terraform-provider-kubernetes
Fix 1324: Add fs_group_change_policy for the pod security_context
Description
Update the pod specification to allow the usage of the security_context option fsGroupChangePolicy.
This option is available in version 1.20.0+ of Kubernetes prevents pods from starting if they mount volumes with a high amount of files.
Acceptance tests
- [x] Have you added an acceptance test for the functionality being added?
- [x] Have you run the acceptance tests on this branch?
Output from acceptance testing:
```
KUBE_CONFIG_PATH='~/.kube/config' make testacc TESTARGS='-run=TestAccKubernetesPod_with_pod_security_context_fs_group_change_policy'
==> Checking that code complies with gofmt requirements...
go vet .
rm -rf /home/<username>/dev/repo/misc/terraform-provider-kubernetes/kubernetes/test-infra/external-providers/.terraform /home/<username>/dev/repo/misc/terraform-provider-kubernetes/kubernetes/test-infra/external-providers/.terraform.lock.hcl || true
mkdir /home/<username>/dev/repo/misc/terraform-provider-kubernetes/kubernetes/test-infra/external-providers/.terraform
mkdir -p /tmp/.terraform.d/localhost/test/kubernetes/9.9.9/linux_amd64 || true
ls /tmp/.terraform.d/localhost/test/kubernetes/9.9.9/linux_amd64/terraform-provider-kubernetes_9.9.9_linux_amd64 || go build -o /tmp/.terraform.d/localhost/test/kubernetes/9.9.9/linux_amd64/terraform-provider-kubernetes_9.9.9_linux_amd64
/tmp/.terraform.d/localhost/test/kubernetes/9.9.9/linux_amd64/terraform-provider-kubernetes_9.9.9_linux_amd64
cd /home/<username>/dev/repo/misc/terraform-provider-kubernetes/kubernetes/test-infra/external-providers && TF_CLI_CONFIG_FILE=/home/<username>/dev/repo/misc/terraform-provider-kubernetes/kubernetes/test-infra/external-providers/.terraformrc TF_PLUGIN_CACHE_DIR=/home/<username>/dev/repo/misc/terraform-provider-kubernetes/kubernetes/test-infra/external-providers/.terraform terraform init -upgrade

Initializing the backend...

Initializing provider plugins...
- Finding localhost/test/kubernetes versions matching "9.9.9"...
- Installing localhost/test/kubernetes v9.9.9...
- Installed localhost/test/kubernetes v9.9.9 (unauthenticated)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
TF_CLI_CONFIG_FILE=/home/<username>/dev/repo/misc/terraform-provider-kubernetes/kubernetes/test-infra/external-providers/.terraformrc TF_PLUGIN_CACHE_DIR=/home/<username>/dev/repo/misc/terraform-provider-kubernetes/kubernetes/test-infra/external-providers/.terraform TF_ACC=1 go test "/home/<username>/dev/repo/misc/terraform-provider-kubernetes/kubernetes" -v -run=TestAccKubernetesPod_with_pod_security_context_fs_group_change_policy -timeout 120m
=== RUN TestAccKubernetesPod_with_pod_security_context_fs_group_change_policy
--- PASS: TestAccKubernetesPod_with_pod_security_context_fs_group_change_policy (22.95s)
PASS
ok github.com/hashicorp/terraform-provider-kubernetes/kubernetes 23.010s
```
Release Note
Release note for CHANGELOG:
Add `fs_group_change_policy` for pod `security_context`
References
resolves #1324
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
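An added usage example, not part of this pull request or the provider's own code: a `kubernetes_pod` that sets `fs_group_change_policy` next to `fs_group` in the pod-level `security_context`. The resource name, image, and claim name are placeholders; the two accepted values, `Always` and `OnRootMismatch`, are the ones Kubernetes defines for `fsGroupChangePolicy`.

```hcl
# Added illustration; names, image and PVC below are placeholders.
resource "kubernetes_pod" "example" {
  metadata {
    name = "fs-group-policy-example"
  }

  spec {
    security_context {
      run_as_user     = "1000"
      run_as_non_root = true

      # Volumes that support ownership management are made group-owned
      # by this GID when they are mounted into the pod.
      fs_group = "2000"

      # "Always"         - recursively change ownership and permissions
      #                    on every mount (the Kubernetes default).
      # "OnRootMismatch" - only do the recursive change when the volume's
      #                    root directory does not already match fs_group,
      #                    which avoids a long walk over large volumes.
      fs_group_change_policy = "OnRootMismatch"
    }

    container {
      name  = "app"
      image = "registry.example.com/app:1.0" # placeholder image

      volume_mount {
        name       = "data"
        mount_path = "/data"
      }
    }

    volume {
      name = "data"

      persistent_volume_claim {
        claim_name = "data-pvc" # placeholder claim
      }
    }
  }
}
```

With `OnRootMismatch`, files deeper in the volume whose ownership has drifted are not corrected as long as the root directory still matches, so anything relying on `fs_group` for access control should check that content written by other means carries the expected group.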
The new option is only available in version 1.20.0 of k8s. What is the preferred way to handle that in the provider? I did not see anything related to that (yet). I think there are tests that are only run when the version accepts the option; would it be something that is required to add here?
Any way to get a reviewer on this?
Hi @GDegrove,
Thank you for your contribution. I am going to review your changes. In the meantime, could you please update related provider documentation in website/docs?
Thanks!
Can you please rebase your branch to address conflicts and catch up with all the latest changes?
Thank you.
Merged in #1892
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.