I just deployed a small charm with fsGroup set and, via some debugging, confirmed that the values are present in the StatefulSet's Spec.Template when the StatefulSet create API is called.
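We’ll have to investigate why aspects of the Spec.Template are not being applied as requested. In the trimmed spec below, fsGroup sits in the pod-level securityContext at the end, which is separate from the container-level securityContext inside the containers entry.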
{
...
"containers": [
{
"name": "mariadb-k8s",
"image": "mariadb",
"ports": [
{
"containerPort": 3306,
"protocol": "TCP"
}
],
"env": [
{
"name": "MYSQL_DATABASE",
"value": "database"
},
{
"name": "MYSQL_PASSWORD",
"value": "password"
},
{
"name": "MYSQL_ROOT_PASSWORD",
"value": "root"
},
{
"name": "MYSQL_USER",
"value": "admin"
},
{
"name": "NODE_NAME",
"valueFrom": {
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "spec.nodeName"
}
}
}
],
"resources": {},
"volumeMounts": [
{
"name": "juju-data-dir",
"mountPath": "/var/lib/juju"
},
{
"name": "juju-data-dir",
"mountPath": "/usr/bin/juju-run",
"subPath": "tools/jujud"
},
{
"name": "mariadb-k8s-configurations-config",
"mountPath": "/etc/mysql/conf.d"
}
],
"securityContext": {
"runAsNonRoot": false,
"readOnlyRootFilesystem": false,
"allowPrivilegeEscalation": true
}
}
],
"serviceAccountName": "mariadb-k8s",
"automountServiceAccountToken": true,
"securityContext": {
"fsGroup": 2
}
}