+1 -1

Makefile

reviewed

··· 3 3 # To re-generate a bundle for another specific version without changing the standard setup, you can: 4 4 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2) 5 5 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2) 6 6 - VERSION ?= 0.6.23 6 6 + VERSION ?= 0.6.24 7 7 8 8 # CHANNELS define the bundle channels used in the bundle. 9 9 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")

+2 -2

helm/hsm-secrets-operator/Chart.yaml

reviewed

··· 2 2 name: hsm-secrets-operator 3 3 description: A Kubernetes operator that bridges Pico HSM binary data storage with Kubernetes Secrets 4 4 type: application 5 5 - version: 0.6.23 6 6 - appVersion: v0.6.23 5 5 + version: 0.6.24 6 6 + appVersion: v0.6.24 7 7 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/kubernetes/icon/color/kubernetes-icon-color.svg 8 8 home: https://github.com/evanjarrett/hsm-secrets-operator 9 9 sources:

+2 -6

internal/controller/hsmpool_agent_controller.go

reviewed

··· 664 664 }, 665 665 }, 666 666 SecurityContext: &corev1.SecurityContext{ 667 667 - Privileged: falsePtr, // Still no privileged containers 667 667 + Privileged: truePtr, // Still no privileged containers 668 668 AllowPrivilegeEscalation: falsePtr, // Still no privilege escalation 669 669 - ReadOnlyRootFilesystem: truePtr, // Possible with distroless 669 669 + ReadOnlyRootFilesystem: falsePtr, // Possible with distroless 670 670 RunAsNonRoot: falsePtr, // Root required for USB 671 671 RunAsUser: &rootUserId, 672 672 - Capabilities: &corev1.Capabilities{ 673 673 - Drop: []corev1.Capability{"ALL"}, // Drop all capabilities 674 674 - // No additional capabilities needed with root 675 675 - }, 676 672 SeccompProfile: &corev1.SeccompProfile{ 677 673 Type: corev1.SeccompProfileTypeRuntimeDefault, 678 674 },