suite: telemetry — Restricted Pod Security Standard hardening (best-practices fix regression net) release: name: t namespace: sim templates: - telemetry.yaml tests: - it: pod-level security context preserves the collector's original UID/GID/fsGroup and adds seccompProfile set: telemetry.enabled: true documentSelector: path: kind value: Deployment asserts: - equal: path: spec.template.spec.securityContext.runAsUser value: 10001 - equal: path: spec.template.spec.securityContext.runAsGroup value: 10001 - equal: path: spec.template.spec.securityContext.fsGroup value: 10001 - equal: path: spec.template.spec.securityContext.runAsNonRoot value: true - equal: path: spec.template.spec.securityContext.seccompProfile.type value: RuntimeDefault - equal: path: spec.template.spec.automountServiceAccountToken value: false - it: container-level security context matches the Restricted profile (same as every other workload) set: telemetry.enabled: true documentSelector: path: kind value: Deployment asserts: - equal: path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation value: false - equal: path: spec.template.spec.containers[0].securityContext.capabilities.drop[0] value: ALL - equal: path: spec.template.spec.containers[0].securityContext.runAsNonRoot value: true - equal: path: spec.template.spec.containers[0].securityContext.seccompProfile.type value: RuntimeDefault