POC set fsGroup when function is non-root

**What**
- Set the PodSecurityGroup fsGroup value when the function is non-root.
  This is needed in AWS EKS to enable the container access to the
  ServiceAccount token. This token, in AWS, will be an IAM API token
  that can be used to access AWS services.  Non-root functions will
  otherwise not be able to open the token file, preventing integration
  with AWS services via IAM.

Resovles openfaas#598

Signed-off-by: Lucas Roesler <[email protected]>

k8s/securityContext.go

@@ -13,6 +13,12 @@ import (
 // value >10000 per the suggestion from https://kubesec.io/basics/containers-securitycontext-runasuser/
 const SecurityContextUserID = int64(12000)
 
+// SecurityContextFSGroup is the arbitrary FSGroup ID value we will set when the pod is configured
+// to run as non-root. This is useful in AWS EKS to allow the container to access the service
+// account token, per these docs
+// https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
+const SecurityContextFSGroup = int64(12000)
+
 // ConfigureContainerUserID sets the UID to 12000 for the function Container.  Defaults to user
 // specified in image metadata if `SetNonRootUser` is `false`. Root == 0.
 func (f *FunctionFactory) ConfigureContainerUserID(deployment *appsv1.Deployment) {
@@ -23,6 +29,15 @@ func (f *FunctionFactory) ConfigureContainerUserID(deployment *appsv1.Deployment
 		functionUser = &userID
 	}
 
+	if deployment.Spec.Template.Spec.SecurityContext == nil {
+		deployment.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{}
+	}
+
+	if f.Config.SetNonRootUser {
+		groupID := SecurityContextFSGroup
+		deployment.Spec.Template.Spec.SecurityContext.FSGroup = &groupID
+	}
+
 	if deployment.Spec.Template.Spec.Containers[0].SecurityContext == nil {
 		deployment.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{}
 	}