chore: Remove hardcoded uid and gid (#862)

lfrancke · web-flow · commit d2bdfb5e6d04 · 2025-05-27T14:31:02.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -23,6 +23,10 @@ All notable changes to this project will be documented in this file.
     of having the operator write it to the vector config ([#844]).
 - test: Bump to Vector `0.46.1` ([#855]).
 - Use versioned common structs ([#861]).
+- BREAKING: Previously this operator would hardcode the UID and GID of the Pods being created to 1000/0, this has changed now ([#862])
+  - The `runAsUser` and `runAsGroup` fields will not be set anymore by the operator
+  - The defaults from the docker images itself will now apply, which will be different from 1000/0 going forward
+  - This is marked as breaking because tools and policies might exist, which require these fields to be set
 
 ### Fixed
 
@@ -43,6 +47,7 @@ All notable changes to this project will be documented in this file.
 [#855]: https://github.com/stackabletech/kafka-operator/pull/855
 [#860]: https://github.com/stackabletech/kafka-operator/pull/860
 [#861]: https://github.com/stackabletech/kafka-operator/pull/861
+[#862]: https://github.com/stackabletech/kafka-operator/pull/862
 
 ## [25.3.0] - 2025-03-21
 
diff --git a/rust/operator-binary/src/kafka_controller.rs b/rust/operator-binary/src/kafka_controller.rs
@@ -97,9 +97,6 @@ use crate::{
 pub const KAFKA_CONTROLLER_NAME: &str = "kafkacluster";
 pub const KAFKA_FULL_CONTROLLER_NAME: &str = concatcp!(KAFKA_CONTROLLER_NAME, '.', OPERATOR_NAME);
 
-/// Used as runAsUser in the pod security context. This is specified in the kafka image file
-pub const KAFKA_UID: i64 = 1000;
-
 pub struct Ctx {
     pub client: stackable_operator::client::Client,
     pub product_config: ProductConfigManager,
@@ -1088,13 +1085,7 @@ fn build_broker_rolegroup_statefulset(
         )
         .context(AddVolumeSnafu)?
         .service_account_name(service_account.name_any())
-        .security_context(
-            PodSecurityContextBuilder::new()
-                .run_as_user(KAFKA_UID)
-                .run_as_group(0)
-                .fs_group(1000)
-                .build(),
-        );
+        .security_context(PodSecurityContextBuilder::new().fs_group(1000).build());
 
     // Add vector container after kafka container to keep the defaulting into kafka container
     if merged_config.logging.enable_vector_agent {
diff --git a/tests/templates/kuttl/kerberos/30-access-kafka.txt.j2 b/tests/templates/kuttl/kerberos/30-access-kafka.txt.j2
@@ -66,8 +66,6 @@ spec:
                 volumeMode: Filesystem
       securityContext:
         fsGroup: 1000
-        runAsGroup: 1000
-        runAsUser: 1000
       restartPolicy: OnFailure
 ---
 apiVersion: v1
diff --git a/tests/templates/kuttl/tls/31_test-tls-job.yaml.j2 b/tests/templates/kuttl/tls/31_test-tls-job.yaml.j2
@@ -90,7 +90,5 @@ spec:
                     storage: "1"
       securityContext:
         fsGroup: 1000
-        runAsGroup: 1000
-        runAsUser: 1000
       serviceAccountName: test-sa
       restartPolicy: OnFailure
