Modify capabilities for compatibility with Pod Security (#3274)

Kyverno manifests are incompatible with the restricted Pod Security Standards included with Kubernetes 1.22 and 1.23 because the Pod Security admission controller looks for "ALL" in securityContext.capabilities.drop, but does not accept "all". 1b741f89aa/policy/check_capabilities_restricted.go (L88) Signed-off-by: Ryan White <ryan@alzabo.io>
2025-03-31 03:45:17 +00:00 · 2022-02-22 03:14:17 -05:00 · 2022-02-22 03:14:17 -05:00 · c13aeca7fa
commit c13aeca7fa
parent 99efd8136f
4 changed files with 8 additions and 8 deletions
--- a/charts/kyverno/templates/deployment.yaml
+++ b/charts/kyverno/templates/deployment.yaml
@ -78,7 +78,7 @@ spec:
            readOnlyRootFilesystem: true
            capabilities:
              drop:
-                - all
+                - ALL
          env:
          - name: METRICS_CONFIG
            value: {{ template "kyverno.metricsConfigMapName" . }}
@ -108,7 +108,7 @@ spec:
            readOnlyRootFilesystem: true
            capabilities:
              drop:
-                - all
+                - ALL
          ports:
          - containerPort: 9443
            name: https
--- a/config/install.yaml
+++ b/config/install.yaml
@ -7957,7 +7957,7 @@ spec:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
-            - all
+            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
@ -7983,7 +7983,7 @@ spec:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
-            - all
+            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
--- a/config/manifest/deployment.yaml
+++ b/config/manifest/deployment.yaml
@ -54,7 +54,7 @@ spec:
            readOnlyRootFilesystem: true
            capabilities:
              drop:
-                - all
+                - ALL
          env:
            - name: METRICS_CONFIG
              value: kyverno-metrics
@ -100,7 +100,7 @@ spec:
            readOnlyRootFilesystem: true
            capabilities:
              drop:
-                - all
+                - ALL
          resources:
            requests:
              memory: 128Mi
--- a/config/release/install.yaml
+++ b/config/release/install.yaml
@ -7957,7 +7957,7 @@ spec:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
-            - all
+            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
@ -7983,7 +7983,7 @@ spec:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
-            - all
+            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true