From c13aeca7faac88b933e28e9bb3e4daa97fdd411b Mon Sep 17 00:00:00 2001
From: Ryan White <4404175+alzabo@users.noreply.github.com>
Date: Tue, 22 Feb 2022 03:14:17 -0500
Subject: [PATCH] Modify capabilities for compatibility with Pod Security (#3274)
Kyverno manifests are incompatible with the restricted Pod Security Standards included with Kubernetes 1.22 and 1.23 because the Pod Security admission controller looks for "ALL" in securityContext.capabilities.drop, but does not accept "all".
https://github.com/kubernetes/pod-security-admission/blob/1b741f89aa417a489aa68ec2d0cc65eeca8dff80/policy/check_capabilities_restricted.go#L88
Signed-off-by: Ryan White
---
 charts/kyverno/templates/deployment.yaml | 4 ++--
 config/install.yaml | 4 ++--
 config/manifest/deployment.yaml | 4 ++--
 config/release/install.yaml | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/charts/kyverno/templates/deployment.yaml b/charts/kyverno/templates/deployment.yaml
index 390d3f442c..c42eb3c41e 100644
--- a/charts/kyverno/templates/deployment.yaml
+++ b/charts/kyverno/templates/deployment.yaml
@@ -78,7 +78,7 @@ spec:
 readOnlyRootFilesystem: true
 capabilities:
 drop:
- - all
+ - ALL
 env:
 - name: METRICS_CONFIG
 value: {{ template "kyverno.metricsConfigMapName" . }}
@@ -108,7 +108,7 @@ spec:
 readOnlyRootFilesystem: true
 capabilities:
 drop:
- - all
+ - ALL
 ports:
 - containerPort: 9443
 name: https
diff --git a/config/install.yaml b/config/install.yaml
index 58f94531b7..3a4b438735 100644
--- a/config/install.yaml
+++ b/config/install.yaml
@@ -7957,7 +7957,7 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - all
+ - ALL
 privileged: false
 readOnlyRootFilesystem: true
 runAsNonRoot: true
@@ -7983,7 +7983,7 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - all
+ - ALL
 privileged: false
 readOnlyRootFilesystem: true
 runAsNonRoot: true
diff --git a/config/manifest/deployment.yaml b/config/manifest/deployment.yaml
index 01f296937a..921bf7cb31 100755
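Review bot: Changing `all` to `ALL` satisfies the capabilities check cited in the description, but the restricted Pod Security level also evaluates fields this hunk does not show — the container's `allowPrivilegeEscalation: false`, `runAsNonRoot: true`, and a `seccompProfile.type` of `RuntimeDefault` or `Localhost` at pod or container level — and the chart hunks at @@ -78 and @@ -108 expose only `readOnlyRootFilesystem` and `capabilities`, with the enclosing securityContext mapping starting outside the hunk, so the rest of that mapping should be confirmed before the manifests are described as restricted-compatible. The same applies to the two hunks in config/manifest/deployment.yaml; the config/install.yaml and config/release/install.yaml hunks do show `allowPrivilegeEscalation: false`, `privileged: false` and `runAsNonRoot: true`, but no seccompProfile is visible there either. Those two install.yaml files carry identical blob ids and look like rendered copies of the manifest, so regenerating them from config/manifest/deployment.yaml rather than hand-editing would keep them from drifting. Because `Capability` is a free-form string, neither yamllint nor API-server schema validation distinguishes `all` from `ALL`; a CI step that server-side dry-runs the rendered manifests into a namespace labelled `pod-security.kubernetes.io/enforce: restricted` would catch this class of regression.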
--- a/config/manifest/deployment.yaml
+++ b/config/manifest/deployment.yaml
@@ -54,7 +54,7 @@ spec:
 readOnlyRootFilesystem: true
 capabilities:
 drop:
- - all
+ - ALL
 env:
 - name: METRICS_CONFIG
 value: kyverno-metrics
@@ -100,7 +100,7 @@ spec:
 readOnlyRootFilesystem: true
 capabilities:
 drop:
- - all
+ - ALL
 resources:
 requests:
 memory: 128Mi
diff --git a/config/release/install.yaml b/config/release/install.yaml
index 58f94531b7..3a4b438735 100755
--- a/config/release/install.yaml
+++ b/config/release/install.yaml
@@ -7957,7 +7957,7 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - all
+ - ALL
 privileged: false
 readOnlyRootFilesystem: true
 runAsNonRoot: true
@@ -7983,7 +7983,7 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - all
+ - ALL
 privileged: false
 readOnlyRootFilesystem: true
 runAsNonRoot: true