[cherry-pick][CDAP-21258] Add FSGroupChangePolicy support to SecurityContext#167
[cherry-pick][CDAP-21258] Add FSGroupChangePolicy support to SecurityContext#167sidhdirenge wants to merge 1 commit into
Conversation
Add fsGroupChangePolicy support to the custom SecurityContext struct. This allows configuring fsGroupChangePolicy (e.g., OnRootMismatch) at the pod level for CDAP services like logs, significantly reducing pod startup latency on large volumes. Includes OpenAPI v3 validation enum and updated unit test cases.
There was a problem hiding this comment.
Code Review
This pull request adds support for the FSGroupChangePolicy field in the SecurityContext of the CDAP operator, updating the API, templates, and test configurations. However, the changes to config/rbac/role.yaml severely restrict the RBAC permissions for configmaps and services to only create, which will cause the operator to fail during reconciliation. Full CRUD capabilities must be restored for these resources to function properly.
| verbs: | ||
| - create |
There was a problem hiding this comment.
The RBAC permissions for 'configmaps' and 'services' have been severely restricted to only 'create'. The operator requires full CRUD capabilities ('get', 'list', 'watch', 'create', 'update', 'patch', 'delete') for both resources to function properly (e.g., in 'ConfigMapHandler' and 'ServiceHandler'). This change will cause the operator to fail during reconciliation.
verbs:
- create
- delete
- get
- list
- patch
- update
- watchThere was a problem hiding this comment.
The diff is combining configmaps and services into a single rule block containing all verbs; the other CRUD verbs are still in the file but hidden from the diff as unchanged context.
Cherry-pick : #164