add back the fsGroup to default to 33 and add notes about why in README
jessebot committed Apr 23, 2023
1 parent 4ee5f70 commit a5d1faa
Showing 2 changed files with 14 additions and 11 deletions.
9 changes: 6 additions & 3 deletions charts/nextcloud/README.md
Expand Up @@ -106,12 +106,13 @@ The following table lists the configurable parameters of the nextcloud chart and
| `nextcloud.extraInitContainers` | specify additional init containers | `[]` |
| `nextcloud.extraVolumes` | specify additional volumes for the NextCloud pod | `{}` |
| `nextcloud.extraVolumeMounts` | specify additional volume mounts for the NextCloud pod | `{}` |
| `nextcloud.securityContext` | Optional security context for the NextCloud container | `{}` populated with below 3 options |
| `nextcloud.securityContext` | Optional security context for the NextCloud container | `{}` populated with below 4 options |
| `nextcloud.securityContext.runAsUser` | Optional security context for the NextCloud container to run as UID | `33` |
| `nextcloud.securityContext.runAsGroup` | Optional security context for the NextCloud container to run as GID | `33` |
| `nextcloud.securityContext.runAsNonRoot` | Optional security context for the NextCloud container to not run as root | `true` |
| `nextcloud.securityContext.allowPrivilegeEscalation` | Optional security context for the NextCloud container to limit Privilege Escalation | `false` |
| `nextcloud.podSecurityContext` | Optional security context for the NextCloud pod (applies to all containers in the pod) | `nil` |
| `nextcloud.podSecurityContext` | Optional security context for the NextCloud pod (applies to all containers in the pod) | `{fsgroup: 33}` |
| `nextcloud.podSecurityContext.fsGroup` | special supplemental group that applies to all containers in the NextCloud pod | `33` |
| `nginx.enabled` | Enable nginx (requires you use php-fpm image) | `false` |
| `nginx.image.repository` | nginx Image name | `nginx` |
| `nginx.image.tag` | nginx Image tag | `alpine` |
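Review bot: The default shown for `nextcloud.podSecurityContext` is written `{fsgroup: 33}` with a lowercase "g", while the row below it and values.yaml use `fsGroup`. Kubernetes field names are case-sensitive, so a reader copying the table value would end up with a key the API does not recognize; write it as `{fsGroup: 33}`. The description for `nextcloud.podSecurityContext.fsGroup` could also say what the group is for in practice (permissions on mounted volumes, as the values.yaml comment puts it) rather than "special supplemental group".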
Expand Down Expand Up @@ -427,4 +428,6 @@ These are all the [securityContext](https://kubernetes.io/docs/reference/generat
| `cronjob.securityContext.runAsNonRoot` | Optional security context for cronjob |
| `nextcloud.podSecurityContext` | Optional security context for the NextCloud pod (applies to all containers in the pod) |
By default, only the `nextcloud.securityContext.runAsUser` and `nextcloud.securityContext.runAsGroup` for the nextcloud container are set, and the UID defaults to `33`, which is the UID of the `www-data` user. If you're using a nextcloud image with Alpine as the base, set this to `82`, the `www-data` user on alpine.
For the container, by default, only the `nextcloud.securityContext.runAsUser` and `nextcloud.securityContext.runAsGroup` for the nextcloud container are set, and the UID defaults to `33`, which is the UID of the `www-data` user. If you're using a nextcloud image with Alpine as the base, set this to `82`, the `www-data` user on alpine.
For the pod, `nextcloud.podSecurityContext.fsGroup` is set to `33` by default. You should set this to `82` if you're using an alpine image. See more about how this special option works [here](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#podsecuritycontext-v1-core).
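Review bot: The container paragraph still says that only `runAsUser` and `runAsGroup` are set by default, but the parameter table in this same README now lists four populated options, including `runAsNonRoot: true` and `allowPrivilegeEscalation: false`. Align the paragraph with the table so readers do not assume those two are unset. The phrase "set this to `82`" is also ambiguous about whether it means the UID, the GID or both; for Alpine images it would help to state in one place which of `runAsUser`, `runAsGroup` and `podSecurityContext.fsGroup` need to change. The link text "here" could name its target, the PodSecurityContext API reference.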
16 changes: 8 additions & 8 deletions charts/nextcloud/values.yaml
Expand Up @@ -200,14 +200,14 @@ nextcloud:
allowPrivilegeEscalation: false
# readOnlyRootFilesystem: false

# Set securityContext parameters for all containers in the nextcloud pod.
# For example, you may need to define fsGroup to change the default permissions for volumes
podSecurityContext: {}
# fsGroup: 33
# runAsUser: 33
# runAsGroup: 33
# runAsNonRoot: true
# readOnlyRootFilesystem: false
# Set securityContext parameters for all containers in the nextcloud pod, defaults to fsGroup `33`
# For example, you may need to define fsGroup to be `82` if you're using alpine and you want to change the default permissions for volumes
podSecurityContext:
fsGroup: 33
# runAsUser: 33
# runAsGroup: 33
# runAsNonRoot: true
# readOnlyRootFilesystem: false

nginx:
## You need to set an fpm version of the image for nextcloud if you want to use nginx!
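Review bot: Changing the default from `podSecurityContext: {}` to `fsGroup: 33` alters behaviour for existing releases on upgrade, and the comment above the key does not say so. Deployments on an Alpine-based image that only overrode the container `securityContext` to `82` will now get `fsGroup: 33` unless they override it as well, and setting fsGroup causes volume ownership and permissions to be adjusted at mount time for volume types that support it, which can be slow on large data volumes; consider documenting `fsGroupChangePolicy: OnRootMismatch` alongside it. Separately, the commented `# readOnlyRootFilesystem: false` under `podSecurityContext` is a container-level securityContext field, not a pod-level one, so it should be dropped from this list.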