feat!: Add (Pod)SecurityContextBuilder::with_stackable_defaults

crates/stackable-operator/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Changed
+
+- BREAKING: `PodSecurityContextBuilder::new` was removed in favor of `PodSecurityContextBuilder::with_stackable_defaults`
+  (same for `SecurityContextBuilder`) ([#1205]).
+  This function already sets up some defaults we want to use across the platform.
+  Currently this is `runAsNonRoot: true`, which might cause product Pods to crash and require changes.
+- BREAKING: `PodSecurityContextBuilder::run_as_non_root` now takes a `bool` instead of assuming consumers always want to set it to `true` ([#1205]).
+  This is needed to allow users setting it to `false` in case the new `with_stackable_defaults` function sets it to `true`.
+- BREAKING: `SecurityContextBuilder::run_as_root` is now called on the builder, not as a builder-creation function ([#1205]).
+
+[#1205]: https://github.com/stackabletech/operator-rs/pull/1205
+
 ## [0.113.0] - 2026-06-22
 
 ### Added

crates/stackable-operator/src/builder/pod/security.rs

@@ -10,16 +10,29 @@ pub struct SecurityContextBuilder {
 }
 
 impl SecurityContextBuilder {
-    /// Convenience function for a wide use-case.
-    pub fn run_as_root() -> SecurityContext {
-        SecurityContext {
-            run_as_user: Some(0),
-            ..SecurityContext::default()
-        }
+    /// Construct a new [`SecurityContextBuilder`] that is pre-filled with Stackable's defaults.
+    ///
+    /// Currently the defaults are:
+    ///
+    /// * `runAsNonRoot: true`
+    pub fn with_stackable_defaults() -> Self {
+        // We are using the builder functions to ensure that builder functions exist to override these settings.
+        let mut builder = Self {
+            security_context: SecurityContext::default(),
+        };
+
+        // Reason: Running as root is bad
+        builder.run_as_non_root(true);
+
+        builder
     }
 
-    pub fn new() -> Self {
-        Self::default()
+    /// Convenience function for a wide use-case.
+    ///
+    /// Please only use this is really needed.
+    pub fn run_as_root(&mut self) {
+        self.run_as_user(0);
+        self.run_as_non_root(false);
     }
 
     pub fn allow_privilege_escalation(&mut self, value: bool) -> &mut Self {
@@ -144,14 +157,39 @@ impl SecurityContextBuilder {
     }
 }
 
-#[derive(Clone, Default)]
+/// A builder to construct a [`PodSecurityContext`].
+///
+/// # Basic usage
+///
+/// ```
+/// use stackable_operator::builder::pod::security::PodSecurityContextBuilder;
+///
+/// let _ = PodSecurityContextBuilder::with_stackable_defaults()
+///     // Configure any arbitrary fields
+///     .run_as_user(1234)
+///     .build();
+/// ```
+#[derive(Clone, Debug)]
 pub struct PodSecurityContextBuilder {
     pod_security_context: PodSecurityContext,
 }
 
 impl PodSecurityContextBuilder {
-    pub fn new() -> Self {
-        Self::default()
+    /// Construct a new [`PodSecurityContextBuilder`] that is pre-filled with Stackable's defaults.
+    ///
+    /// Currently the defaults are:
+    ///
+    /// * `runAsNonRoot: true`
+    pub fn with_stackable_defaults() -> Self {
+        // We are using the builder functions to ensure that builder functions exist to override these settings.
+        let mut builder = Self {
+            pod_security_context: PodSecurityContext::default(),
+        };
+
+        // Reason: Running as root is bad
+        builder.run_as_non_root(true);
+
+        builder
     }
 
     pub fn build(&self) -> PodSecurityContext {
@@ -173,8 +211,8 @@ impl PodSecurityContextBuilder {
         self
     }
 
-    pub fn run_as_non_root(&mut self) -> &mut Self {
-        self.pod_security_context.run_as_non_root = Some(true);
+    pub fn run_as_non_root(&mut self, non_root: bool) -> &mut Self {
+        self.pod_security_context.run_as_non_root = Some(non_root);
         self
     }
 
@@ -381,13 +419,13 @@ mod tests {
 
     #[test]
     fn security_context_builder() {
-        let mut builder = PodSecurityContextBuilder::new();
+        let mut builder = PodSecurityContextBuilder::with_stackable_defaults();
         let context = builder
             .fs_group(1000)
             .fs_group_change_policy("policy")
             .run_as_user(1001)
             .run_as_group(1001)
-            .run_as_non_root()
+            .run_as_non_root(true)
             .supplemental_groups(&[1002, 1003])
             .se_linux_level("level")
             .se_linux_role("role")