fix(pvc): set fsGroup to ensure mounts writable

[ebaron]

This sets a SecurityContext for the Cryostat Pod, where fsGroup is set to 0. This means that the files and directories in the mounted persistent volume are owned and writable by the root group, which the Cryostat container is always executing as [1].

With this fix applied on the problematic cluster:

$ ls -l /opt/cryostat.d/
total 192
drwxrwsr-x. 2 root  root   4096 Aug 31 21:26 clientlib.d
drwxrwsr-x. 4 root  root   4096 Aug 31 21:26 conf.d
drwxrwsr-x. 2 root  root   4096 Aug 31 21:26 recordings.d
drwxrwsr-x. 2 root  root   4096 Aug 31 21:26 templates.d
-rwxrwxr-x. 1 root  root    472 Jul  9 19:52 truststore-setup.sh
-rw-rw-r--. 1 jboss root 170412 Aug 31 21:26 truststore.p12
-rw-rw-r--. 1 jboss root     33 Jul  9 19:53 truststore.pass

Fixes #243

[1] https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#podsecuritycontext-v1-core

[ebaron]

@andrewazores Sorry for the change. I was thinking about it, and using something arbitrary instead of 0 should be a little more secure. I picked 18500, based off of the jboss UID. All containers have GID 0. If this PV is in use by more than one pod, then those containers would have read/write access based on their shared GID. By setting it to 18500, those pods would also need to belong to GID 18500 to access the volume. I'm not certain, but at best it's more secure, at worst it should be no less secure than using 0.

[andrewazores]

Makes sense.

[andrewazores]

Could there be any situation where an end user might need to deploy with some other GID?

[ebaron]

Only if to avoid a conflict they want to avoid with GIDs of other pods I think. It seems fairly unlikely to me, unless there's something I'm not thinking of. The fsGroup property adds the group as a supplemental GID for the container user, it's still part of the root group as well. The fsGroup GID is only used when setting ownership of mounted volumes. The main reason we need any fsGroup is to cause Kubernetes to add the group-writable permission.