helm-charts

`fsGroupChangePolicy: "OnRootMismatch"` is not set

Open dee-kryvenko opened this issue 1 year ago • 3 comments

Describe the bug

This Helm chart is setting `fsGroup`. When `fsGroup` is used, most of the time, unless there are reasons not to, `fsGroupChangePolicy: "OnRootMismatch"` must be set. This is especially relevant for Jenkins with its CPS/survivability implementation. My Jenkins instance has 31 million XML files. Attaching a volume takes 15+ minutes, and that's on a super performant NVMe SSD-based volume. It could probably take an hour on a regular EBS or something like that.

Version of Helm and Kubernetes

- Helm: 
- Kubernetes:

Chart version

irrelevant

What happened?

1.
2.
3.
...

What you expected to happen?

No response

How to reproduce it

No response

Anything else we need to know?

No response

dee-kryvenko, Dec 14 '23 03:12

Did you want to send a pull request?

timja, Dec 14 '23 08:12

As far as I can see podSecurityContextOverride should make it:

  podSecurityContextOverride:
    runAsUser: 1000
    fsGroup: 1000
    fsGroupChangePolicy: "OnRootMismatch"
    runAsNonRoot: true
    supplementalGroups: [1000]

mohanisch-sixt, Dec 21 '23 23:12

Yes, I can send a PR when I get a minute. @mohanisch-sixt I am currently using `podSecurityContextOverride` as a workaround, however:

  1. The chart is setting `fsGroup` by default with no user input, which, without `fsGroupChangePolicy` to go with it, results in non-optimal settings. For an inexperienced user, it may not be evident what the problem is and why it takes 15+ minutes to start Jenkins.
  2. podSecurityContextOverride currently requires me to set a bunch of other options that I would like to leave default. If this chart tomorrow decides to change runAsUser, I should not be required to inspect every commit line by line on the off chance my override needs to change as well.

dee-kryvenko, Dec 22 '23 00:12
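
An added example, not part of the thread or of the chart's code: a small audit that lists workloads whose pod `securityContext` sets `fsGroup` without `fsGroupChangePolicy: "OnRootMismatch"`, the combination described in this issue. It assumes JSON input in the shape `kubectl get ... -o json` produces; the function names and the sample objects are constructed for illustration.

```python
import json

# Path from the object root to the pod spec, per workload kind.
TEMPLATE = ("spec", "template", "spec")
POD_SPEC_PATHS = {
    "Pod": ("spec",), "Deployment": TEMPLATE, "StatefulSet": TEMPLATE,
    "DaemonSet": TEMPLATE, "ReplicaSet": TEMPLATE, "Job": TEMPLATE,
    "CronJob": ("spec", "jobTemplate") + TEMPLATE,
}

def pod_spec(obj):
    """Return the pod spec dict of a workload object, or None."""
    node = obj
    for key in POD_SPEC_PATHS.get(obj.get("kind"), ()):
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) and node is not obj else None

def audit(manifest_json):
    """Return (kind, name, fsGroup, effective policy) for every workload that
    sets fsGroup without fsGroupChangePolicy: OnRootMismatch."""
    doc = json.loads(manifest_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in items:
        ctx = (pod_spec(obj) or {}).get("securityContext") or {}
        if "fsGroup" not in ctx:
            continue  # no ownership change on mount is requested
        # When the field is omitted, Kubernetes applies "Always".
        policy = ctx.get("fsGroupChangePolicy", "Always")
        if policy != "OnRootMismatch":
            findings.append((obj["kind"], obj["metadata"]["name"], ctx["fsGroup"], policy))
    return findings

def _workload(kind, name, ctx):
    """Build a constructed sample object with ctx as its pod securityContext."""
    obj = {"kind": kind, "metadata": {"name": name}}
    node = obj
    for key in POD_SPEC_PATHS[kind]:
        node[key] = {}
        node = node[key]
    node["securityContext"] = ctx
    return obj

# Constructed sample input; names and values are illustrative only.
SAMPLE = json.dumps({"kind": "List", "items": [
    _workload("StatefulSet", "jenkins", {"runAsUser": 1000, "fsGroup": 1000}),
    _workload("Deployment", "agent-cache", {"fsGroup": 1000, "fsGroupChangePolicy": "OnRootMismatch"}),
    _workload("CronJob", "backup", {"fsGroup": 2000, "fsGroupChangePolicy": "Always"}),
    {"kind": "Service", "metadata": {"name": "jenkins"}, "spec": {}},
]})

if __name__ == "__main__":
    for kind, name, group, policy in audit(SAMPLE):
        print(f"{kind}/{name}: fsGroup={group}, fsGroupChangePolicy={policy}")
```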