Merge pull request #1950 from hasbro17/haseeb/update-CHANGELOG-security-context

hasbro17 · web-flow · commit 7d6f95a84346 · 2018-04-12T10:53:00.000-07:00
*: update CHANGELOG and add spec example for SecurityContext
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,11 +2,14 @@
 
 ### Added
 
+- Added the field `spec.pod.securityContext` to `EtcdCluster` that allows setting a specific [PodSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the etcd pods. [#1949](https://github.com/coreos/etcd-operator/pull/1949)
+
 ### Changed
 
 - Update Go version to 1.10
 - Build `gcr.io/coreos-k8s-scale-testing/etcd-operator-builder:0.4.1-2` container
   with Go 1.10 and dep 0.4.1
+- etcd pod containers no longer run with a non-root security context by default. This setting can be configured per cluster via the PodPolicy.
 
 ### Removed
 
diff --git a/doc/user/spec_examples.md b/doc/user/spec_examples.md
@@ -83,5 +83,21 @@ spec:
       prometheus.io/port: "2379"
 ```
 
+## Custom pod security context
+
+For more information on pod security context see the Kubernetes [docs][pod-security-context].
+
+```yaml
+spec:
+  size: 3
+  pod:
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 9000
+      # The FSGroup is needed to let the etcd container access mounted volumes
+      fsGroup: 9000
+```
+
 
 [cluster-tls]: cluster_tls.md
+[pod-security-context]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
