Allow users to set containers[*].securityContext.runAsGroup

pkg/apis/serving/fieldmask.go

@@ -609,15 +609,18 @@ func SecurityContextMask(ctx context.Context, in *corev1.SecurityContext) *corev
 	out := new(corev1.SecurityContext)
 
 	// Allowed fields
+	out.Capabilities = in.Capabilities
+	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
 	out.RunAsUser = in.RunAsUser
+	out.RunAsGroup = in.RunAsGroup
+
+	// Can only be set to 'true' - unless the PodSpecSecurityContext feature flag is enabled
 	if in.RunAsNonRoot != nil && *in.RunAsNonRoot {
 		out.RunAsNonRoot = in.RunAsNonRoot
 	}
-	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
-	out.Capabilities = in.Capabilities
 
 	if config.FromContextOrDefaults(ctx).Features.PodSpecSecurityContext != config.Disabled {
-		out.RunAsGroup = in.RunAsGroup
+		// Allow setting to false
 		out.RunAsNonRoot = in.RunAsNonRoot
 	}
 	// Disallowed

pkg/apis/serving/fieldmask_test.go

@@ -722,6 +722,7 @@ func TestSecurityContextMask(t *testing.T) {
 	want := &corev1.SecurityContext{
 		Capabilities:           &corev1.Capabilities{},
 		RunAsUser:              ptr.Int64(1),
+		RunAsGroup:             ptr.Int64(2),
 		RunAsNonRoot:           ptr.Bool(true),
 		ReadOnlyRootFilesystem: ptr.Bool(true),
 	}

pkg/apis/serving/k8s_validation_test.go

@@ -1392,10 +1392,10 @@ func TestContainerValidation(t *testing.T) {
 		c: corev1.Container{
 			Image: "foo",
 			SecurityContext: &corev1.SecurityContext{
-				RunAsGroup: ptr.Int64(10),
+				Privileged: ptr.Bool(true),
 			},
 		},
-		want: apis.ErrDisallowedFields("securityContext.runAsGroup"),
+		want: apis.ErrDisallowedFields("securityContext.privileged"),
 	}, {
 		name: "not allowed to add a security context capability",
 		c: corev1.Container{