Fix: Use fsGroupChangePolicy to prevent recursive perm changes (#592)

* Fix: Use `fsGroupChangePolicy` to prevent recursive perm changes

See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods for more information

Refs: https://github.com/rstudio/package-manager/issues/14547

* Update helm-docs and README.md

* NEWS: Add line item for the `fsGroupChangePolicy` change

---------

Co-authored-by: GitHub Actions <[email protected]>

charts/rstudio-pm/Chart.yaml

@@ -1,6 +1,6 @@
 name: rstudio-pm
 description: Official Helm chart for Posit Package Manager
-version: 0.5.38
+version: 0.5.39
 apiVersion: v2
 appVersion: 2024.08.2
 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png

charts/rstudio-pm/NEWS.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 0.5.39
+
+- Add the `fsGroupChangePolicy: "OnRootMismatch"` default option to the pod's `securityContext`. This will only ensure
+  permissions and ownership change only if the permission and the ownership of root directory does not match with
+  expected permissions of the volume.
+
 ## 0.5.38
 
 - Move the values files for linting and installation testing outside the chart directory so that we can iterate on them without releasing a new version of the chart

charts/rstudio-pm/README.md

@@ -1,6 +1,6 @@
 # Posit Package Manager
 
-![Version: 0.5.38](https://img.shields.io/badge/Version-0.5.38-informational?style=flat-square) ![AppVersion: 2024.08.2](https://img.shields.io/badge/AppVersion-2024.08.2-informational?style=flat-square)
+![Version: 0.5.39](https://img.shields.io/badge/Version-0.5.39-informational?style=flat-square) ![AppVersion: 2024.08.2](https://img.shields.io/badge/AppVersion-2024.08.2-informational?style=flat-square)
 
 #### _Official Helm chart for Posit Package Manager_
 
@@ -24,11 +24,11 @@ To ensure a stable production deployment:
 
 ## Installing the chart
 
-To install the chart with the release name `my-release` at version 0.5.38:
+To install the chart with the release name `my-release` at version 0.5.39:
 
 ```{.bash}
 helm repo add rstudio https://helm.rstudio.com
-helm upgrade --install my-release rstudio/rstudio-pm --version=0.5.38
+helm upgrade --install my-release rstudio/rstudio-pm --version=0.5.39
 ```
 
 To explore other chart versions, look at:
@@ -234,7 +234,7 @@ The Helm `config` values are converted into the `rstudio-pm.gcfg` service config
 | pod.env | list | `[]` | env is an array of maps that is injected as-is into the "env:" component of the pod.container spec |
 | pod.labels | object | `{}` | Additional labels to add to the rstudio-pm pods |
 | pod.lifecycle | object | `{}` | Container [lifecycle hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/) |
-| pod.securityContext | object | `{"fsGroup":999}` | the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the pod |
+| pod.securityContext | object | `{"fsGroup":999,"fsGroupChangePolicy":"OnRootMismatch"}` | the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the pod |
 | pod.serviceAccountName | string | `""` | Deprecated, use `serviceAccount.name` instead |
 | pod.terminationGracePeriodSeconds | int | `120` | The termination grace period seconds allowed for the pod before shutdown |
 | pod.volumeMounts | list | `[]` | volumeMounts is an array of maps that is injected as-is into the "volumeMounts" component of the pod spec |

charts/rstudio-pm/values.yaml

@@ -127,6 +127,7 @@ pod:
   # -- the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the pod
   securityContext:
     fsGroup: 999
+    fsGroupChangePolicy: "OnRootMismatch"
   # -- the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the main Package Manager container. Evaluated as a template.
   containerSecurityContext:
     runAsUser: 999