Avo Sepp

I'd like to add we've been running 2.9.x and allowing Kubernetes to pick up the latest patch. So whatever is latest currently is in production under our roof, without issue...

So if I change it off from root, it will not cause an issue running the application?

More info, this problem is seen on `native` and `default` worker groups. I don't think we're running any other worker groups, so I cannot confirm/deny those.

``` windmill: baseDomain: "redacted" baseProtocol: "https" databaseUrlSecretName: "redacted" databaseUrlSecretKey: url postgresql: enabled: false ingress: enabled: true className: "nginx" tls: - hosts: - "redacted" secretName: redacted annotations: nginx.ingress.kubernetes.io/affinity: "cookie" nginx.ingress.kubernetes.io/affinity-mode: "persistent"...

The Helm chart is being rendered and applied by ArgoCD. When rendered on the CLI the indenting is off. It looks like... ``` containers: - name: windmill-worker securityContext: runAsNonRoot: false...

Thank you. That's good information. Is there anything mounted in `/tmp`? If I overwrite that directory with an ephemeral/empty volume will any important data be blown away?

https://github.com/argoproj/argo-cd/blob/8dff209cba4044ec8d0ff8ec32dd79bded7bafaf/manifests/ha/install.yaml#L22943 Line where change occurred. There are a few lines for HAProxy and Redis in this file that were all changed. You can search `ecr.aws` to find the changes. https://github.com/argoproj/argo-cd/commit/f1a449e83ee73f8f14d441563b6a31b504f8d8b0#diff-f57b731949fe998635a3f1de62d2cd7c5ae7139f7b288af17ee7f7166f3f5b6a...

Also worth noting that the non-ha installs still use Docker Hub for HAProxy and Redis. This change only affects HA installers. Sort of a weird thing I noticed. Why use...

Thank you Michael! That makes a lot of sense.

Looks good. I would suggest using the word Policy for Cosign. Something like "make sure your Image Validation policy includes the AWS ECR as an approved registry"