Reputation: 1484
I keep seeing this error:
Events:
FirstSeen LastSeen Count From SubObjectPath Type Reason Message
--------- -------- ----- ---- ------------- -------- ------ -------
12s 2s 12 {statefulset } Warning FailedCreate create Pod pgset-0 in StatefulSet pgset failed error: pods "pgset-0" is forbidden: unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{26}: 26 is not an allowed group]
I've created a ServiceAccount named "pgset-sa", and granted it the cluster-admin role. I've been researching other ways to get this to work (including editing scc restricted), but keep getting the error from fsGroup stating it's not an allowed group. What am I missing?
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: "{{.Values.ContainerName}}"
  labels:
    name: "{{.Values.ReplicaName}}"
    app: "{{.Values.ContainerName}}"
    chart: "{{.Chart.Name}}-{{.Chart.Version}}"
  annotations:
    "helm.sh/created": {{.Release.Time.Seconds | quote }}
spec:
  selector:
    matchLabels:
      app: "{{.Values.ContainerName}}"
  serviceName: "{{.Values.ContainerName}}"
  replicas: 2
  template:
    metadata:
      labels:
        app: "{{.Values.ContainerName}}"
    spec:
      serviceAccount: "{{.Values.ContainerServiceAccount}}"
      securityContext:
        fsGroup: 26
      terminationGracePeriodSeconds: 10
      containers:
      - name: {{.Values.ContainerName}}
        image: "{{.Values.PostgresImage}}"
        ports:
        - containerPort: 5432
          name: postgres
        resources:
          requests:
            cpu: {{default "100m" .Values.Cpu}}
            memory: {{default "100M" .Values.Memory}}
        env:
        - name: PGHOST
          value: /tmp
        - name: PG_PRIMARY_USER
          value: primaryuser
        - name: PG_MODE
          value: set
        - name: PG_PRIMARY_HOST
          value: "{{.Values.PrimaryName}}"
        - name: PG_PRIMARY_PORT
          value: "5432"
        - name: PG_PRIMARY_PASSWORD
          value: "{{.Values.PrimaryPassword}}"
        - name: PG_USER
          value: testuser
        - name: PG_PASSWORD
          value: "{{.Values.UserPassword}}"
        - name: PG_DATABASE
          value: userdb
        - name: PG_ROOT_PASSWORD
          value: "{{.Values.RootPassword}}"
        volumeMounts:
        - name: pgdata
          mountPath: "/pgdata"
          readOnly: false
      volumes:
      - name: pgdata
        persistentVolumeClaim:
          claimName: {{.Values.PVCName}}
Upvotes: 3
Views: 2952
Reputation: 18111
Take a look at this document titled: Managing Security Context Constraints.
The service account associated with the statefulset must be granted a security context constraint sufficient to allow the pod (one that either allows exactly the fsGroup 26 or allows any fsGroup, in this case).
Upvotes: 2
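The answer above is easier to act on if you can check, before deploying, whether a pod's fsGroup falls inside the ranges an SCC admits. The following is an added pre-flight check that mirrors the SCC fsGroup admission rule behind the "not an allowed group" error; it is not OpenShift's own code. The namespace annotation value, the restricted-like SCC stanza and the custom SCC named pgset-scc are constructed assumptions.

```python
"""Pre-flight check mirroring the SCC fsGroup rule behind
'fsGroup: Invalid value ... is not an allowed group'. Constructed example."""
from typing import Optional

# Constructed: namespace annotation openshift.io/sa.scc.supplemental-groups,
# which OpenShift consults when an SCC says MustRunAs but lists no ranges.
NS_SUPPLEMENTAL_GROUPS = "1000000000/10000"  # "<min>/<size>"

# Constructed: fsGroup stanza shaped like the built-in "restricted" SCC.
RESTRICTED_LIKE = {"fsGroup": {"type": "MustRunAs"}}

# Constructed: a custom SCC that admits exactly fsGroup 26 (the postgres GID).
PGSET_SCC = {
    "apiVersion": "security.openshift.io/v1",
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "pgset-scc"},  # hypothetical SCC name
    "fsGroup": {"type": "MustRunAs", "ranges": [{"min": 26, "max": 26}]},
}

def _ranges_from_annotation(annotation: str):
    """Turn '<min>/<size>' into one inclusive (min, max) range."""
    start, size = (int(x) for x in annotation.split("/"))
    return [(start, start + size - 1)]

def allowed_fsgroup_ranges(scc: dict, ns_annotation: Optional[str] = None):
    """Return the (min, max) ranges the SCC admits, or None for RunAsAny."""
    strategy = scc["fsGroup"]
    if strategy["type"] == "RunAsAny":
        return None
    if strategy.get("ranges"):
        return [(r["min"], r["max"]) for r in strategy["ranges"]]
    if ns_annotation:
        return _ranges_from_annotation(ns_annotation)
    return []  # MustRunAs with no ranges and no annotation admits nothing

def fsgroup_allowed(scc: dict, fsgroup: int,
                    ns_annotation: Optional[str] = None) -> bool:
    """True if the pod's securityContext.fsGroup passes this SCC's check."""
    ranges = allowed_fsgroup_ranges(scc, ns_annotation)
    if ranges is None:
        return True
    return any(lo <= fsgroup <= hi for lo, hi in ranges)

if __name__ == "__main__":
    for name, scc in (("restricted-like", RESTRICTED_LIKE), ("pgset-scc", PGSET_SCC)):
        ok = fsgroup_allowed(scc, 26, NS_SUPPLEMENTAL_GROUPS)
        print(f"{name}: fsGroup 26 is {'allowed' if ok else 'not an allowed group'}")
    # Once pgset-scc exists, grant it to the service account from the question:
    #   oc adm policy add-scc-to-user pgset-scc -z pgset-sa
```

Granting cluster-admin to the service account does not change the outcome, because RBAC and SCC admission are evaluated separately; only an SCC whose fsGroup strategy admits 26 (or RunAsAny) lets pgset-0 schedule.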