Allow to set Supplemental Groups or fsGroup for the registry via the command line

contrib/completions/bash/oadm

@@ -4669,6 +4669,8 @@ _oadm_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -4690,6 +4692,8 @@ _oadm_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")

contrib/completions/bash/oc

@@ -4674,6 +4674,8 @@ _oc_adm_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -4695,6 +4697,8 @@ _oc_adm_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")

contrib/completions/bash/openshift

@@ -4669,6 +4669,8 @@ _openshift_admin_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -4690,6 +4692,8 @@ _openshift_admin_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")
@@ -9752,6 +9756,8 @@ _openshift_cli_adm_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -9773,6 +9779,8 @@ _openshift_cli_adm_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")

contrib/completions/zsh/oadm

@@ -4817,6 +4817,8 @@ _oadm_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -4838,6 +4840,8 @@ _oadm_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")

contrib/completions/zsh/oc

@@ -4822,6 +4822,8 @@ _oc_adm_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -4843,6 +4845,8 @@ _oc_adm_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")

contrib/completions/zsh/openshift

@@ -4817,6 +4817,8 @@ _openshift_admin_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -4838,6 +4840,8 @@ _openshift_admin_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")
@@ -9900,6 +9904,8 @@ _openshift_cli_adm_registry()
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--enforce-quota")
     local_nonpersistent_flags+=("--enforce-quota")
+    flags+=("--fs-group=")
+    local_nonpersistent_flags+=("--fs-group=")
     flags+=("--images=")
     local_nonpersistent_flags+=("--images=")
     flags+=("--labels=")
@@ -9921,6 +9927,8 @@ _openshift_cli_adm_registry()
     local_nonpersistent_flags+=("--selector=")
     flags+=("--service-account=")
     local_nonpersistent_flags+=("--service-account=")
+    flags+=("--supplemental-groups=")
+    local_nonpersistent_flags+=("--supplemental-groups=")
     flags+=("--tls-certificate=")
     local_nonpersistent_flags+=("--tls-certificate=")
     flags+=("--tls-key=")

pkg/cmd/admin/registry/registry.go

@@ -108,6 +108,11 @@ type RegistryConfig struct {
 	DaemonSet      bool
 	EnforceQuota   bool
 
+	// SupplementalGroups is list of int64, however cobra does not have appropriate func
+	// for that type list.
+	SupplementalGroups []string
+	FSGroup            string
+
 	ServingCertPath string
 	ServingKeyPath  string
 
@@ -181,6 +186,8 @@ func NewCmdRegistry(f *clientcmd.Factory, parentName, name string, out, errout i
 	cmd.Flags().StringVar(&cfg.Selector, "selector", cfg.Selector, "Selector used to filter nodes on deployment. Used to run registries on a specific set of nodes.")
 	cmd.Flags().StringVar(&cfg.ServingCertPath, "tls-certificate", cfg.ServingCertPath, "An optional path to a PEM encoded certificate (which may contain the private key) for serving over TLS")
 	cmd.Flags().StringVar(&cfg.ServingKeyPath, "tls-key", cfg.ServingKeyPath, "An optional path to a PEM encoded private key for serving over TLS")
+	cmd.Flags().StringSliceVar(&cfg.SupplementalGroups, "supplemental-groups", cfg.SupplementalGroups, "Specify supplemental groups which is an array of ID's that grants group access to registry shared storage")
+	cmd.Flags().StringVar(&cfg.FSGroup, "fs-group", "", "Specify fsGroup which is an ID that grants group access to registry block storage")
 	cmd.Flags().BoolVar(&cfg.DaemonSet, "daemonset", cfg.DaemonSet, "If true, use a daemonset instead of a deployment config.")
 	cmd.Flags().BoolVar(&cfg.EnforceQuota, "enforce-quota", cfg.EnforceQuota, "If true, the registry will refuse to write blobs if they exceed quota limits")
 
@@ -224,6 +231,23 @@ func (opts *RegistryOptions) Complete(f *clientcmd.Factory, cmd *cobra.Command,
 		opts.nodeSelector = valid
 	}
 
+	if len(opts.Config.FSGroup) > 0 {
+		if _, err := strconv.ParseInt(opts.Config.FSGroup, 10, 64); err != nil {
+			return kcmdutil.UsageError(cmd, "invalid group ID %q specified for fsGroup (%v)", opts.Config.FSGroup, err)
+		}
+	}
+
+	if len(opts.Config.SupplementalGroups) > 0 {
+		for _, v := range opts.Config.SupplementalGroups {
+			if val, err := strconv.ParseInt(v, 10, 64); err != nil || val == 0 {
+				return kcmdutil.UsageError(cmd, "invalid group ID %q specified for supplemental group (%v)", v, err)
+			}
+		}
+	}
+	if len(opts.Config.SupplementalGroups) > 0 && len(opts.Config.FSGroup) > 0 {
+		return kcmdutil.UsageError(cmd, "fsGroup and supplemental groups cannot be specified both at the same time")
+	}
+
 	var portsErr error
 	if opts.ports, portsErr = app.ContainerPortsFromString(opts.Config.Ports); portsErr != nil {
 		return portsErr
@@ -356,6 +380,7 @@ func (opts *RegistryOptions) RunCmdRegistry() error {
 				VolumeSource: kapi.VolumeSource{},
 			}),
 			ServiceAccountName: opts.Config.ServiceAccount,
+			SecurityContext:    generateSecurityContext(opts.Config),
 		},
 	}
 	if mountHost {
@@ -544,3 +569,22 @@ func generateSecretsConfig(
 
 	return secrets, volumes, mounts, extraEnv, len(defaultCrt) > 0, nil
 }
+
+func generateSecurityContext(conf *RegistryConfig) *kapi.PodSecurityContext {
+	result := &kapi.PodSecurityContext{}
+	if len(conf.SupplementalGroups) > 0 {
+		result.SupplementalGroups = []int64{}
+		for _, val := range conf.SupplementalGroups {
+			// The errors are handled by Complete()
+			if groupID, err := strconv.ParseInt(val, 10, 64); err == nil {
+				result.SupplementalGroups = append(result.SupplementalGroups, groupID)
+			}
+		}
+	}
+	if len(conf.FSGroup) > 0 {
+		if groupID, err := strconv.ParseInt(conf.FSGroup, 10, 64); err == nil {
+			result.FSGroup = &groupID
+		}
+	}
+	return result
+}