diff --git a/CHANGELOG.md b/CHANGELOG.md index cfe8c785..9ebf5021 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,10 @@ All notable changes to this project will be documented in this file. - BREAKING: Inject the vector aggregator address into the vector config using the env var `VECTOR_AGGREGATOR_ADDRESS` instead of having the operator write it to the vector config ([#589]). - test: Bump to Vector `0.46.1` ([#599]). +- BREAKING: Previously this operator would hardcode the UID and GID of the Pods being created to 1000/0, this has changed now ([#603]) + - The `runAsUser` and `runAsGroup` fields will not be set anymore by the operator + - The defaults from the docker images itself will now apply, which will be different from 1000/0 going forward + - This is marked as breaking because tools and policies might exist, which require these fields to be set ### Fixed @@ -34,6 +38,7 @@ All notable changes to this project will be documented in this file. [#592]: https://github.com/stackabletech/hive-operator/pull/592 [#596]: https://github.com/stackabletech/hive-operator/pull/596 [#599]: https://github.com/stackabletech/hive-operator/pull/599 +[#603]: https://github.com/stackabletech/hive-operator/pull/603 ## [25.3.0] - 2025-03-21 diff --git a/rust/operator-binary/src/controller.rs b/rust/operator-binary/src/controller.rs index d6f9160c..8f26bbb5 100644 --- a/rust/operator-binary/src/controller.rs +++ b/rust/operator-binary/src/controller.rs @@ -100,8 +100,6 @@ use crate::{ pub const HIVE_CONTROLLER_NAME: &str = "hivecluster"; pub const HIVE_FULL_CONTROLLER_NAME: &str = concatcp!(HIVE_CONTROLLER_NAME, '.', OPERATOR_NAME); -/// Used as runAsUser in the pod security context -pub const HIVE_UID: i64 = 1000; const DOCKER_IMAGE_BASE_NAME: &str = "hive"; pub const MAX_HIVE_LOG_FILES_SIZE: MemoryQuantity = MemoryQuantity { @@ -986,13 +984,7 @@ fn build_metastore_rolegroup_statefulset( .context(AddVolumeSnafu)? .affinity(&merged_config.affinity) .service_account_name(sa_name) - .security_context( - PodSecurityContextBuilder::new() - .run_as_user(HIVE_UID) - .run_as_group(0) - .fs_group(1000) - .build(), - ); + .security_context(PodSecurityContextBuilder::new().fs_group(1000).build()); if let Some(ContainerLogConfig { choice: diff --git a/tests/templates/kuttl/kerberos-hdfs/35-access-hdfs.yaml.j2 b/tests/templates/kuttl/kerberos-hdfs/35-access-hdfs.yaml.j2 index 23114c54..a4dd59ac 100644 --- a/tests/templates/kuttl/kerberos-hdfs/35-access-hdfs.yaml.j2 +++ b/tests/templates/kuttl/kerberos-hdfs/35-access-hdfs.yaml.j2 @@ -65,7 +65,5 @@ commands: storage: "1" securityContext: fsGroup: 1000 - runAsGroup: 1000 - runAsUser: 1000 restartPolicy: OnFailure EOF diff --git a/tests/templates/kuttl/kerberos-hdfs/70-install-access-hive.yaml.j2 b/tests/templates/kuttl/kerberos-hdfs/70-install-access-hive.yaml.j2 index beed5948..0c6c0647 100644 --- a/tests/templates/kuttl/kerberos-hdfs/70-install-access-hive.yaml.j2 +++ b/tests/templates/kuttl/kerberos-hdfs/70-install-access-hive.yaml.j2 @@ -55,8 +55,6 @@ commands: storage: "1" securityContext: fsGroup: 1000 - runAsGroup: 1000 - runAsUser: 1000 restartPolicy: OnFailure EOF --- diff --git a/tests/templates/kuttl/kerberos-s3/70-install-access-hive.yaml.j2 b/tests/templates/kuttl/kerberos-s3/70-install-access-hive.yaml.j2 index b6654c4e..371f4b4e 100644 --- a/tests/templates/kuttl/kerberos-s3/70-install-access-hive.yaml.j2 +++ b/tests/templates/kuttl/kerberos-s3/70-install-access-hive.yaml.j2 @@ -55,8 +55,6 @@ commands: storage: "1" securityContext: fsGroup: 1000 - runAsGroup: 1000 - runAsUser: 1000 restartPolicy: OnFailure EOF ---