fix: fsGroup has to be set on pod securityContext level, not container (falcondev-oss#83)

okgolove · web-flow · commit 772e7ac1960f · 2024-12-20T01:12:41.000+08:00
diff --git a/install/kubernetes/github-actions-cache-server/Chart.yaml b/install/kubernetes/github-actions-cache-server/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/install/kubernetes/github-actions-cache-server/templates/deployment.yaml b/install/kubernetes/github-actions-cache-server/templates/deployment.yaml
@@ -34,6 +34,8 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "github-actions-cache-server.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
diff --git a/install/kubernetes/github-actions-cache-server/values.yaml b/install/kubernetes/github-actions-cache-server/values.yaml
@@ -31,14 +31,16 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 
+podSecurityContext:
+  fsGroup: 1000
+
 securityContext:
   capabilities:
     drop:
       - ALL
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: 1000
-  fsGroup: 1000
 
 service:
   type: ClusterIP
