From 22115d864486ca124c7dbc21df5d9024c1d8f4ee Mon Sep 17 00:00:00 2001
From: Paul Yu
Date: Fri, 14 Nov 2025 09:49:45 -0800
Subject: [PATCH 1/4] resolves #632 removed SYS_PTRACE and alphabetized list of capabilities to add for easier cross-referencing with Pod Security Standards
---
pkg/fixtures/deployments/helm/charts/values.yaml | 8 +++-----
.../base/deployment-override-workload-identity.yaml | 8 +++-----
pkg/fixtures/deployments/kustomize/base/deployment.yaml | 8 +++-----
.../manifests/deployment-override-workload-identity.yaml | 8 +++-----
.../deployments/manifest/manifests/deployment.yaml | 8 +++-----
template/deployments/helm/charts/values.yaml | 8 +++-----
template/deployments/kustomize/base/deployment.yaml | 8 +++-----
template/deployments/manifests/manifests/deployment.yaml | 8 +++-----
8 files changed, 24 insertions(+), 40 deletions(-)
diff --git a/pkg/fixtures/deployments/helm/charts/values.yaml b/pkg/fixtures/deployments/helm/charts/values.yaml
index 0fdcf0287..c22651879 100644
--- a/pkg/fixtures/deployments/helm/charts/values.yaml
+++ b/pkg/fixtures/deployments/helm/charts/values.yaml
@@ -93,20 +93,18 @@ securityContext: drop: - ALL add: - - SETPCAP - - MKNOD - AUDIT_WRITE - CHOWN - DAC_OVERRIDE - FOWNER - FSETID - KILL + - MKNOD + - NET_BIND_SERVICE + - SETPCAP - SETGID - SETUID - - NET_BIND_SERVICE - SYS_CHROOT - - SETFCAP - - SYS_PTRACE envVars:
diff --git a/pkg/fixtures/deployments/kustomize/base/deployment-override-workload-identity.yaml b/pkg/fixtures/deployments/kustomize/base/deployment-override-workload-identity.yaml
index 32f183c9c..7e71af8b5 100644
--- a/pkg/fixtures/deployments/kustomize/base/deployment-override-workload-identity.yaml
+++ b/pkg/fixtures/deployments/kustomize/base/deployment-override-workload-identity.yaml
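Review bot: The new list is not fully alphabetized as the subject claims: `- SETPCAP` is placed ahead of `- SETGID` and `- SETUID`, so the order that actually matches the Pod Security Standards table is `- SETGID`, `- SETPCAP`, `- SETUID`. The hunk also drops `- SETFCAP`, which the subject does not mention; SETFCAP is on the PSS "baseline" allow-list, so either restore it or state the removal in the commit message so the reduced capability set is a deliberate, reviewable change rather than an accident of the reorder. Since the stated purpose is cross-referencing with PSS, a comment above `add:` such as `# Subset of the capabilities the Pod Security Standards "baseline" profile allows; "restricted" permits only NET_BIND_SERVICE` would save the next reader the lookup. The same ordering slip and undocumented SETFCAP removal appear in the other seven hunks of this patch (the kustomize, manifest and workload-identity override fixtures and the three template files).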
@@ -63,20 +63,18 @@ spec: drop: - ALL add: - - SETPCAP - - MKNOD - AUDIT_WRITE - CHOWN - DAC_OVERRIDE - FOWNER - FSETID - KILL + - MKNOD + - NET_BIND_SERVICE + - SETPCAP - SETGID - SETUID - - NET_BIND_SERVICE - SYS_CHROOT - - SETFCAP - - SYS_PTRACE affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution:
diff --git a/pkg/fixtures/deployments/kustomize/base/deployment.yaml b/pkg/fixtures/deployments/kustomize/base/deployment.yaml
index afcc0b950..2f60640ee 100644
--- a/pkg/fixtures/deployments/kustomize/base/deployment.yaml
+++ b/pkg/fixtures/deployments/kustomize/base/deployment.yaml
@@ -61,20 +61,18 @@ spec: drop: - ALL add: - - SETPCAP - - MKNOD - AUDIT_WRITE - CHOWN - DAC_OVERRIDE - FOWNER - FSETID - KILL + - MKNOD + - NET_BIND_SERVICE + - SETPCAP - SETGID - SETUID - - NET_BIND_SERVICE - SYS_CHROOT - - SETFCAP - - SYS_PTRACE affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution:
diff --git a/pkg/fixtures/deployments/manifest/manifests/deployment-override-workload-identity.yaml b/pkg/fixtures/deployments/manifest/manifests/deployment-override-workload-identity.yaml
index 0e432e49a..d84ddaaf3 100755
--- a/pkg/fixtures/deployments/manifest/manifests/deployment-override-workload-identity.yaml
+++ b/pkg/fixtures/deployments/manifest/manifests/deployment-override-workload-identity.yaml
@@ -63,20 +63,18 @@ spec: drop: - ALL add: - - SETPCAP - - MKNOD - AUDIT_WRITE - CHOWN - DAC_OVERRIDE - FOWNER - FSETID - KILL + - MKNOD + - NET_BIND_SERVICE + - SETPCAP - SETGID - SETUID - - NET_BIND_SERVICE - SYS_CHROOT - - SETFCAP - - SYS_PTRACE affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution:
diff --git a/pkg/fixtures/deployments/manifest/manifests/deployment.yaml b/pkg/fixtures/deployments/manifest/manifests/deployment.yaml
index afcc0b950..2f60640ee 100644
--- a/pkg/fixtures/deployments/manifest/manifests/deployment.yaml
+++ b/pkg/fixtures/deployments/manifest/manifests/deployment.yaml
@@ -61,20 +61,18 @@ spec: drop: - ALL add: - - SETPCAP - - MKNOD - AUDIT_WRITE - CHOWN - DAC_OVERRIDE - FOWNER - FSETID - KILL + - MKNOD + - NET_BIND_SERVICE + - SETPCAP - SETGID - SETUID - - NET_BIND_SERVICE - SYS_CHROOT - - SETFCAP - - SYS_PTRACE affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution:
diff --git a/template/deployments/helm/charts/values.yaml b/template/deployments/helm/charts/values.yaml
index 9bceb7bc1..43b458b96 100644
--- a/template/deployments/helm/charts/values.yaml
+++ b/template/deployments/helm/charts/values.yaml
@@ -115,20 +115,18 @@ securityContext: drop: - ALL add: - - SETPCAP - - MKNOD - AUDIT_WRITE - CHOWN - DAC_OVERRIDE - FOWNER - FSETID - KILL + - MKNOD + - NET_BIND_SERVICE + - SETPCAP - SETGID - SETUID - - NET_BIND_SERVICE - SYS_CHROOT - - SETFCAP - - SYS_PTRACE envVars: {{- range $key, $value := .Config.GetVariableValue "ENVVARS" }}
diff --git a/template/deployments/kustomize/base/deployment.yaml b/template/deployments/kustomize/base/deployment.yaml
index 36b428169..eb2053dc9 100644
--- a/template/deployments/kustomize/base/deployment.yaml
+++ b/template/deployments/kustomize/base/deployment.yaml
@@ -85,20 +85,18 @@ spec: drop: - ALL add: - - SETPCAP - - MKNOD - AUDIT_WRITE - CHOWN - DAC_OVERRIDE - FOWNER - FSETID - KILL + - MKNOD + - NET_BIND_SERVICE + - SETPCAP - SETGID - SETUID - - NET_BIND_SERVICE - SYS_CHROOT - - SETFCAP - - SYS_PTRACE affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution:
diff --git a/template/deployments/manifests/manifests/deployment.yaml b/template/deployments/manifests/manifests/deployment.yaml
index 36b428169..eb2053dc9 100644
--- a/template/deployments/manifests/manifests/deployment.yaml
+++ b/template/deployments/manifests/manifests/deployment.yaml
@@ -85,20 +85,18 @@ spec: drop: - ALL add: - - SETPCAP - - MKNOD - AUDIT_WRITE - CHOWN - DAC_OVERRIDE - FOWNER - FSETID - KILL + - MKNOD + - NET_BIND_SERVICE + - SETPCAP - SETGID - SETUID - - NET_BIND_SERVICE - SYS_CHROOT - - SETFCAP - - SYS_PTRACE affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution:
From d953539d7259869f84df1a40c13514afde9ed9c8 Mon Sep 17 00:00:00 2001
From: Paul Yu
Date: Fri, 21 Nov 2025 14:41:25 -0800
Subject: [PATCH 2/4] ci: pin to helm v3.19.0 to fix ci build errors
---
.github/workflows/integration-per-language.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/integration-per-language.yml b/.github/workflows/integration-per-language.yml
index 0c9545c0c..df8f331cb 100644
--- a/.github/workflows/integration-per-language.yml
+++ b/.github/workflows/integration-per-language.yml
@@ -100,7 +100,7 @@ jobs: overrideFiles: ./langtest/charts/values.yaml overrides: | replicas:2 - helm-version: "latest" + helm-version: "3.19.0" releaseName: "test-release" id: bake - name: Build and Push image
From ebb095448275f91b048bcceee0d29297e55868e6 Mon Sep 17 00:00:00 2001
From: Paul Yu
Date: Fri, 21 Nov 2025 14:52:19 -0800
Subject: [PATCH 3/4] ci: pin helm version to v3.19.2
---
.github/workflows/integration-per-language.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/integration-per-language.yml b/.github/workflows/integration-per-language.yml
index df8f331cb..3e2acb7be 100644
--- a/.github/workflows/integration-per-language.yml
+++ b/.github/workflows/integration-per-language.yml
@@ -100,7 +100,7 @@ jobs: overrideFiles: ./langtest/charts/values.yaml overrides: | replicas:2 - helm-version: "3.19.0" + helm-version: "v3.19.2" releaseName: "test-release" id: bake - name: Build and Push image
From b0a19da5ead28647dab4dfb9a0613dbb221de34a Mon Sep 17 00:00:00 2001
From: Paul Yu
Date: Tue, 2 Dec 2025 18:16:19 -0800
Subject: [PATCH 4/4] ci: reverting helm version to latest in integration workflow
---
.github/workflows/integration-per-language.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/integration-per-language.yml b/.github/workflows/integration-per-language.yml
index 3e2acb7be..0c9545c0c 100644
--- a/.github/workflows/integration-per-language.yml
+++ b/.github/workflows/integration-per-language.yml
@@ -100,7 +100,7 @@ jobs: overrideFiles: ./langtest/charts/values.yaml overrides: | replicas:2 - helm-version: "v3.19.2" + helm-version: "latest" releaseName: "test-release" id: bake - name: Build and Push image
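Review bot: Restoring `helm-version: "latest"` makes the bake step non-reproducible again, and the commit message gives no reason the `v3.19.2` pin introduced by the previous patch had to go. A floating value means any newly published Helm release, including a regressed or later-withdrawn one, changes what this workflow executes without any diff in the repository, which is exactly the failure mode the two earlier pins were reacting to. If the pinned form broke the action, record that in the message and keep a pin at the last known-good version that is bumped deliberately; if "latest" must stay, a comment on the line such as `# "latest" is intentional: <reason>` (reason to be filled in) at least makes the choice visible to the next person who hits a CI break.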