Remove explicit fsGroup definition (#3926)

sigv · web-flow · commit ec1764bf472f · 2023-05-31T11:44:45.000-07:00
There is no use-case that is relevant for enforcing the `fsGroup`
as the default user's group. Our `nginx` user will already have
access to the volumes being created, as they are made with `g+rwx`.
diff --git a/deployments/daemon-set/nginx-ingress.yaml b/deployments/daemon-set/nginx-ingress.yaml
@@ -22,7 +22,6 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
-#        fsGroup: 101 #nginx
 #      volumes:
 #      - name: nginx-etc
 #        emptyDir: {}
diff --git a/deployments/daemon-set/nginx-plus-ingress.yaml b/deployments/daemon-set/nginx-plus-ingress.yaml
@@ -22,7 +22,6 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
-#        fsGroup: 101 #nginx
 #      volumes:
 #      - name: nginx-etc
 #        emptyDir: {}
diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml
@@ -23,7 +23,6 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
-#        fsGroup: 101 #nginx
 #      volumes:
 #      - name: nginx-etc
 #        emptyDir: {}
diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml
@@ -23,7 +23,6 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
-#        fsGroup: 101 #nginx
 #      volumes:
 #      - name: nginx-etc
 #        emptyDir: {}
diff --git a/deployments/helm-chart/templates/controller-daemonset.yaml b/deployments/helm-chart/templates/controller-daemonset.yaml
@@ -42,9 +42,6 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
-{{- if .Values.controller.readOnlyRootFilesystem }}
-        fsGroup: 101 #nginx
-{{- end }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
 {{- if .Values.controller.nodeSelector }}
       nodeSelector:
diff --git a/deployments/helm-chart/templates/controller-deployment.yaml b/deployments/helm-chart/templates/controller-deployment.yaml
@@ -80,9 +80,6 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
-{{- if .Values.controller.readOnlyRootFilesystem }}
-        fsGroup: 101 #nginx
-{{- end }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
       hostNetwork: {{ .Values.controller.hostNetwork }}
       dnsPolicy: {{ .Values.controller.dnsPolicy }}
diff --git a/docs/content/configuration/security.md b/docs/content/configuration/security.md
@@ -60,10 +60,6 @@ When using manifests instead of Helm, uncomment the following sections of the de
 Refer to the below code-block for guidance:
 
 ```
-#        fsGroup: 101 #nginx
-.
-.
-.
 #      volumes:
 #      - name: nginx-etc
 #        emptyDir: {}
