FSGroup implementation

plugin/pkg/admission/securitycontext/scdeny/admission.go

@@ -69,6 +69,10 @@ func (p *plugin) Admit(a admission.Attributes) (err error) {
 		}
 	}
 
+	if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.FSGroup != nil {
+		return apierrors.NewForbidden(a.GetResource(), pod.Name, fmt.Errorf("SecurityContext.FSGroup is forbidden"))
+	}
+
 	for _, v := range pod.Spec.Containers {
 		if v.SecurityContext != nil {
 			if v.SecurityContext.SELinuxOptions != nil {

plugin/pkg/admission/securitycontext/scdeny/admission_test.go

@@ -101,6 +101,8 @@ func TestPodSecurityContextAdmission(t *testing.T) {
 		},
 	}
 
+	fsGroup := int64(1001)
+
 	tests := []struct {
 		securityContext api.PodSecurityContext
 		errorExpected   bool
@@ -115,6 +117,12 @@ func TestPodSecurityContextAdmission(t *testing.T) {
 			},
 			errorExpected: true,
 		},
+		{
+			securityContext: api.PodSecurityContext{
+				FSGroup: &fsGroup,
+			},
+			errorExpected: true,
+		},
 	}
 	for _, test := range tests {
 		pod.Spec.SecurityContext = &test.securityContext