Merge pull request #389 from portworx/pb-7598

pb-7598: Removed default addition of the RunAsGroup in the securityAc…
portworx · Jul 19, 2024 · 1f487d1 · 1f487d1
2 parents 63e0fa2 + 1e023b9
commit 1f487d1
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/pkg/drivers/nfsbackup/nfsbackup.go b/pkg/drivers/nfsbackup/nfsbackup.go
@@ -281,7 +281,9 @@ func jobForBackupResource(
 	// The Job is intended to backup resources to  NFS backuplocation
 	// and it doesn't need a specific JOB uid/gid since it will be sqaushed at NFS server
 	// hence used a global hardcoded UID/GID.
-	job, err = utils.AddSecurityContextToJob(job, utils.KdmpJobUid, utils.KdmpJobGid)
+	// Not passing the groupId as we do not want to set the RunAsGroup field in the securityContext
+	// This helps us in setting the primaryGroup ID to root for the user ID.
+	job, err = utils.AddSecurityContextToJob(job, utils.KdmpJobUid, "")
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/drivers/nfsrestore/nfsrestore.go b/pkg/drivers/nfsrestore/nfsrestore.go
@@ -321,7 +321,9 @@ func jobForRestoreResource(
 			},
 		},
 	}
-	job, err = utils.AddSecurityContextToJob(job, utils.KdmpJobUid, utils.KdmpJobGid)
+	// Not passing the groupId as we do not want to set the RunAsGroup field in the securityContext
+	// This helps us in setting the primaryGroup ID to root for the user ID.
+	job, err = utils.AddSecurityContextToJob(job, utils.KdmpJobUid, "")
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/drivers/utils/utils.go b/pkg/drivers/utils/utils.go
@@ -1019,7 +1019,10 @@ func AddSecurityContextToJob(job *batchv1.Job, podUserId, podGroupId string) (*b
 	// if the namespace is OCP, then overwrite the UID and GID from the namespace annotation
 	if isOcp {
 		podUserId = ocpUid
-		podGroupId = ocpGid
+		// In the case of the OCP, we will not update the groupId.
+		if podGroupId != "" {
+			podGroupId = ocpGid
+		}
 	}
 
 	if podUserId != "" {