From 47d4fabb5876176d1ce677800b6c6caeb0adf41d Mon Sep 17 00:00:00 2001
From: Vijay Dharap
Date: Sat, 12 Mar 2022 03:51:58 +0530
Subject: [PATCH] add filesystem group change policy for large minio deployments (#14528)
* add group change policy for large MinIO deployments
* Added Kubernetes version > 1.20 check for applying the proposed change
---
 helm/minio/templates/deployment.yaml | 3 +++
 helm/minio/templates/statefulset.yaml | 3 +++
 helm/minio/values.yaml | 1 +
 3 files changed, 7 insertions(+)
diff --git a/helm/minio/templates/deployment.yaml b/helm/minio/templates/deployment.yaml
index 8c987afbd..ada3253c4 100644
--- a/helm/minio/templates/deployment.yaml
+++ b/helm/minio/templates/deployment.yaml
@@ -60,6 +60,9 @@ spec:
 runAsUser: {{ .Values.securityContext.runAsUser }}
 runAsGroup: {{ .Values.securityContext.runAsGroup }}
 fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor 20) }}
+ fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }}
+ {{- end }}
 {{- end }}
 {{ if .Values.serviceAccount.create }}
 serviceAccountName: {{ .Values.serviceAccount.name }}
diff --git a/helm/minio/templates/statefulset.yaml b/helm/minio/templates/statefulset.yaml
index bfe2aa77c..ec88fcdac 100644
--- a/helm/minio/templates/statefulset.yaml
+++ b/helm/minio/templates/statefulset.yaml
@@ -87,6 +87,9 @@ spec:
 runAsUser: {{ .Values.securityContext.runAsUser }}
 runAsGroup: {{ .Values.securityContext.runAsGroup }}
 fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor 20) }}
+ fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }}
+ {{- end }}
 {{- end }}
 {{ if .Values.serviceAccount.create }}
 serviceAccountName: {{ .Values.serviceAccount.name }}
diff --git a/helm/minio/values.yaml b/helm/minio/values.yaml
index e503e242e..f0615227a 100644
--- a/helm/minio/values.yaml
+++ b/helm/minio/values.yaml
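Review bot: The version guard added in the deployment.yaml hunk, and repeated unchanged in the statefulset.yaml hunk, compares `.Capabilities.KubeVersion.Minor` with the integer `20`, but Helm exposes Major and Minor as strings (the same line compares Major with `"1"`). Go template comparison functions reject mixed string and integer operands, so this is expected to fail at render time rather than select a branch. Managed clusters can also report a minor such as `20+`, and testing major and minor separately would wrongly exclude any future 2.0 release. A single semver test covers all three cases: `{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}`. The enclosing securityContext block starts outside both hunks, so the surrounding `if` could not be checked.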
@@ -237,6 +237,7 @@ securityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" # Additational pod annotations podAnnotations: {}
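Review bot: The new default `fsGroupChangePolicy: "OnRootMismatch"` has no comment, although it changes behaviour for every install that leaves the securityContext enabled. With this value the recursive ownership and permission change is skipped whenever the volume root already matches `fsGroup`, so files deeper in a reused volume keep whatever ownership they had, whereas the Kubernetes default `Always` re-applies it on each mount. I would add a comment above the key, for example `# "OnRootMismatch" skips the recursive chown/chmod when the volume root already matches fsGroup; set "Always" to re-apply ownership on every mount`. Operators who attach volumes written by another workload should be told to review this setting.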