From 8e27a9958a52b8d6a818e1d6695b7fdb6af17a71 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Tue, 28 Apr 2026 13:17:14 +0200 Subject: [PATCH] feat!: Add `PodSecurityContextBuilder::with_stackable_defaults` --- crates/stackable-operator/CHANGELOG.md | 7 ++++ .../src/builder/pod/security.rs | 42 +++++++++++++++---- 2 files changed, 42 insertions(+), 7 deletions(-) diff --git a/crates/stackable-operator/CHANGELOG.md b/crates/stackable-operator/CHANGELOG.md index 28a1071b3..5503f1a3c 100644 --- a/crates/stackable-operator/CHANGELOG.md +++ b/crates/stackable-operator/CHANGELOG.md @@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Changed + +- BREAKING: `PodSecurityContextBuilder::new` was removed in favor of `PodSecurityContextBuilder::with_stackable_defaults`. + This function already sets up some defaults we want to use across the platform. +- BREAKING: `PodSecurityContextBuilder::run_as_non_root` now takes a `bool` instead of assuming consumers always want to set it to `true`. + This is needed to allow users setting it to `false` in case the new `with_stackable_defaults` functions set's it to `true`. + ## [0.111.1] - 2026-04-28 ### Added diff --git a/crates/stackable-operator/src/builder/pod/security.rs b/crates/stackable-operator/src/builder/pod/security.rs index 6a64ebb97..675e31b9e 100644 --- a/crates/stackable-operator/src/builder/pod/security.rs +++ b/crates/stackable-operator/src/builder/pod/security.rs 
@@ -144,14 +144,42 @@ impl SecurityContextBuilder {
     }
 }
 
-#[derive(Clone, Default)]
+/// A builder to construct a [`PodSecurityContext`].
+///
+/// # Basic usage
+///
+/// ```
+/// use stackable_operator::builder::pod::security::PodSecurityContextBuilder;
+///
+/// let _ = PodSecurityContextBuilder::with_stackable_defaults()
+///     // Configure any arbitrary fields
+///     .run_as_user(1234)
+///     .build();
+/// ```
+#[derive(Clone, Debug)]
 pub struct PodSecurityContextBuilder {
     pod_security_context: PodSecurityContext,
 }
 
 impl PodSecurityContextBuilder {
-    pub fn new() -> Self {
-        Self::default()
+    /// Construct a new [`PodSecurityContextBuilder`] that is pre-filled with Stackable's defaults.
+    pub fn with_stackable_defaults() -> Self {
+        Self {
+            pod_security_context: Self::stackable_default_pod_security_context(),
+        }
+    }
+
+    /// The Stackable's defaults for a [`PodSecurityContext`].
+    ///
+    /// It is recommended to use the [`PodSecurityContextBuilder::with_stackable_defaults`] instead
+    /// (if possible).
+    pub fn stackable_default_pod_security_context() -> PodSecurityContext {
+        todo!("Lars needs to define the exact settings he wants");
+
+        PodSecurityContext {
+            run_as_non_root: Some(true),
+            ..Default::default()
+        }
     }
 
     pub fn build(&self) -> PodSecurityContext {
@@ -173,8 +201,8 @@ impl PodSecurityContextBuilder {
         self
     }
 
-    pub fn run_as_non_root(&mut self) -> &mut Self {
-        self.pod_security_context.run_as_non_root = Some(true);
+    pub fn run_as_non_root(&mut self, non_root: bool) -> &mut Self {
+        self.pod_security_context.run_as_non_root = Some(non_root);
         self
     }
 
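Review bot: `stackable_default_pod_security_context` panics unconditionally, because the `todo!("Lars needs to define the exact settings he wants")` on its first line runs before the `PodSecurityContext { run_as_non_root: Some(true), .. }` literal, which is therefore unreachable (rustc will warn on it); with `new` removed, `with_stackable_defaults` is the only constructor left, so the doctest in the new struct docs and the `security_context_builder` test in this same patch will both panic. Drop the `todo!` line so the defaults actually apply, leaving a `// TODO: final default set still to be agreed` comment if the list is still open. `run_as_non_root: Some(true)` is the hardening property this change introduces, so it should also be pinned by a test such as `assert_eq!(PodSecurityContextBuilder::with_stackable_defaults().build().run_as_non_root, Some(true));` so a later edit to the defaults cannot silently drop it. The doc line `/// The Stackable's defaults for a [`PodSecurityContext`].` reads better as `/// The Stackable defaults for a [`PodSecurityContext`].`. The enclosing `impl PodSecurityContextBuilder`, and the `build` method the hunk ends on, continue outside the hunk.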
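Review bot: The new `run_as_non_root(&mut self, non_root: bool)` signature has no doc comment, and since `with_stackable_defaults` already sets the field to `Some(true)`, a caller passing `false` is deliberately relaxing that hardened default; the method should say so, e.g. `/// Sets runAsNonRoot. The Stackable defaults already enable it; pass false only for workloads that genuinely need UID 0, since with it enabled the kubelet refuses to start a container whose user resolves to root.` The parameter name `non_root` also reads oddly next to the method name; `run_as_non_root` or `enabled` would mirror the setter it feeds. The enclosing `impl PodSecurityContextBuilder` starts outside the hunk.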
@@ -381,13 +409,13 @@ mod tests {
     #[test]
     fn security_context_builder() {
-        let mut builder = PodSecurityContextBuilder::new();
+        let mut builder = PodSecurityContextBuilder::with_stackable_defaults();
         let context = builder
             .fs_group(1000)
             .fs_group_change_policy("policy")
             .run_as_user(1001)
             .run_as_group(1001)
-            .run_as_non_root()
+            .run_as_non_root(true)
             .supplemental_groups(&[1002, 1003])
             .se_linux_level("level")
             .se_linux_role("role")