
Commit

Merge pull request #1679 from niklastreml/fix/supplemental-groups
fix: pass complete security context to pods
pepov authored Feb 28, 2024
2 parents 7c2e729 + 37a91ac commit db85ac6
Showing 3 changed files with 8 additions and 26 deletions.
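--- a/pkg/resources/fluentd/appconfigmap.go
+++ b/pkg/resources/fluentd/appconfigmap.go
@@ -262,17 +262,11 @@ func (r *Reconciler) newCheckPod(hashKey string, fluentdSpec v1beta1.FluentdSpec
 Tolerations: fluentdSpec.Tolerations,
 Affinity: fluentdSpec.Affinity,
 PriorityClassName: fluentdSpec.PodPriorityClassName,
-SecurityContext: &corev1.PodSecurityContext{
-RunAsNonRoot: fluentdSpec.Security.PodSecurityContext.RunAsNonRoot,
-FSGroup: fluentdSpec.Security.PodSecurityContext.FSGroup,
-RunAsUser: fluentdSpec.Security.PodSecurityContext.RunAsUser,
-RunAsGroup: fluentdSpec.Security.PodSecurityContext.RunAsGroup,
-SeccompProfile: fluentdSpec.Security.PodSecurityContext.SeccompProfile,
-},
-Volumes: volumes,
-ImagePullSecrets: fluentdSpec.Image.ImagePullSecrets,
-InitContainers: initContainer,
-Containers: container,
+SecurityContext: fluentdSpec.Security.PodSecurityContext,
+Volumes: volumes,
+ImagePullSecrets: fluentdSpec.Image.ImagePullSecrets,
+InitContainers: initContainer,
+Containers: container,
 },
 }
 if fluentdSpec.ConfigCheckAnnotations != nil {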
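Review bot: The `SecurityContext` field in newCheckPod now holds the very pointer stored in `fluentdSpec.Security.PodSecurityContext`, so the generated pod and the spec share one struct; the same assignment is made in drainerJobFor (drainjob.go) and statefulsetSpec (statefulset.go). If any later step mutates a generated object's pod-level security context, which is not visible in these hunks, the write would reach the spec and the other two objects. `SecurityContext: fluentdSpec.Security.PodSecurityContext.DeepCopy(),` keeps each object independent and returns nil for a nil input. `fluentdSpec.Security` itself is still dereferenced without a guard here, presumably relying on defaulting done elsewhere. newCheckPod starts and ends outside the hunk.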
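--- a/pkg/resources/fluentd/drainjob.go
+++ b/pkg/resources/fluentd/drainjob.go
@@ -65,14 +65,8 @@ func (r *Reconciler) drainerJobFor(pvc corev1.PersistentVolumeClaim, fluentdSpec
 Affinity: fluentdSpec.Affinity,
 TopologySpreadConstraints: fluentdSpec.TopologySpreadConstraints,
 PriorityClassName: fluentdSpec.PodPriorityClassName,
-SecurityContext: &corev1.PodSecurityContext{
-RunAsNonRoot: fluentdSpec.Security.PodSecurityContext.RunAsNonRoot,
-FSGroup: fluentdSpec.Security.PodSecurityContext.FSGroup,
-RunAsUser: fluentdSpec.Security.PodSecurityContext.RunAsUser,
-RunAsGroup: fluentdSpec.Security.PodSecurityContext.RunAsGroup,
-SeccompProfile: fluentdSpec.Security.PodSecurityContext.SeccompProfile,
-},
-RestartPolicy: corev1.RestartPolicyNever,
+SecurityContext: fluentdSpec.Security.PodSecurityContext,
+RestartPolicy: corev1.RestartPolicyNever,
 },
 },
 }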
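--- a/pkg/resources/fluentd/statefulset.go
+++ b/pkg/resources/fluentd/statefulset.go
@@ -125,13 +125,7 @@ func (r *Reconciler) statefulsetSpec() *appsv1.StatefulSetSpec {
 PriorityClassName: r.fluentdSpec.PodPriorityClassName,
 DNSPolicy: r.fluentdSpec.DNSPolicy,
 DNSConfig: r.fluentdSpec.DNSConfig,
-SecurityContext: &corev1.PodSecurityContext{
-RunAsNonRoot: r.fluentdSpec.Security.PodSecurityContext.RunAsNonRoot,
-FSGroup: r.fluentdSpec.Security.PodSecurityContext.FSGroup,
-RunAsUser: r.fluentdSpec.Security.PodSecurityContext.RunAsUser,
-RunAsGroup: r.fluentdSpec.Security.PodSecurityContext.RunAsGroup,
-SeccompProfile: r.fluentdSpec.Security.PodSecurityContext.SeccompProfile,
-},
+SecurityContext: r.fluentdSpec.Security.PodSecurityContext,
 },
 },
 ServiceName: r.Logging.QualifiedName(ServiceName + "-headless"),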
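Review bot: No test or comment records that fields the old literal dropped (`SupplementalGroups`, `Sysctls`, `SELinuxOptions`, `FSGroupChangePolicy` among them) now reach the StatefulSet pod template through the `SecurityContext` line. A Logging resource that already set one of those would presumably get a changed template, and with it a rollout, when the operator is upgraded, so the change deserves a release note. I would add a comment above the field, `// Pass the user-supplied pod security context through unchanged so every field (e.g. supplementalGroups) applies.`, and a unit test asserting that a `SupplementalGroups` value set on the spec appears in the generated pod spec. statefulsetSpec continues outside the hunk.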
