allow fsGroup values greater than zero (#1822)

change the policy require-non-root-groups to allow fsGroup values greater than zero Signed-off-by: Metzger, Simon <smnmtzgr@gmail.com>
kyverno · Apr 21, 2021 · 6e76fd6 · 6e76fd6
1 parent b5fd235
commit 6e76fd6
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml b/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
@@ -56,10 +56,10 @@ spec:
             - Pod
       validate:
         message: >-
-          Changing of file system groups is not allowed. The field	
-          spec.securityContext.fsGroup must not be defined.
+          Changing to root group ID is disallowed. The field
+          spec.securityContext.fsGroup must be empty or greater than zero.
         pattern:
           spec:
             =(securityContext):
-              X(fsGroup): "*"
+              =(fsGroup): ">0"
 {{- end -}}