Merge pull request #1679 from niklastreml/fix/supplemental-groups

fix: pass complete security context to pods

Author: pepov

pkg/resources/fluentd/appconfigmap.go

@@ -262,17 +262,11 @@ func (r *Reconciler) newCheckPod(hashKey string, fluentdSpec v1beta1.FluentdSpec
 			Tolerations:        fluentdSpec.Tolerations,
 			Affinity:           fluentdSpec.Affinity,
 			PriorityClassName:  fluentdSpec.PodPriorityClassName,
-			SecurityContext: &corev1.PodSecurityContext{
-				RunAsNonRoot:   fluentdSpec.Security.PodSecurityContext.RunAsNonRoot,
-				FSGroup:        fluentdSpec.Security.PodSecurityContext.FSGroup,
-				RunAsUser:      fluentdSpec.Security.PodSecurityContext.RunAsUser,
-				RunAsGroup:     fluentdSpec.Security.PodSecurityContext.RunAsGroup,
-				SeccompProfile: fluentdSpec.Security.PodSecurityContext.SeccompProfile,
-			},
-			Volumes:          volumes,
-			ImagePullSecrets: fluentdSpec.Image.ImagePullSecrets,
-			InitContainers:   initContainer,
-			Containers:       container,
+			SecurityContext:    fluentdSpec.Security.PodSecurityContext,
+			Volumes:            volumes,
+			ImagePullSecrets:   fluentdSpec.Image.ImagePullSecrets,
+			InitContainers:     initContainer,
+			Containers:         container,
 		},
 	}
 	if fluentdSpec.ConfigCheckAnnotations != nil {

pkg/resources/fluentd/drainjob.go

@@ -65,14 +65,8 @@ func (r *Reconciler) drainerJobFor(pvc corev1.PersistentVolumeClaim, fluentdSpec
 				Affinity:                  fluentdSpec.Affinity,
 				TopologySpreadConstraints: fluentdSpec.TopologySpreadConstraints,
 				PriorityClassName:         fluentdSpec.PodPriorityClassName,
-				SecurityContext: &corev1.PodSecurityContext{
-					RunAsNonRoot:   fluentdSpec.Security.PodSecurityContext.RunAsNonRoot,
-					FSGroup:        fluentdSpec.Security.PodSecurityContext.FSGroup,
-					RunAsUser:      fluentdSpec.Security.PodSecurityContext.RunAsUser,
-					RunAsGroup:     fluentdSpec.Security.PodSecurityContext.RunAsGroup,
-					SeccompProfile: fluentdSpec.Security.PodSecurityContext.SeccompProfile,
-				},
-				RestartPolicy: corev1.RestartPolicyNever,
+				SecurityContext:           fluentdSpec.Security.PodSecurityContext,
+				RestartPolicy:             corev1.RestartPolicyNever,
 			},
 		},
 	}

pkg/resources/fluentd/statefulset.go

@@ -125,13 +125,7 @@ func (r *Reconciler) statefulsetSpec() *appsv1.StatefulSetSpec {
 				PriorityClassName:         r.fluentdSpec.PodPriorityClassName,
 				DNSPolicy:                 r.fluentdSpec.DNSPolicy,
 				DNSConfig:                 r.fluentdSpec.DNSConfig,
-				SecurityContext: &corev1.PodSecurityContext{
-					RunAsNonRoot:   r.fluentdSpec.Security.PodSecurityContext.RunAsNonRoot,
-					FSGroup:        r.fluentdSpec.Security.PodSecurityContext.FSGroup,
-					RunAsUser:      r.fluentdSpec.Security.PodSecurityContext.RunAsUser,
-					RunAsGroup:     r.fluentdSpec.Security.PodSecurityContext.RunAsGroup,
-					SeccompProfile: r.fluentdSpec.Security.PodSecurityContext.SeccompProfile,
-				},
+				SecurityContext:           r.fluentdSpec.Security.PodSecurityContext,
 			},
 		},
 		ServiceName: r.Logging.QualifiedName(ServiceName + "-headless"),