fsGroup can only be set on the pod level itself however there are ways to control and mutate pods created by the apiserver.

You could have a mutating webhook which adds/modifies the fsGroup field for all pods created in a particular namespace: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/

You could also use OPA which provides a configurable dynamic admission controller where you just define the policy for it to enact: https://www.openpolicyagent.org/docs/v0.12.2/kubernetes-admission-control/