We have defined a pod template (kubernetes plugin) for the Jenkins agent pod. As part of that we have also added raw YAML for the Pod, in which we need to define fsGroup in securityContext at Pod level. A portion of the manifest is given below. The securityContext (fsGroup: 1001) is added just above the containers. However, this is not being reflected: at runtime, we checked the manifest generated by Jenkins and the securityContext is being added after the container level.

apiVersion: v1
kind: Pod
metadata:
  labels:
    jenkins/label: jenkins-jenkins-003-jenkins-agent
  name: default
  namespace: jenkins
spec:
  securityContext:
    fsGroup: 1001
  containers:
  - args:
  …
I was unable to follow your question. It would be best to show an actual, self-contained, minimal Pipeline script including pod template YAML, show the resulting Pod YAML, and explain what you think is wrong with the result. Also be sure to indicate whether you are using the restrictedPssSecurityContext flag in the cloud, as in "Apply restricted PSS to all containers when enabled" (jenkinsci/kubernetes-plugin Pull Request #1571 by Vlatombe on GitHub) and linked PRs.
We have defined a PVC in the Pod Template that we want to mount at the EFS path /opt/mount. We want to give Jenkins (uid 1001) file write permission on this path, so we have added securityContext: fsGroup: 1001 at the same level as, and above, containers. But Jenkins is still getting a permission issue. In the Job console, below is the agent pod manifest auto-generated by Jenkins. There I can see securityContext: fsGroup: 1001 is getting added after containers.
The manifest below is generated by Jenkins during Job execution.
Agent default-xtz3z is provisioned from template default
"
apiVersion: "v1"
kind: "Pod"
metadata:
  labels:
    jenkins/jenkins-jenkins-003-jenkins-agent: "true"
    jenkins/label: "jenkins-jenkins-003-jenkins-agent"
    jenkins/label-digest: ""
    kubernetes.jenkins.io/controller: ""
  name: "default-xtz3z"
  namespace: "jenkins"
spec:
  containers:
  - args:
    - "********"
    - "default-xtz3z"
    env:
    - name: "JENKINS_SECRET"
      value: "********"
    - name: "JENKINS_TUNNEL"
      value: ******************
    - name: "JENKINS_AGENT_NAME"
      value: "default-xtz3z"
    - name: "REMOTING_OPTS"
      value: "-noReconnectAfter 1d"
    - name: "JENKINS_NAME"
      value: "default-xtz3z"
    - name: "JENKINS_AGENT_WORKDIR"
      value: "/home/jenkins/agent"
    - name: "JENKINS_URL"
      value: ************************
    image:
    imagePullPolicy: "IfNotPresent"
    name: "jnlp"
    resources: {}
    tty: false
    volumeMounts:
    - mountPath: "/home/jenkins/agent"
      name: "workspace-volume"
      readOnly: false
    - mountPath: "/opt/mount"
      name: "volume-0"
      readOnly: false
    workingDir: "/home/jenkins/agent"
  hostNetwork: false
  restartPolicy: "Never"
  securityContext:
    fsGroup: 1001
    runAsUser: 1001
  serviceAccountName:
  volumes:
  - name: "volume-0"
    persistentVolumeClaim:
      claimName: "jenkins-efs"
      readOnly: false
  - emptyDir:
      medium: ""
    name: "workspace-volume"
"
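A minimal scripted Pipeline of the kind the reply above asks for, added here as an example rather than taken from the thread: it puts securityContext with fsGroup at pod level in the pod template YAML and then checks from inside the agent container whether the process carries gid 1001 and whether the mounted path is actually writable. The PVC name jenkins-efs and the path /opt/mount are taken from the thread; relying on the plugin's default jnlp image and the POD_LABEL binding are assumptions.

```groovy
// Added example, not the thread's own code. spec.securityContext and
// spec.containers are sibling keys of one YAML mapping, so the order in
// which Jenkins prints them in the generated manifest carries no meaning.
podTemplate(yaml: '''
apiVersion: v1
kind: Pod
spec:
  securityContext:
    fsGroup: 1001          # supplementary gid given to every container process
    runAsUser: 1001
  containers:
  - name: jnlp             # plugin fills in the default agent image (assumption)
    volumeMounts:
    - name: volume-0
      mountPath: /opt/mount
  volumes:
  - name: volume-0
    persistentVolumeClaim:
      claimName: jenkins-efs   # PVC name from the thread
''') {
    node(POD_LABEL) {
        container('jnlp') {
            // Check inside the pod rather than trusting the manifest:
            // 1. the process must list 1001 among its groups (fsGroup applied),
            // 2. the mount must be group-owned by 1001 and group-writable,
            // 3. an actual write must succeed.
            sh '''
              set -e
              id
              stat -c 'owner=%u group=%g mode=%A' /opt/mount
              case " $(id -G) " in
                *" 1001 "*) echo "gid 1001 present in process groups" ;;
                *) echo "fsGroup 1001 not applied to the process" >&2; exit 1 ;;
              esac
              touch /opt/mount/.jenkins-write-test
              rm -f /opt/mount/.jenkins-write-test
              echo "write to /opt/mount succeeded"
            '''
        }
    }
}
```

If the process shows gid 1001 but stat still reports another group on /opt/mount, the volume driver did not apply fsGroup to the filesystem; network filesystems such as EFS generally leave ownership untouched, so the fix is on the storage side (ownership or access-point uid/gid) rather than in the pod manifest.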