Merge pull request #1949 from hasbro17/haseeb/change-default-pod-UID

*: make SecurityContext configurable via PodPolicy

pkg/apis/etcd/v1beta2/cluster.go

@@ -148,6 +148,10 @@ type PodPolicy struct {
 	// busybox:latest uses uclibc which contains a bug that sometimes prevents name resolution
 	// More info: https://github.com/docker-library/busybox/issues/27
 	BusyboxImage string `json:"busyboxImage,omitempty"`
+
+	// SecurityContext specifies the security context for the entire pod
+	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context
+	SecurityContext *v1.PodSecurityContext `json:"securityContext,omitempty"`
 }
 
 // TODO: move this to initializer

pkg/util/k8sutil/k8sutil.go

@@ -350,9 +350,6 @@ func newEtcdPod(m *etcdutil.Member, initialCluster []string, clusterName, state,
 		}})
 	}
 
-	runAsNonRoot := true
-	podUID := int64(9000)
-	fsGroup := podUID
 	pod := &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        m.Name,
@@ -383,17 +380,20 @@ func newEtcdPod(m *etcdutil.Member, initialCluster []string, clusterName, state,
 			Hostname:                     m.Name,
 			Subdomain:                    clusterName,
 			AutomountServiceAccountToken: func(b bool) *bool { return &b }(false),
-			SecurityContext: &v1.PodSecurityContext{
-				RunAsUser:    &podUID,
-				RunAsNonRoot: &runAsNonRoot,
-				FSGroup:      &fsGroup,
-			},
+			SecurityContext:              podSecurityContext(cs.Pod),
 		},
 	}
 	SetEtcdVersion(pod, cs.Version)
 	return pod
 }
 
+func podSecurityContext(podPolicy *api.PodPolicy) *v1.PodSecurityContext {
+	if podPolicy == nil {
+		return nil
+	}
+	return podPolicy.SecurityContext
+}
+
 func NewEtcdPod(m *etcdutil.Member, initialCluster []string, clusterName, state, token string, cs api.ClusterSpec, owner metav1.OwnerReference) *v1.Pod {
 	pod := newEtcdPod(m, initialCluster, clusterName, state, token, cs)
 	applyPodPolicy(clusterName, pod, cs.Pod)