From 1e023b919a719123d0d6f285e5a5e65ead310975 Mon Sep 17 00:00:00 2001
From: sivakumar subraani
Date: Thu, 18 Jul 2024 10:33:49 +0000
Subject: [PATCH] pb-7598: Removed default addition of the RunAsGroup in the securityAccount.
---
 pkg/drivers/nfsbackup/nfsbackup.go | 4 +++-
 pkg/drivers/nfsrestore/nfsrestore.go | 4 +++-
 pkg/drivers/utils/utils.go | 5 ++++-
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/pkg/drivers/nfsbackup/nfsbackup.go b/pkg/drivers/nfsbackup/nfsbackup.go
index 6e576d20..9704b131 100644
--- a/pkg/drivers/nfsbackup/nfsbackup.go
+++ b/pkg/drivers/nfsbackup/nfsbackup.go
@@ -281,7 +281,9 @@ func jobForBackupResource(
 // The Job is intended to backup resources to NFS backuplocation
 // and it doesn't need a specific JOB uid/gid since it will be sqaushed at NFS server
 // hence used a global hardcoded UID/GID.
- job, err = utils.AddSecurityContextToJob(job, utils.KdmpJobUid, utils.KdmpJobGid)
+ // Not passing the groupId as we do not want to set the RunAsGroup field in the securityContext
+ // This helps us in setting the primaryGroup ID to root for the user ID.
+ job, err = utils.AddSecurityContextToJob(job, utils.KdmpJobUid, "")
 if err != nil {
 return nil, err
 }
diff --git a/pkg/drivers/nfsrestore/nfsrestore.go b/pkg/drivers/nfsrestore/nfsrestore.go
index b9be4c7a..881ef272 100644
--- a/pkg/drivers/nfsrestore/nfsrestore.go
+++ b/pkg/drivers/nfsrestore/nfsrestore.go
@@ -321,7 +321,9 @@ func jobForRestoreResource(
 },
 },
 }
- job, err = utils.AddSecurityContextToJob(job, utils.KdmpJobUid, utils.KdmpJobGid)
+ // Not passing the groupId as we do not want to set the RunAsGroup field in the securityContext
+ // This helps us in setting the primaryGroup ID to root for the user ID.
+ job, err = utils.AddSecurityContextToJob(job, utils.KdmpJobUid, "")
 if err != nil {
 return nil, err
 }
diff --git a/pkg/drivers/utils/utils.go b/pkg/drivers/utils/utils.go
index ddbe00cd..5c328b2e 100644
--- a/pkg/drivers/utils/utils.go
+++ b/pkg/drivers/utils/utils.go
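Review bot: In `jobForBackupResource` the context comment directly above the changed call still says the job uses "a global hardcoded UID/GID", but the new call passes `""` for the group, so only the UID is fixed and the primary group becomes root, as the added comment itself states. Running the job with primary GID 0 widens its group-level file access, so the comment should give the reason this is required and not only the mechanism, for example `// RunAsGroup is deliberately left unset so the process keeps primary GID 0; needed because <reason to be filled in by the author>`. The same bare `""` is passed in `jobForRestoreResource` in nfsrestore.go; a named constant in `utils` meaning "no group" would make both call sites self-explanatory and easier to audit. Both function bodies start and end outside their hunks.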
@@ -1019,7 +1019,10 @@ func AddSecurityContextToJob(job *batchv1.Job, podUserId, podGroupId string) (*b
 // if the namespace is OCP, then overwrite the UID and GID from the namespace annotation
 if isOcp {
 podUserId = ocpUid
- podGroupId = ocpGid
+ // In the case of the OCP, we will not update the groupId.
+ if podGroupId != "" {
+ podGroupId = ocpGid
+ }
 }
 if podUserId != "" {
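Review bot: The added comment in the `isOcp` branch says the group ID is not updated on OCP, yet the `if` beneath it does overwrite `podGroupId` with `ocpGid` whenever the caller supplied a group; it should read something like `// Only take the GID from the namespace annotation when the caller asked for a group; an empty podGroupId is left empty.` An empty `podGroupId` is now part of the contract of `AddSecurityContextToJob` (presumably it decides whether RunAsGroup is set at all), so it belongs in the function's doc comment, and the context comment "overwrite the UID and GID" should be adjusted to match. It is worth confirming that an OCP job created without the namespace-annotated GID is still admitted under that namespace's security context constraints and that files it writes get the intended group ownership; neither is visible here. The function body starts and ends outside the hunk.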