fix(operator): support restricted pod security#186
Merged
Conversation
GatewayJ
marked this pull request as ready for review
July 17, 2026 02:55
GatewayJ
force-pushed
the
feat/restricted-pod-security
branch
from
July 18, 2026 17:48
4a57133 to
436192a
Compare
This was referenced Jul 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Type of Change
Related Issues
Fixes #167
Summary of Changes
restricteddefaults for RustFS workloads, with Tenant- and Pool-level Pod/container overrides1.0.0-alpha.*and beta.1 through beta.8 images before an incompatibleRuntimeDefaultrollout, and pin the built-in fallback torustfs/rustfs:1.0.0-beta.10RuntimeDefault; fortag@digest, the digest is authoritativerunAsNonRoot, and every declared UID/GID against the Kubernetes0..=2147483647range before renderingChecklist
make pre-commit(fmt-check + clippy + test + console-lint + console-fmt-check)[Unreleased](if user-visible change)Impact
Verification
Additional Notes
crds/directory. Use the documented server-side apply commands before rolling out the Operator.users[].credsSecret, provisioning, andrustfs.tenantreference-label behavior frommainremains unchanged.metadata.annotations[operator.rustfs.com/runtime-default-image-ack]to equal the exact effective image reference. Prefer an immutable digest.tag@digestreference is evaluated by its digest and may be acknowledged only after that exact digest is verified.runAsNonRoot: trueis rejected. Root workloads do not satisfy restricted namespace admission.make e2e-live-run; all non-live checks pass.CHANGELOG.md.Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.