Added explicit PodSecurityContext to have write access to the data vo… (#406)

razvan · razvan · commit 30e441faac37 · 2022-02-08T12:17:18.000Z
…lumes.

## Description

Tested on Azure and with Kind.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.
 
 - Enabled Prometheus scraping ([#380]).
 - ZookeeperZnode.spec.clusterRef.namespace now defaults to .metadata.namespace ([#382]).
+- PodSecurityContext.fsGroup to allow write access to mounted volumes ([406]).
 
 ### Changed
 
@@ -22,6 +23,7 @@ All notable changes to this project will be documented in this file.
 [#380]: https://github.com/stackabletech/zookeeper-operator/pull/380
 [#382]: https://github.com/stackabletech/zookeeper-operator/pull/382
 [#384]: https://github.com/stackabletech/zookeeper-operator/pull/384
+[#406]: https://github.com/stackabletech/zookeeper-operator/pull/406
 
 ## [0.8.0] - 2021-12-22
 
diff --git a/rust/operator-binary/src/zk_controller.rs b/rust/operator-binary/src/zk_controller.rs
@@ -21,8 +21,9 @@ use stackable_operator::{
             apps::v1::{StatefulSet, StatefulSetSpec},
             core::v1::{
                 ConfigMap, ConfigMapVolumeSource, EnvVar, EnvVarSource, ExecAction,
-                ObjectFieldSelector, PersistentVolumeClaim, PersistentVolumeClaimSpec, Probe,
-                ResourceRequirements, SecurityContext, Service, ServicePort, ServiceSpec, Volume,
+                ObjectFieldSelector, PersistentVolumeClaim, PersistentVolumeClaimSpec,
+                PodSecurityContext, Probe, ResourceRequirements, SecurityContext, Service,
+                ServicePort, ServiceSpec, Volume,
             },
         },
         apimachinery::pkg::{api::resource::Quantity, apis::meta::v1::LabelSelector},
@@ -496,6 +497,10 @@ fn build_server_rolegroup_statefulset(
                     }),
                     ..Volume::default()
                 })
+                .security_context(PodSecurityContext {
+                    fs_group: Some(1000),
+                    ..PodSecurityContext::default()
+                })
                 .build_template(),
             volume_claim_templates: Some(vec![PersistentVolumeClaim {
                 metadata: ObjectMeta {
