Epic Goal*

What is our purpose in implementing this?  What new capability will be available to customers?

pod.spec.securityContext.fsGroupChangePolicy is set to "always" by default today and this can make pod containing lot of files slow to start or even timeout.

An OnRootMismatch option has been added which tells kubelet to skip recursive chmod if the top level directory matches what has been defined in the resource definition.

However this new option needs to be explicitely set in the pod's definition and not all users think about it leading to fallback to the "always"

The goal of this epic is to provide a way to set fsGroupChangePolicy default value per namespace so that admins can define an appropriate default depending on the namespace.

 
Why is this important? (mandatory)

What are the benefits to the customer or Red Hat?   Does it improve security, performance, supportability, etc?  Why is work a priority?

fsGroupChangePolicy always is known to be problematic, customers needs a way to set OnRootMismatch per namespace in order to avoid relying on user's to set it in their definitions.

 
Scenarios (mandatory) 

Provide details for user scenarios including actions to be performed, platform specifications, and user personas.  

1. As an OCP admin I want to be able to define fsGroupChangePolicy on a per namespace basis.
2. Global default remains the same (always)

 
Dependencies (internal and external) (mandatory)

What items must be delivered by other teams/groups to enable delivery of this epic. 

Contributing Teams(and contacts) (mandatory) 

Our expectation is that teams would modify the list below to fit the epic. Some epics may not need all the default groups but what is included here should accurately reflect who will be involved in delivering the epic.

• Development - 
• Documentation -
• QE - 
• PX - 
• Others -

Acceptance Criteria (optional)

Provide some (testable) examples of how we will know if we have achieved the epic goal.  

Drawbacks or Risk (optional)

Reasons we should consider NOT doing this such as: limited audience for the feature, feature will be superseded by other work that is planned, resulting feature will introduce substantial administrative complexity or user confusion, etc.

Done - Checklist (mandatory)

The following points apply to all epics and are what the OpenShift team believes are the minimum set of criteria that epics should meet for us to consider them potentially shippable. We request that epic owners modify this list to reflect the work to be completed in order to produce something that is potentially shippable.

• CI Testing -  Basic e2e automationTests are merged and completing successfully
• Documentation - Content development is complete.
• QE - Test scenarios are written and executed successfully.
• Technical Enablement - Slides are complete (if requested by PLM)
• Engineering Stories Merged
• All associated work items with the Epic are closed
• Epic status should be “Release Pending”