Apply correct pod security context to rebase pod for openshift

pkg/apis/build/v1alpha2/build_pod.go

@@ -61,6 +61,8 @@ const (
 	TerminationMessagePathEnvVar = "TERMINATION_MESSAGE_PATH"
 
 	PlatformEnvVarPrefix = "PLATFORM_ENV_"
+	cnbUid               = 1000
+	cnbGid               = 1000
 )
 
 type ServiceBinding interface {
@@ -667,6 +669,10 @@ func boolPointer(b bool) *bool {
 	return &b
 }
 
+func int64Pointer(i int64) *int64 {
+	return &i
+}
+
 func containerSecurityContext(config BuildPodBuilderConfig) *corev1.SecurityContext {
 	if config.OS == "windows" {
 		return nil
@@ -814,6 +820,9 @@ func (b *Build) rebasePod(buildContext BuildContext, images BuildPodImages) (*co
 			PriorityClassName:  b.PriorityClassName(),
 			SecurityContext: &corev1.PodSecurityContext{
 				RunAsNonRoot:   boolPointer(true),
+				RunAsGroup:     int64Pointer(cnbGid),
+				RunAsUser:      int64Pointer(cnbUid),
+				FSGroup:        int64Pointer(cnbGid),
 				SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
 			},
 			Volumes: volumes(

pkg/apis/build/v1alpha2/build_pod_test.go

@@ -1414,6 +1414,7 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 			})
 
 			it("creates a pod just to rebase", func() {
+				id := int64(1000)
 				pod, err := build.BuildPod(config, buildContext)
 				require.NoError(t, err)
 
@@ -1435,7 +1436,13 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 						*kmeta.NewControllerRef(build),
 					},
 				})
-
+				require.Equal(t, &corev1.PodSecurityContext{
+					RunAsUser:      &id,
+					RunAsGroup:     &id,
+					RunAsNonRoot:   boolPointer(true),
+					FSGroup:        &id,
+					SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+				}, pod.Spec.SecurityContext)
 				require.Equal(t, build.Spec.ServiceAccountName, pod.Spec.ServiceAccountName)
 				require.Equal(t, build.Spec.Tolerations, pod.Spec.Tolerations)
 				require.Equal(t, build.Spec.Affinity, pod.Spec.Affinity)