PodSecurityPolicy: avoid unnecessary mutation of supplemental groups

pkg/security/podsecuritypolicy/group/runasany.go

@@ -34,7 +34,7 @@ func NewRunAsAny() (GroupStrategy, error) {
 
 // Generate creates the group based on policy rules.  This strategy returns an empty slice.
 func (s *runAsAny) Generate(pod *api.Pod) ([]int64, error) {
-	return []int64{}, nil
+	return nil, nil
 }
 
 // Generate a single value to be applied.  This is used for FSGroup.  This strategy returns nil.

pkg/security/podsecuritypolicy/provider.go

@@ -80,7 +80,7 @@ func (s *simpleProvider) CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurit
 	}
 	annotations := maps.CopySS(pod.Annotations)
 
-	if len(sc.SupplementalGroups) == 0 {
+	if sc.SupplementalGroups == nil {
 		supGroups, err := s.strategies.SupplementalGroupStrategy.Generate(pod)
 		if err != nil {
 			return nil, nil, err

plugin/pkg/admission/security/podsecuritypolicy/admission_test.go

@@ -993,7 +993,7 @@ func TestAdmitSupplementalGroups(t *testing.T) {
 			pod:               goodPod(),
 			psps:              []*extensions.PodSecurityPolicy{runAsAny},
 			shouldPass:        true,
-			expectedSupGroups: []int64{},
+			expectedSupGroups: nil,
 			expectedPSP:       runAsAny.Name,
 		},
 		"runAsAny pod request": {