From ad48f71893a5716fb05abc630f8bc96f0100cac5 Mon Sep 17 00:00:00 2001
From: Lars Francke
Date: Tue, 27 May 2025 16:06:00 +0200
Subject: [PATCH] chore: Remove hardcoded uid and gid

---
 CHANGELOG.md                                          |  5 +++++
 rust/operator-binary/src/kafka_controller.rs          | 11 +----------
 tests/templates/kuttl/kerberos/30-access-kafka.txt.j2 |  2 --
 tests/templates/kuttl/tls/31_test-tls-job.yaml.j2     |  2 --
 4 files changed, 6 insertions(+), 14 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 372cc99a..ec758d49 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,10 @@ All notable changes to this project will be documented in this file.
   of having the operator write it to the vector config ([#844]).
 - test: Bump to Vector `0.46.1` ([#855]).
 - Use versioned common structs ([#861]).
+- BREAKING: Previously this operator would hardcode the UID and GID of the Pods being created to 1000/0, this has changed now ([#862])
+  - The `runAsUser` and `runAsGroup` fields will not be set anymore by the operator
+  - The defaults from the docker images itself will now apply, which will be different from 1000/0 going forward
+  - This is marked as breaking because tools and policies might exist, which require these fields to be set
 
 ### Fixed
 
@@ -43,6 +47,7 @@ All notable changes to this project will be documented in this file.
 [#855]: https://github.com/stackabletech/kafka-operator/pull/855
 [#860]: https://github.com/stackabletech/kafka-operator/pull/860
 [#861]: https://github.com/stackabletech/kafka-operator/pull/861
+[#862]: https://github.com/stackabletech/kafka-operator/pull/862
 
 ## [25.3.0] - 2025-03-21
 
diff --git a/rust/operator-binary/src/kafka_controller.rs b/rust/operator-binary/src/kafka_controller.rs
index d6087251..8c020db2 100644
--- a/rust/operator-binary/src/kafka_controller.rs
+++ b/rust/operator-binary/src/kafka_controller.rs
@@ -97,9 +97,6 @@ use crate::{
 pub const KAFKA_CONTROLLER_NAME: &str = "kafkacluster";
 pub const KAFKA_FULL_CONTROLLER_NAME: &str = concatcp!(KAFKA_CONTROLLER_NAME, '.', OPERATOR_NAME);
 
-/// Used as runAsUser in the pod security context. This is specified in the kafka image file
-pub const KAFKA_UID: i64 = 1000;
-
 pub struct Ctx {
     pub client: stackable_operator::client::Client,
     pub product_config: ProductConfigManager,
@@ -1088,13 +1085,7 @@ fn build_broker_rolegroup_statefulset(
         )
         .context(AddVolumeSnafu)?
         .service_account_name(service_account.name_any())
-        .security_context(
-            PodSecurityContextBuilder::new()
-                .run_as_user(KAFKA_UID)
-                .run_as_group(0)
-                .fs_group(1000)
-                .build(),
-        );
+        .security_context(PodSecurityContextBuilder::new().fs_group(1000).build());
 
     // Add vector container after kafka container to keep the defaulting into kafka container
     if merged_config.logging.enable_vector_agent {
diff --git a/tests/templates/kuttl/kerberos/30-access-kafka.txt.j2 b/tests/templates/kuttl/kerberos/30-access-kafka.txt.j2
index 0c51003b..adeb28a4 100644
--- a/tests/templates/kuttl/kerberos/30-access-kafka.txt.j2
+++ b/tests/templates/kuttl/kerberos/30-access-kafka.txt.j2
@@ -66,8 +66,6 @@ spec:
           volumeMode: Filesystem
       securityContext:
         fsGroup: 1000
-        runAsGroup: 1000
-        runAsUser: 1000
       restartPolicy: OnFailure
 ---
 apiVersion: v1
diff --git a/tests/templates/kuttl/tls/31_test-tls-job.yaml.j2 b/tests/templates/kuttl/tls/31_test-tls-job.yaml.j2
index bf8cda33..4428f4b5 100644
--- a/tests/templates/kuttl/tls/31_test-tls-job.yaml.j2
+++ b/tests/templates/kuttl/tls/31_test-tls-job.yaml.j2
@@ -90,7 +90,5 @@ spec:
             storage: "1"
       securityContext:
         fsGroup: 1000
-        runAsGroup: 1000
-        runAsUser: 1000
       serviceAccountName: test-sa
       restartPolicy: OnFailure
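Review bot: The rewritten `.security_context(PodSecurityContextBuilder::new().fs_group(1000).build())` line still pins `fsGroup` to 1000 even though the commit's stated intent is to stop hardcoding UID/GID, and with `run_as_user`/`run_as_group` gone nothing in the generated pod spec asserts the container runs as non-root anymore — that now rests entirely on the image's `USER` directive. If the image's default user is outside group 1000, the supplemental group that `fsGroup` adds is what keeps mounted volumes accessible, which deserves a why-comment on that line: `// fsGroup is still set so volume ownership stays accessible no matter which UID the image defaults to`. Consider also setting the Kubernetes `runAsNonRoot` field (if the builder exposes it) so an image that defaults to uid 0 is rejected at admission instead of silently running as root. build_broker_rolegroup_statefulset starts and ends outside the hunk.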