Volume{
@@ -2042,6 +2048,12 @@ func newAssistedServiceDeployment(ctx context.Context, log logrus.FieldLogger, a
 		deployment.Spec.Template.Spec.Volumes = volumes
 		deployment.Spec.Template.Spec.ServiceAccountName = serviceAccountName
 
+		if !asc.rec.IsOpenShift {
+			deployment.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{
+				FSGroup: swag.Int64(0),
+			}
+		}
+
 		if asc.rec.NodeSelector != nil {
 			deployment.Spec.Template.Spec.NodeSelector = asc.rec.NodeSelector
 		} else {

diff --git a/internal/controller/controllers/agentserviceconfig_controller_test.go b/internal/controller/controllers/agentserviceconfig_controller_test.go
@@ -2876,7 +2876,7 @@ var _ = Describe("Reconcile on non-OCP clusters", func() {
 		Expect(cm.Data["SERVICE_CA_CERT_PATH"]).To(Equal("/etc/assisted-ingress-cert/ca.crt"))
 	})
 
-	It("creates the assisted deployment without serving https, but with ingress https config", func() {
+	It("creates the assisted deployment correctly", func() {
 		res, err := reconciler.Reconcile(ctx, newAgentServiceConfigRequest(asc))
 		Expect(err).To(BeNil())
 		Expect(res).To(Equal(ctrl.Result{Requeue: true}))
@@ -2909,9 +2909,12 @@ var _ = Describe("Reconcile on non-OCP clusters", func() {
 		By("ensure probe scheme is http")
 		Expect(container.ReadinessProbe.ProbeHandler.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTP))
 		Expect(container.LivenessProbe.ProbeHandler.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTP))
+
+		By("ensure fs group is set")
+		Expect(deploy.Spec.Template.Spec.SecurityContext.FSGroup).To(HaveValue(Equal(int64(0))))
 	})
 
-	It("creates the image service statefulset without https config", func() {
+	It("creates the image service statefulset correctly", func() {
 		res, err := reconciler.Reconcile(ctx, newAgentServiceConfigRequest(asc))
 		Expect(err).To(BeNil())
 		Expect(res).To(Equal(ctrl.Result{Requeue: true}))
@@ -2939,6 +2942,9 @@ var _ = Describe("Reconcile on non-OCP clusters", func() {
 		By("ensure probe scheme is http")
 		Expect(container.ReadinessProbe.ProbeHandler.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTP))
 		Expect(container.LivenessProbe.ProbeHandler.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTP))
+
+		By("ensure fs group is set")
+		Expect(ss.Spec.Template.Spec.SecurityContext.FSGroup).To(HaveValue(Equal(int64(0))))
 	})
 
 	validateIngress := func(ingress *netv1.Ingress, host string, service string, port int32) {