From 985e8d366f3b7af717dcf060294df9709c218b64 Mon Sep 17 00:00:00 2001
From: MinIO Bot
Date: Thu, 16 Feb 2023 17:10:51 -0500
Subject: [PATCH] Let OpenShift pick its own users, don't hardcode them
---
 .../statefulsets/minio-statefulset.go | 27 ++++++++++++++-----
 1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/pkg/resources/statefulsets/minio-statefulset.go b/pkg/resources/statefulsets/minio-statefulset.go
index 2749eb31586..207f1515e71 100644
--- a/pkg/resources/statefulsets/minio-statefulset.go
+++ b/pkg/resources/statefulsets/minio-statefulset.go
@@ -420,28 +420,41 @@ func poolSecurityContext(pool *miniov2.Pool, status *miniov2.PoolStatus) *v1.Pod
 // Builds the security context for containers in a Pool
 func poolContainerSecurityContext(pool *miniov2.Pool) *v1.SecurityContext {
+ // Default values:
+ // By default, values should be totally empty if not provided
+ // This is specially needed in OpenShift where Security Context Constraints restrict them
+ // if let empty then OCP can pick the values from the constraints defined.
+ containerSecurityContext := corev1.SecurityContext{}
 runAsNonRoot := true
 var runAsUser int64 = 1000
 var runAsGroup int64 = 1000
- // Default to Pod values
+ poolSCSet := false
+
+ // Values from pool.SecurityContext ONLY if provided
 if pool.SecurityContext != nil {
 if pool.SecurityContext.RunAsNonRoot != nil {
 runAsNonRoot = *pool.SecurityContext.RunAsNonRoot
+ poolSCSet = true
 }
 if pool.SecurityContext.RunAsUser != nil {
 runAsUser = *pool.SecurityContext.RunAsUser
+ poolSCSet = true
 }
 if pool.SecurityContext.RunAsGroup != nil {
 runAsGroup = *pool.SecurityContext.RunAsGroup
+ poolSCSet = true
+ }
+ if poolSCSet {
+ // Only set values if one of above is set otherwise let it empty
+ containerSecurityContext = corev1.SecurityContext{
+ RunAsNonRoot: &runAsNonRoot,
+ RunAsUser: &runAsUser,
+ RunAsGroup: &runAsGroup,
+ }
 }
 }
- containerSecurityContext := corev1.SecurityContext{
- RunAsNonRoot: &runAsNonRoot,
- RunAsUser: &runAsUser,
- RunAsGroup: &runAsGroup,
- }
-
+ // Values from pool.ContainerSecurityContext if provided
 if pool != nil && pool.ContainerSecurityContext != nil {
 containerSecurityContext = *pool.ContainerSecurityContext
 }
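Review bot: The new `if poolSCSet` block still hardcodes whatever the pool did not set — when `pool.SecurityContext` provides only `RunAsNonRoot`, the container context is emitted with `RunAsUser: 1000` and `RunAsGroup: 1000` from the defaults above, which is the value the commit title says to stop forcing, and on OpenShift a UID outside the namespace's SCC-allocated range makes the pod fail admission. Copying only the non-nil fields removes the `poolSCSet` flag and the three `true`/`1000` defaults, so an unset field stays empty for the SCC to fill, and the `*bool`/`*int64` types already dereferenced here match `v1.SecurityContext`'s fields. The trade-off the hunk already makes deserves a sentence in its comment block: on clusters without SCC or Pod Security defaulting an empty context runs the container as the image's USER, so the non-root guarantee now rests on `poolSecurityContext` (pod level, outside this hunk) or on the image, e.g. `// NOTE: without SCC/PSA defaulting, an empty context runs as the image USER`. `poolContainerSecurityContext` ends outside the hunk, and `pool` is dereferenced at the top before the `pool != nil` check at the bottom — pre-existing, but the new code keeps it.
```go
func poolContainerSecurityContext(pool *miniov2.Pool) *v1.SecurityContext {
	// Leave every field empty unless the pool sets it explicitly, so that
	// OpenShift's Security Context Constraints can assign the missing ones.
	containerSecurityContext := corev1.SecurityContext{}
	if pool.SecurityContext != nil {
		// Same *bool / *int64 types on both sides: a nil stays nil and a
		// value the user set is carried over unchanged.
		containerSecurityContext.RunAsNonRoot = pool.SecurityContext.RunAsNonRoot
		containerSecurityContext.RunAsUser = pool.SecurityContext.RunAsUser
		containerSecurityContext.RunAsGroup = pool.SecurityContext.RunAsGroup
	}
	// … unchanged: pool.ContainerSecurityContext override and return …
```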