diff --git a/CHANGELOG.md b/CHANGELOG.md
index e447a07f..ebe88a80 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,10 @@ All notable changes to this project will be documented in this file.
- BREAKING: Inject the vector aggregator address into the vector config using the env var `VECTOR_AGGREGATOR_ADDRESS` instead
of having the operator write it to the vector config ([#671]).
- test: Bump to Vector `0.46.1` ([#677]).
+- BREAKING: Previously this operator would hardcode the UID and GID of the Pods being created to 1000/0, this has changed now ([#683])
+ - The `runAsUser` and `runAsGroup` fields will not be set anymore by the operator
+ - The defaults from the docker images itself will now apply, which will be different from 1000/0 going forward
+ - This is marked as breaking because tools and policies might exist, which require these fields to be set
### Fixed
@@ -39,6 +43,7 @@ All notable changes to this project will be documented in this file.
[#672]: https://github.com/stackabletech/hdfs-operator/pull/672
[#675]: https://github.com/stackabletech/hdfs-operator/pull/675
[#677]: https://github.com/stackabletech/hdfs-operator/pull/677
+[#683]: https://github.com/stackabletech/hdfs-operator/pull/683
## [25.3.0] - 2025-03-21
diff --git a/rust/operator-binary/src/crd/constants.rs b/rust/operator-binary/src/crd/constants.rs
index 7dea151e..6bd010b4 100644
--- a/rust/operator-binary/src/crd/constants.rs
+++ b/rust/operator-binary/src/crd/constants.rs
@@ -82,5 +82,3 @@ pub const DATANODE_ROOT_DATA_DIR_SUFFIX: &str = "/datanode";
pub const LISTENER_VOLUME_NAME: &str = "listener";
pub const LISTENER_VOLUME_DIR: &str = "/stackable/listener";
-
-pub const HDFS_UID: i64 = 1000;
diff --git a/rust/operator-binary/src/hdfs_controller.rs b/rust/operator-binary/src/hdfs_controller.rs
index cb2a39c3..e4cbd515 100644
--- a/rust/operator-binary/src/hdfs_controller.rs
+++ b/rust/operator-binary/src/hdfs_controller.rs
@@ -827,13 +827,7 @@ fn rolegroup_statefulset(
.image_pull_secrets_from_product_image(resolved_product_image)
.affinity(&merged_config.affinity)
.service_account_name(service_account.name_any())
- .security_context(
- PodSecurityContextBuilder::new()
- .run_as_user(HDFS_UID)
- .run_as_group(0)
- .fs_group(1000)
- .build(),
- );
+ .security_context(PodSecurityContextBuilder::new().fs_group(1000).build());
// Adds all containers and volumes to the pod builder
// We must use the selector labels ("rolegroup_selector_labels") and not the recommended labels
diff --git a/tests/templates/kuttl/kerberos/30-access-hdfs.txt.j2 b/tests/templates/kuttl/kerberos/30-access-hdfs.txt.j2
index 19a63060..10b5fcf6 100644
--- a/tests/templates/kuttl/kerberos/30-access-hdfs.txt.j2
+++ b/tests/templates/kuttl/kerberos/30-access-hdfs.txt.j2
@@ -86,6 +86,4 @@ spec:
storage: "1"
securityContext:
fsGroup: 1000
- runAsGroup: 1000
- runAsUser: 1000
restartPolicy: OnFailure
diff --git a/tests/templates/kuttl/kerberos/32-check-file.txt.j2 b/tests/templates/kuttl/kerberos/32-check-file.txt.j2
index 7e0f1d5f..07cfdc2a 100644
--- a/tests/templates/kuttl/kerberos/32-check-file.txt.j2
+++ b/tests/templates/kuttl/kerberos/32-check-file.txt.j2
@@ -58,6 +58,4 @@ spec:
storage: "1"
securityContext:
fsGroup: 1000
- runAsGroup: 1000
- runAsUser: 1000
restartPolicy: OnFailure
diff --git a/tests/templates/kuttl/topology-provider/20-access-hdfs.yaml.j2 b/tests/templates/kuttl/topology-provider/20-access-hdfs.yaml.j2
index 8597feb9..b4a9c565 100644
--- a/tests/templates/kuttl/topology-provider/20-access-hdfs.yaml.j2
+++ b/tests/templates/kuttl/topology-provider/20-access-hdfs.yaml.j2
@@ -64,7 +64,5 @@ commands:
storage: "1"
securityContext:
fsGroup: 1000
- runAsGroup: 1000
- runAsUser: 1000
restartPolicy: OnFailure
EOF