// owned and writable by FsUser. Otherwise, there is no side effects.
	// Currently only supported with projected service account tokens.
	FsUser              *int64
	FsGroup             *int64
	FSGroupChangePolicy *v1.PodFSGroupChangePolicy
	DesiredSize         *resource.Quantity
	SELinuxLabel        string
}

// Mounter interface provides methods to set up/mount the volume.

	}
	refs, err := m.mounter.GetMountRefs(m.globalPath)
	if mounterArgs.FsGroup != nil {
		if err != nil {
			klog.Errorf("cannot collect mounting information: %s %v", m.globalPath, err)
			return err
		}

		// Only count mounts from other pods
		refs = m.filterPodMounts(refs)
		if len(refs) > 0 {
			fsGroupNew := int64(*mounterArgs.FsGroup)
			_, fsGroupOld, err := m.hostUtil.GetOwner(m.globalPath)
			if err != nil {

      securityContext:
        runAsUser: {{ .Values.securityContext.runAsUser }}
        runAsGroup: {{ .Values.securityContext.runAsGroup }}
        fsGroup: {{ .Values.securityContext.fsGroup }}
        {{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }}
        fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }}
        {{- end }}

	// to determine if the volume ownership and permissions
	// should be modified. If a fstype is defined and the volume's access mode
	// contains ReadWriteOnce, then the defined fsGroup will be applied.
	// This mode should be defined if it's expected that the
	// fsGroup may need to be modified depending on the pod's SecurityPolicy.
	// This is the default behavior if no other FSGroupPolicy is defined.

	// to determine if the volume ownership and permissions
	// should be modified. If a fstype is defined and the volume's access mode
	// contains ReadWriteOnce, then the defined fsGroup will be applied.
	// This mode should be defined if it's expected that the
	// fsGroup may need to be modified depending on the pod's SecurityPolicy.
	// This is the default behavior if no other FSGroupPolicy is defined.

            - ALL
          privileged: false
          readOnlyRootFilesystem: false
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
      securityContext:
        fsGroup: 1234
      volumes:
      - name: workload-socket
      - name: credential-socket
      - name: workload-certs
      - emptyDir:
          medium: Memory
        name: istio-envoy
      - emptyDir: {}

false allowPrivilegeEscala: true allowPrivilegedConta: false allowedCapabilities: [] readOnlyRootFilesyst: false defaultAddCapabiliti: [] requiredDropCapabili: - KILL - MKNOD - SETUID - SETGID fsGroup: type: MustRunAs ranges: - max: {{ .Values.securityContext.fsGroup }} min: {{ .Values.securityContext.fsGroup }} runAsUser: type: MustRunAs uid: {{ .Values.securityContext.runAsUser }} seLinuxContext: type: MustRunAs supplementalGroups: type: RunAsAny volumes: - configMap - downwardAPI - emptyDir - persistentVolumeClai...

false allowPrivilegeEscala: true allowPrivilegedConta: false allowedCapabilities: [] readOnlyRootFilesyst: false defaultAddCapabiliti: [] requiredDropCapabili: - KILL - MKNOD - SETUID - SETGID fsGroup: type: MustRunAs ranges: - max: {{ .Values.securityContext.fsGroup }} min: {{ .Values.securityContext.fsGroup }} runAsUser: type: MustRunAs uid: {{ .Values.securityContext.runAsUser }} seLinuxContext: type: MustRunAs supplementalGroups: type: RunAsAny volumes: - configMap - downwardAPI - emptyDir - persistentVolumeClai...

    spec:
      priorityClassName: system-cluster-critical
      securityContext:
        seccompProfile:
          type: RuntimeDefault
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:

  optional SupplementalGroupsStrategyOptions supplementalGroups = 12;

  // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.
  optional FSGroupStrategyOptions fsGroup = 13;

  // readOnlyRootFilesystem when set to true will force containers to run with a read only root file