From 423df6618d1f5484ea428dcd32371e67bb4c49d4 Mon Sep 17 00:00:00 2001
From: Shane McDonald
Date: Wed, 10 Jun 2020 13:35:41 -0400
Subject: [PATCH] Force containers in k8s to run under root group

Normally containers belong to the 'root' group, but for some reason the downstream red hat scl redis image only belongs to the 'redis' group by default. This fixes that.
---
 installer/roles/kubernetes/templates/configmap.yml.j2 | 2 +-
 installer/roles/kubernetes/templates/deployment.yml.j2 | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/installer/roles/kubernetes/templates/configmap.yml.j2 b/installer/roles/kubernetes/templates/configmap.yml.j2
index c657fa9df7..b7553811c1 100644
--- a/installer/roles/kubernetes/templates/configmap.yml.j2
+++ b/installer/roles/kubernetes/templates/configmap.yml.j2
@@ -202,6 +202,6 @@ data:
 {{ kubernetes_deployment_name }}_redis_conf: |
 unixsocket /var/run/redis/redis.sock
- unixsocketperm 777
+ unixsocketperm 660
 port 0
 bind 127.0.0.1
diff --git a/installer/roles/kubernetes/templates/deployment.yml.j2 b/installer/roles/kubernetes/templates/deployment.yml.j2
index 22ce12153a..1f2d2c213d 100644
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
@@ -40,6 +40,8 @@ spec:
 app: {{ kubernetes_deployment_name }}
 spec:
 serviceAccountName: awx
+ securityContext:
+ fsGroup: 0
 terminationGracePeriodSeconds: 10
 {% if custom_venvs is defined %}
 {% set trusted_hosts = "" %}
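Review bot: In configmap.yml.j2, `unixsocketperm 660` only works while every client of /var/run/redis/redis.sock shares the socket's owner or group, and nothing in the redis config records where that guarantee comes from. It appears to depend on the `fsGroup: 0` this same patch adds to deployment.yml.j2. If that setting is later dropped, or the socket directory sits on a volume that ignores fsGroup (the volume definition is outside the hunk), clients would get permission denied at connect time. A comment line above the directive would record the coupling, for example `# 660: clients reach the socket via the pod-level fsGroup set in deployment.yml.j2`.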
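Review bot: The `fsGroup: 0` added under the pod `spec` in deployment.yml.j2 is pod-wide: every container gets GID 0 as a supplementary group and the kubelet re-owns fsGroup-capable volumes to the root group, which is broader than the redis image fix the commit message describes. Clusters whose admission policy restricts the fsGroup range to exclude 0 would presumably reject this pod, so it is worth confirming the supported targets or making the value overridable. At minimum, a comment such as `# fsGroup 0: the redis image runs only in group 'redis'; the 660 redis socket needs a group shared by all containers` would record why the root group is requested. The pod spec continues outside the hunk, so the volumes and any per-container securityContext are not visible here.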