Skip to content

fix(operator): support restricted pod security#186

Merged
GatewayJ merged 2 commits into
rustfs:mainfrom
GatewayJ:feat/restricted-pod-security
Jul 19, 2026
Merged

fix(operator): support restricted pod security#186
GatewayJ merged 2 commits into
rustfs:mainfrom
GatewayJ:feat/restricted-pod-security

Conversation

@GatewayJ

@GatewayJ GatewayJ commented Jul 16, 2026

Copy link
Copy Markdown
Member

Type of Change

  • New Feature
  • Bug Fix
  • Documentation
  • Performance Improvement
  • Test/CI
  • Refactor
  • Other:

Related Issues

Fixes #167

Summary of Changes

  • render Kubernetes Pod Security Standards restricted defaults for RustFS workloads, with Tenant- and Pool-level Pod/container overrides
  • block non-digest official RustFS 1.0.0-alpha.* and beta.1 through beta.8 images before an incompatible RuntimeDefault rollout, and pin the built-in fallback to rustfs/rustfs:1.0.0-beta.10
  • require an exact image-bound Tenant acknowledgement for custom repositories, mutable tags, and digest-qualified references under RuntimeDefault; for tag@digest, the digest is authoritative
  • validate seccomp/AppArmor shapes, effective UID 0 plus runAsNonRoot, and every declared UID/GID against the Kubernetes 0..=2147483647 range before rendering
  • validate the complete Tenant request before creating a Namespace or writing the Tenant, and make Namespace creation race-safe
  • preserve complete Tenant YAML in Console create/update flows and validate image plus acknowledgement changes atomically
  • regenerate Tenant CRDs and update Helm guidance, English/Chinese user guides, examples, Console guidance, and non-live E2E coverage

Checklist

  • I have read and followed the CONTRIBUTING.md guidelines
  • Passed make pre-commit (fmt-check + clippy + test + console-lint + console-fmt-check)
  • Added/updated necessary tests
  • Documentation updated (if needed)
  • CHANGELOG.md updated under [Unreleased] (if user-visible change)
  • CI/CD passed (if applicable)

Impact

  • Breaking change (CRD/API compatibility)
  • Requires doc/config/deployment update
  • Other impact: Apply the updated Tenant CRD before upgrading. Compatible existing workloads roll to the restricted defaults on reconciliation; incompatible images are blocked before the StatefulSet update, leaving existing Pods running until configuration is corrected.

Verification

make pre-commit

Additional Notes

  • This PR is intentionally limited to restricted workload security. It does not replace Secret/ConfigMap reference reconciliation and does not change the generic Console JSON or encryption contracts.
  • Independent follow-ups split from the earlier combined diff are fix(controller): index shared tenant references #189 (Controller reference indexing) and fix(console): enforce JSON request contracts #190 (Console JSON contracts); neither is required by this fix.
  • Follow-up fix(console): enforce JSON request contracts #190 will standardize JSON rejection envelopes for all Console write routes, including the new Tenant YAML creation endpoint, after rebasing onto the main branch that contains this PR.
  • Helm does not upgrade CRDs from the chart crds/ directory. Use the documented server-side apply commands before rolling out the Operator.
  • Existing users[].credsSecret, provisioning, and rustfs.tenant reference-label behavior from main remains unchanged.
  • Official beta.9-or-later release tags work automatically. Custom, mutable, and digest-qualified images require metadata.annotations[operator.rustfs.com/runtime-default-image-ack] to equal the exact effective image reference. Prefer an immutable digest.
  • A non-digest official alpha or beta.1 through beta.8 reference cannot be acknowledged. A tag@digest reference is evaluated by its digest and may be acknowledged only after that exact digest is verified.
  • Explicit root execution remains available for legacy workloads, but contradictory UID 0 plus runAsNonRoot: true is rejected. Root workloads do not satisfy restricted namespace admission.
  • This change does not delete StatefulSets or PVCs and does not migrate the RustFS on-disk format. Schedule the workload rollout in a maintenance window and follow normal backup procedures.
  • Live Kubernetes tests remain opt-in through make e2e-live-run; all non-live checks pass.
  • The repository does not currently contain a CHANGELOG.md.

Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.

@GatewayJ
GatewayJ marked this pull request as ready for review July 17, 2026 02:55
@GatewayJ
GatewayJ added this pull request to the merge queue Jul 19, 2026
Merged via the queue into rustfs:main with commit e9d0a51 Jul 19, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Tenant Operator-generated StatefulSet cannot satisfy PodSecurity "restricted" — CRD does not expose container-level securityContext

1 participant