From 6e76fd68f0378fc9c1708bd494770e6f22985886 Mon Sep 17 00:00:00 2001
From: Simon Metzger
Date: Wed, 21 Apr 2021 21:12:26 +0200
Subject: [PATCH] allow fsGroup values greater than zero (#1822)
change the policy require-non-root-groups to allow fsGroup values greater than zero
Signed-off-by: Metzger, Simon
---
 .../policies/restricted/require-non-root-groups.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml b/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
index 40e5d56ffbc1..4b950c3a4b07 100644
--- a/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
+++ b/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
@@ -56,10 +56,10 @@ spec:
 - Pod
 validate:
 message: >-
- Changing of file system groups is not allowed. The field
- spec.securityContext.fsGroup must not be defined.
+ Changing to root group ID is disallowed. The field
+ spec.securityContext.fsGroup must be empty or greater than zero.
 pattern:
 spec:
 =(securityContext):
- X(fsGroup): "*"
+ =(fsGroup): ">0"
 {{- end -}}
\ No newline at end of file
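Review bot: Nothing in the rule records that `=(fsGroup): ">0"` now admits every non-zero GID, which is broader than the policy name suggests: fsGroup is the group the kubelet applies to the pod's volumes and adds to the containers' supplemental groups, so a non-zero value can still be a group that owns sensitive data on a shared volume. A comment above the pattern would make the intent reviewable, for example `# fsGroup may be unset or any non-zero GID; only 0 (root group) is rejected`, and clusters that need a tighter bound can then see where to narrow it. The message would also read more precisely as `spec.securityContext.fsGroup must be unset or greater than zero.`, since the `=()` anchor checks the value only when the field is present rather than testing for an empty value. The rest of the policy, including its description annotation, is outside the hunk, so whether that text still says fsGroup must not be defined should be checked.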