diff --git a/CHANGELOG.md b/CHANGELOG.md index e447a07f..ebe88a80 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,10 @@ All notable changes to this project will be documented in this file. - BREAKING: Inject the vector aggregator address into the vector config using the env var `VECTOR_AGGREGATOR_ADDRESS` instead of having the operator write it to the vector config ([#671]). - test: Bump to Vector `0.46.1` ([#677]). +- BREAKING: Previously this operator would hardcode the UID and GID of the Pods being created to 1000/0, this has changed now ([#683]) + - The `runAsUser` and `runAsGroup` fields will not be set anymore by the operator + - The defaults from the docker images itself will now apply, which will be different from 1000/0 going forward + - This is marked as breaking because tools and policies might exist, which require these fields to be set ### Fixed @@ -39,6 +43,7 @@ All notable changes to this project will be documented in this file. [#672]: https://github.com/stackabletech/hdfs-operator/pull/672 [#675]: https://github.com/stackabletech/hdfs-operator/pull/675 [#677]: https://github.com/stackabletech/hdfs-operator/pull/677 +[#683]: https://github.com/stackabletech/hdfs-operator/pull/683 ## [25.3.0] - 2025-03-21 diff --git a/rust/operator-binary/src/crd/constants.rs b/rust/operator-binary/src/crd/constants.rs index 7dea151e..6bd010b4 100644 --- a/rust/operator-binary/src/crd/constants.rs +++ b/rust/operator-binary/src/crd/constants.rs @@ -82,5 +82,3 @@ pub const DATANODE_ROOT_DATA_DIR_SUFFIX: &str = "/datanode"; pub const LISTENER_VOLUME_NAME: &str = "listener"; pub const LISTENER_VOLUME_DIR: &str = "/stackable/listener"; - -pub const HDFS_UID: i64 = 1000; diff --git a/rust/operator-binary/src/hdfs_controller.rs b/rust/operator-binary/src/hdfs_controller.rs index cb2a39c3..e4cbd515 100644 --- a/rust/operator-binary/src/hdfs_controller.rs +++ b/rust/operator-binary/src/hdfs_controller.rs 
@@ -827,13 +827,7 @@ fn rolegroup_statefulset(
 .image_pull_secrets_from_product_image(resolved_product_image)
 .affinity(&merged_config.affinity)
 .service_account_name(service_account.name_any())
- .security_context(
- PodSecurityContextBuilder::new()
- .run_as_user(HDFS_UID)
- .run_as_group(0)
- .fs_group(1000)
- .build(),
- );
+ .security_context(PodSecurityContextBuilder::new().fs_group(1000).build());

 // Adds all containers and volumes to the pod builder
 // We must use the selector labels ("rolegroup_selector_labels") and not the recommended labels
diff --git a/tests/templates/kuttl/kerberos/30-access-hdfs.txt.j2 b/tests/templates/kuttl/kerberos/30-access-hdfs.txt.j2
index 19a63060..10b5fcf6 100644
--- a/tests/templates/kuttl/kerberos/30-access-hdfs.txt.j2
+++ b/tests/templates/kuttl/kerberos/30-access-hdfs.txt.j2
@@ -86,6 +86,4 @@ spec:
 storage: "1"
 securityContext:
 fsGroup: 1000
- runAsGroup: 1000
- runAsUser: 1000
 restartPolicy: OnFailure
diff --git a/tests/templates/kuttl/kerberos/32-check-file.txt.j2 b/tests/templates/kuttl/kerberos/32-check-file.txt.j2
index 7e0f1d5f..07cfdc2a 100644
--- a/tests/templates/kuttl/kerberos/32-check-file.txt.j2
+++ b/tests/templates/kuttl/kerberos/32-check-file.txt.j2
@@ -58,6 +58,4 @@ spec:
 storage: "1"
 securityContext:
 fsGroup: 1000
- runAsGroup: 1000
- runAsUser: 1000
 restartPolicy: OnFailure
diff --git a/tests/templates/kuttl/topology-provider/20-access-hdfs.yaml.j2 b/tests/templates/kuttl/topology-provider/20-access-hdfs.yaml.j2
index 8597feb9..b4a9c565 100644
--- a/tests/templates/kuttl/topology-provider/20-access-hdfs.yaml.j2
+++ b/tests/templates/kuttl/topology-provider/20-access-hdfs.yaml.j2
@@ -64,7 +64,5 @@ commands:
 storage: "1"
 securityContext:
 fsGroup: 1000
- runAsGroup: 1000
- runAsUser: 1000
 restartPolicy: OnFailure
 EOF
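Review bot: In rust/operator-binary/src/hdfs_controller.rs, the pod security context built on the added `.security_context(...)` line no longer says anything about the identity the HDFS processes run as, so an image whose default user is root (for example a custom product image) would now run as UID 0 without the operator objecting. Consider keeping an explicit non-root guarantee by setting `runAsNonRoot: true` on the pod security context, through the builder if it exposes that field, provided the images declare a numeric USER. The remaining `fs_group(1000)` is now a bare literal with no matching UID in this file; a short comment such as `// fsGroup stays 1000 so volumes written by earlier releases remain group-accessible` would help, if that is the intent. It is also worth confirming that existing PersistentVolumes written as UID 1000 stay usable under the new image UID, since that cannot be verified from this hunk. rolegroup_statefulset starts and ends outside the hunk.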