
Commit 5cf4a4b

kabicin authored and committed
Add PodSecurityContext fields to user-guide-v1
1 parent d76d650 commit 5cf4a4b

1 file changed, +5 -1 lines changed


doc/user-guide-v1.adoc

Lines changed: 5 additions & 1 deletion
@@ -106,11 +106,13 @@ Each `RuntimeComponent` CR must at least specify the `.spec.applicationImage` fi
106106
| `route.path` | Path to be used for the `Route`.
107107
| `route.pathType` | Path type to be used. Required field for Ingress. See link:++https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types++[Ingress path types].
108108
| `route.termination` | TLS termination policy. Can be one of `edge`, `reencrypt` and `passthrough`.
109-
| `securityContext` | A security context to control privilege and permission settings for the application container. For examples, see link:++https://github.com/OpenLiberty/open-liberty-operator/blob/main/doc/user-guide-v1.adoc#set-privileges-and-permissions-for-a-pod-or-container++[Set privileges and permissions for a pod or container]. If set, the fields of `SecurityContext` override the equivalent fields of `PodSecurityContext`. For examples, see link:++https://kubernetes.io/docs/tasks/configure-pod-container/security-context/++[Configure a Security Context for a Pod or Container].
109+
| `securityContext` | A security context to control privilege and permission settings for the application pod and container. For examples, see link:++https://github.com/OpenLiberty/open-liberty-operator/blob/main/doc/user-guide-v1.adoc#set-privileges-and-permissions-for-a-pod-or-container++[Set privileges and permissions for a pod or container]. If set, the fields of `SecurityContext` override the equivalent fields of `PodSecurityContext`. For examples, see link:++https://kubernetes.io/docs/tasks/configure-pod-container/security-context/++[Configure a Security Context for a Pod or Container].
110110
| `securityContext.allowPrivilegeEscalation` | A Boolean that controls whether a process can gain more privileges than its parent process. This Boolean controls whether the `no_new_privs` flag is set on the container process. `AllowPrivilegeEscalation` is `true` always when the container is run as `Privileged` and has `CAP_SYS_ADMIN`.
111111
| `securityContext.capabilities` | The capabilities to add or drop when containers are run. Defaults to the default set of capabilities that the container runtime grants.
112112
| `securityContext.capabilities.add` | An array of added capabilities of POSIX capabilities type.
113113
| `securityContext.capabilities.drop` | An array of removed capabilities of POSIX capabilities type.
114+
| `securityContext.fsGroup` | A supplemental group that applies to all containers in a pod. For some volume types, the Kubelet may change ownership of that volume to be owned by the pod. In this case, the owning GID will be set to the FSGroup, the setgid bit is set so that new files created in the volume will be owned by FSGroup, and the permission bits are OR'd with `rw-rw----`. If unset, the Kubelet will not modify the ownership and permissions of any volume.
115+
| `securityContext.fsGroupChangePolicy` | For volume types supporting fsGroup, this field defines when ownership and permission of the volume should be modified before being exposed inside the Pod. The field has no effect on ephemeral volumes such as Secret, ConfigMaps and EmptyDir. Valid values are `OnRootMismatch` and `Always`.
114116
| `securityContext.privileged` | A Boolean to specify whether to run a container in privileged mode. Processes in privileged containers are equivalent to root on the host. The default is `false`.
115117
| `securityContext.procMount` | The type of proc mount to use for the containers. The default is `DefaultProcMount`, which uses the container runtime defaults for read-only paths and masked paths. To use `procMount`, the `ProcMountType` feature flag must be enabled.
116118
| `securityContext.readOnlyRootFilesystem` | A Boolean to specify whether this container has a read-only root file system. The default is `false`.
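Review bot: The two new rows (`securityContext.fsGroup`, `securityContext.fsGroupChangePolicy`) are pod-scoped settings (the `fsGroup` text itself says it "applies to all containers in a pod", and the commit message calls them PodSecurityContext fields), yet the updated `securityContext` row still states that "the fields of `SecurityContext` override the equivalent fields of `PodSecurityContext`", which has no meaning for fields that exist only at pod level. Consider marking in each new row that it applies to the pod rather than the container, or adding one sentence to the `securityContext` row saying the table mixes pod-level and container-level fields and which sentence applies to which. Minor: the `securityContext` row now repeats "For examples, see ..." twice in one description; the second could become "See also ...".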
@@ -121,6 +123,8 @@ Each `RuntimeComponent` CR must at least specify the `.spec.applicationImage` fi
121123
| `securityContext.seccompProfile` | The `seccomp` options to use by this container. If `seccomp` options are set at both the pod and container level, the container options override the pod options.
122124
| `securityContext.seccompProfile.localhostProfile` | A profile that is defined in a file on the node. The profile must be preconfigured on the node to work. Specify a descending path, relative to the kubelet configured `seccomp` profile location. Only set `localhostProfile` if `type` is `Localhost`.
123125
| `securityContext.seccompProfile.type` | (Required) The kind of `seccomp` profile to use. Valid options are `Localhost` (use a profile that is defined in a file on the node), `RuntimeDefault` (use the container runtime default profile), and `Unconfined` (use no profile).
126+
| `securityContext.supplementalGroups` | A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container.
127+
| `securityContext.sysctls` | A list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.
124128
| `securityContext.windowsOptions` | The Windows specific settings to apply to all containers. If unset, the options from the `PodSecurityContext` are used. If set in both `SecurityContext` and `PodSecurityContext`, the `SecurityContext` value takes precedence. The `windowsOptions` properties include `gmsaCredentialSpec`, `gmsaCredentialSpecName`, `hostProcess`, and `runAsUserName`.
125129
| `service` | Configures parameters for the network service of pods. For an example, see link:++https://github.com/OpenLiberty/open-liberty-operator/blob/main/doc/user-guide-v1.adoc#specify-multiple-service-ports++[Specify multiple service ports].
126130
| `service.annotations` | Annotations to be added to the service.
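Review bot: The new `securityContext.sysctls` row lists no sub-properties, while the table's convention elsewhere is to document the shape of list entries and nested objects (compare `securityContext.capabilities.add`, `securityContext.seccompProfile.type`, and the `windowsOptions` row enumerating its properties); since each entry in the Kubernetes `sysctls` list is a `name`/`value` pair, a `securityContext.sysctls.name` and `securityContext.sysctls.value` row (or an inline mention of both keys) would keep the table consistent. As with the previous hunk, `supplementalGroups` and `sysctls` are pod-level settings ("each container", "used for the pod"), so a short pod-scope marker on these rows would help readers who take the `securityContext` prefix to mean container-level only.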
