Enforcing fsGroup to 65535 breaks backups on OpenShift #1009

Closed
timbrd opened this issue Jan 5, 2020 · 3 comments
timbrd commented Jan 5, 2020

After creating a BackupConfiguration, all my deployments on OpenShift 3.11 get updated with "fsGroup: 65535". I think it is related to this merge request.

This breaks my deployments and the side car containers though, since the default group Id on OpenShift is 1000350000.

29s         1m           14      jira-software-8.15e71c7ff5dcb5e9                              ReplicationController                                    Warning   FailedCreate                       replication-controller                              Error creating: pods "jira-software-8-" is forbidden: unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{65535}: 65535 is not an allowed group]
2s          13m          9       jira-home-backup-1578260760.15e71bce7eb1a32f                  Job                                                      Warning   FailedCreate                       job-controller                                      Error creating: pods "jira-home-backup-1578260760-" is forbidden: unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{65535}: 65535 is not an allowed group]

After adding the "restricted" security context to the serviceaccounts, the pods start up.

$ oc adm policy add-scc-to-user restricted -z jira-home-backup
$ oc adm policy add-scc-to-user restricted -z default

For obvious reasons I don't want to give these serviceaccounts privileged rights though.

Is there a way to disable setting the fsGroup on the deployment configurations?
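A pre-flight check, added here as an example and not code from Stash or from anyone in this thread: it validates a pod's fsGroup against the namespace's OpenShift supplemental-groups annotation (the GID range the restricted SCC enforces with its MustRunAs strategy) and flags the "is not an allowed group" rejections from `oc get events` output. The annotation value, pod spec and event lines are constructed from the numbers quoted in the issue; the annotation name and range syntax are standard OpenShift behaviour, not something the issue states.

```python
import re
from typing import Optional, Tuple

# Namespace annotation OpenShift uses to allocate the GID range the "restricted"
# SCC (fsGroup strategy MustRunAs) accepts; written "<start>/<size>" or "<min>-<max>".
SUPPLEMENTAL_GROUPS_ANNOTATION = "openshift.io/sa.scc.supplemental-groups"

def parse_group_range(value: str) -> Tuple[int, int]:
    """Return the inclusive (min, max) GID range from an annotation value."""
    if "/" in value:
        start, size = value.split("/", 1)
        return int(start), int(start) + int(size) - 1
    low, high = value.split("-", 1)
    return int(low), int(high)

def fsgroup_allowed(pod_spec: dict, annotations: dict) -> Optional[str]:
    """None if the pod's fsGroup fits the namespace range, else the reason.
    Reproduces the admission check behind the issue's error: an explicit
    fsGroup outside the namespace range is rejected by the restricted SCC."""
    fs_group = pod_spec.get("securityContext", {}).get("fsGroup")
    if fs_group is None:
        return None  # admission fills in the first GID of the range
    low, high = parse_group_range(annotations[SUPPLEMENTAL_GROUPS_ANNOTATION])
    if low <= fs_group <= high:
        return None
    return f"fsGroup {fs_group} outside allowed range {low}-{high}"

# Matches the rejection text quoted in the issue so `oc get events` output
# can be scanned for pods blocked for this reason.
SCC_FSGROUP_EVENT = re.compile(
    r'pods "(?P<pod>[^"]+)" is forbidden: .*'
    r'fsGroup: Invalid value: \[\]int64\{(?P<gid>\d+)\}'
)

def scc_violations(events_text: str) -> list:
    """Return (pod name prefix, rejected GID) for each fsGroup SCC rejection."""
    return [(m.group("pod"), int(m.group("gid")))
            for m in SCC_FSGROUP_EVENT.finditer(events_text)]

# Constructed sample input: the range allocated in the issue's namespace, the
# securityContext Stash injected, and two event lines modelled on the issue.
SAMPLE_ANNOTATIONS = {SUPPLEMENTAL_GROUPS_ANNOTATION: "1000350000/10000"}
SAMPLE_POD_SPEC = {"securityContext": {"fsGroup": 65535}}
SAMPLE_EVENTS = (
    'Warning FailedCreate job-controller Error creating: pods "jira-home-backup-1578260760-" '
    'is forbidden: unable to validate against any security context constraint: '
    '[fsGroup: Invalid value: []int64{65535}: 65535 is not an allowed group]\n'
    'Normal SuccessfulCreate replicaset-controller Created pod: stash-operator-dbc7f86cf-q9x6x\n'
)
```

Running `fsgroup_allowed(SAMPLE_POD_SPEC, SAMPLE_ANNOTATIONS)` on a workload before applying it shows the mismatch without waiting for the controller to fail; a pod with no explicit fsGroup passes because admission assigns one from the range.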

timbrd (Author) commented Jan 5, 2020

I use stash v0.9.0-rc.1 (not *rc.2 !)

tamalsaha added a commit that referenced this issue Jan 7, 2020
xref: #1007, #1009, #1010

Signed-off-by: Tamal Saha <tamal@appscode.com>
tamalsaha added a commit that referenced this issue Jan 8, 2020
xref: #1007, #1009, #1010

Signed-off-by: Tamal Saha <tamal@appscode.com>
@tamalsaha tamalsaha added this to the 0.9.0-rc.5 milestone Jan 23, 2020
hossainemruz (Contributor) commented
This should be fixed by v0.9.0-rc.6. Feel free to re-open if it doesn't.

timbrd (Author) commented Mar 15, 2020

Now the pod starts, but there is still an event which says that the operator pod could not be created due to a security context violation:

[...]
1m          1m           1       stash-operator.15fc914605ce32c3                    Deployment                                  Normal    ScalingReplicaSet   deployment-controller                                            Scaled up replica set stash-operator-dbc7f86cf to 1
59s         59s          1       stash-operator-dbc7f86cf-q9x6x.15fc9146470b4bd4    Pod                                         Normal    Scheduled           default-scheduler                                                Successfully assigned stash-operator/stash-operator-dbc7f86cf-q9x6x to appnode02vp.okd.c01-3-nc.mydomain.com
59s         59s          7       stash-operator-dbc7f86cf.15fc9146113218d1          ReplicaSet                                  Warning   FailedCreate        replicaset-controller                                            Error creating: pods "stash-operator-dbc7f86cf-" is forbidden: unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{65535}: 65535 is not an allowed group]
59s         59s          1       stash-operator-dbc7f86cf.15fc914645e90127          ReplicaSet                                  Normal    SuccessfulCreate    replicaset-controller                                            Created pod: stash-operator-dbc7f86cf-q9x6x
[...]
➜ / oc get all
NAME                                 READY   STATUS    RESTARTS   AGE
pod/stash-operator-dbc7f86cf-q9x6x   2/2     Running   0          4m

NAME                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
service/stash-operator   ClusterIP   172.30.132.53   <none>        443/TCP,56789/TCP   4m

NAME                             DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/stash-operator   1         1         1            1           4m

NAME                                       DESIRED   CURRENT   READY   AGE
replicaset.apps/stash-operator-dbc7f86cf   1         1         1       4m
