From a1a3a6037ff32773257cab730f43b815ecba065f Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Fri, 29 Sep 2023 17:13:10 +1000
Subject: [PATCH] refactor: wrap the injection in a feature flag
---
 legacy/build-deploy-docker-compose.sh | 4 +++-
 legacy/helmcharts/basic-persistent/values.yaml | 3 +--
 legacy/helmcharts/cli-persistent/values.yaml | 3 +--
 legacy/helmcharts/nginx-php-persistent/values.yaml | 3 +--
 legacy/helmcharts/node-persistent/values.yaml | 4 ++--
 legacy/helmcharts/python-persistent/values.yaml | 3 +--
 legacy/helmcharts/worker-persistent/values.yaml | 3 +--
 7 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/legacy/build-deploy-docker-compose.sh b/legacy/build-deploy-docker-compose.sh
index 8dd9e3d4..c2828008 100755
--- a/legacy/build-deploy-docker-compose.sh
+++ b/legacy/build-deploy-docker-compose.sh
@@ -856,7 +856,9 @@ set +x
 if [ "$(featureFlag ROOTLESS_WORKLOAD)" = enabled ]; then
 yq3 merge -ix -- /kubectl-build-deploy/values.yaml /kubectl-build-deploy/rootless.values.yaml
 fi
-
+if [ "$(featureFlag FS_ON_ROOT_MISMATCH)" = enabled ]; then
+ yq3 write -i -- /kubectl-build-deploy/values.yaml 'podSecurityContext.fsGroupChangePolicy' "OnRootMismatch"
+fi
 if [ "${SCC_CHECK}" != "false" ]; then
 # openshift permissions are different, this is to set the fsgroup to the supplemental group from the openshift annotations
 # this applies it to all deployments in this environment because we don't isolate by service type its applied to all
diff --git a/legacy/helmcharts/basic-persistent/values.yaml b/legacy/helmcharts/basic-persistent/values.yaml
index fe7d263f..b8a3ff16 100644
--- a/legacy/helmcharts/basic-persistent/values.yaml
+++ b/legacy/helmcharts/basic-persistent/values.yaml
@@ -17,8 +17,7 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
-podSecurityContext:
- fsGroupChangePolicy: "OnRootMismatch"
+podSecurityContext: {}
 securityContext: {}
 # capabilities:
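Review bot: The new `FS_ON_ROOT_MISMATCH` block in `legacy/build-deploy-docker-compose.sh` carries no comment, although it turns a former chart default into an opt-in. The six `*-persistent` values files in this patch drop `fsGroupChangePolicy: "OnRootMismatch"`, so with the flag unset those pods fall back to the Kubernetes default of `Always`. With the flag set, the `yq3 write` lands in the shared `/kubectl-build-deploy/values.yaml`, so it presumably reaches every chart rendered from that file rather than only those six; worth confirming that is intended. I would add above the `if`: `# opt-in: only re-own/re-permission a volume when its root does not already match fsGroup; files deeper in the volume are left as they are`. The surrounding script, including the `SCC_CHECK` block that sets the fsgroup, continues outside the hunk.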
diff --git a/legacy/helmcharts/cli-persistent/values.yaml b/legacy/helmcharts/cli-persistent/values.yaml
index 19f94f0c..4f736c5c 100644
--- a/legacy/helmcharts/cli-persistent/values.yaml
+++ b/legacy/helmcharts/cli-persistent/values.yaml
@@ -19,8 +19,7 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
-podSecurityContext:
- fsGroupChangePolicy: "OnRootMismatch"
+podSecurityContext: {}
 securityContext: {}
 # capabilities:
diff --git a/legacy/helmcharts/nginx-php-persistent/values.yaml b/legacy/helmcharts/nginx-php-persistent/values.yaml
index 0cd05b1f..3395ff9d 100644
--- a/legacy/helmcharts/nginx-php-persistent/values.yaml
+++ b/legacy/helmcharts/nginx-php-persistent/values.yaml
@@ -19,8 +19,7 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
-podSecurityContext:
- fsGroupChangePolicy: "OnRootMismatch"
+podSecurityContext: {}
 securityContext: {}
 # capabilities:
diff --git a/legacy/helmcharts/node-persistent/values.yaml b/legacy/helmcharts/node-persistent/values.yaml
index eea9ab53..0ce6dfef 100644
--- a/legacy/helmcharts/node-persistent/values.yaml
+++ b/legacy/helmcharts/node-persistent/values.yaml
@@ -17,8 +17,8 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
-podSecurityContext:
- fsGroupChangePolicy: "OnRootMismatch"
+podSecurityContext: {}
+
 securityContext: {}
 # capabilities:
 # drop:
diff --git a/legacy/helmcharts/python-persistent/values.yaml b/legacy/helmcharts/python-persistent/values.yaml
index eb57eed9..8bbdf7c4 100644
--- a/legacy/helmcharts/python-persistent/values.yaml
+++ b/legacy/helmcharts/python-persistent/values.yaml
@@ -17,8 +17,7 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
-podSecurityContext:
- fsGroupChangePolicy: "OnRootMismatch"
+podSecurityContext: {}
 securityContext: {}
 # capabilities:
diff --git a/legacy/helmcharts/worker-persistent/values.yaml b/legacy/helmcharts/worker-persistent/values.yaml
index 69737050..a0bfa83a 100644
--- a/legacy/helmcharts/worker-persistent/values.yaml
+++ b/legacy/helmcharts/worker-persistent/values.yaml
@@ -19,8 +19,7 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
-podSecurityContext:
- fsGroupChangePolicy: "OnRootMismatch"
+podSecurityContext: {}
 securityContext: {}
 # capabilities: