I am deploying the tempo-distributed helm chart in my Kubernetes cluster version 1.27.6. I have configured tempo podSecurityPolicy like so:

When deployed, MinIO pods won't start with error message:

```
pods "grafana-tempo-minio-668b669f7-6xhdc" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "minio" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "minio" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "minio" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "minio" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```

Inspecting the generated MinIO deployment manifest I can indeed see that `spec.securityContext` does not match my configuration in `tempo.podSecurityContext`. However, the other components like compactor, distributor, ingester etc. have the correct `spec.securityContext`.

Also, the MinIO manifest misses the `spec.containers[].securityContext` section. The other components have the default values from the helm chart but MinIO completely misses it.
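A pre-deploy check for the four controls named in the admission error above, as an added example that is not part of the original issue or of the chart. It covers only those four fields, not the full `restricted` profile; the function names and both sample manifests are constructed for illustration.

```python
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def pod_spec_of(manifest):
    """Pod template spec for workload kinds, or the spec of a bare Pod."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]

def restricted_violations(pod_spec):
    """Return (container, reason) pairs for the four controls in the error."""
    pod_sc = pod_spec.get("securityContext") or {}
    problems = []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        sc = c.get("securityContext") or {}
        name = c.get("name", "?")
        # Container-level only: must be explicitly false.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append((name, "allowPrivilegeEscalation != false"))
        # Container-level only: the drop list must contain ALL.
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            problems.append((name, "unrestricted capabilities"))
        # Pod or container level; a container value overrides the pod value.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if non_root is not True:
            problems.append((name, "runAsNonRoot != true"))
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            problems.append((name, "seccompProfile"))
    return problems

# Constructed sample: no container securityContext, as the issue describes for MinIO.
MINIO_LIKE = {"kind": "Deployment", "spec": {"template": {"spec": {
    "securityContext": {"fsGroup": 1000},
    "containers": [{"name": "minio", "image": "example/minio"}]}}}}

# Constructed sample: the same workload with the fields the error asks for.
HARDENED = {"kind": "Deployment", "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "minio", "image": "example/minio",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}}}

if __name__ == "__main__":
    for label, manifest in (("minio-like", MINIO_LIKE), ("hardened", HARDENED)):
        print(label, restricted_violations(pod_spec_of(manifest)))
```

To run it against rendered chart output, parse each YAML document into a dict first and pass it to `pod_spec_of`.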