Mac Chaffee

Results 58 comments of Mac Chaffee

Looks like you would still have to edit the content security policy to get base64 images to appear, but doing that at least still protects you from XSS in theory.

I ended up having to run `sudo apt-get install libluajit-5.1-2` in addition to the steps you described, but after that, it's working!

Oh it already checks the securityContext, nvm: https://github.com/open-policy-agent/gatekeeper-library/blob/259ad1bdd8945d6df451d3fc2867109d76b854e2/library/pod-security-policy/seccomp/template.yaml#L208

The mutating part does need to be updated still: https://github.com/open-policy-agent/gatekeeper-library/blob/259ad1bdd8945d6df451d3fc2867109d76b854e2/mutation/pod-security-policy/seccomp/samples/mutation.yaml

Hmm the following procedure does work fine (no error observed):

1. Remove all of the CRDs
2. `helm del gatekeeper -n gatekeeper`
3. `helm upgrade --install -n gatekeeper --version v3.7.0 ...`...

Hmm no that doesn't seem to fix it either. This is how I manually installed the CRDs:

```
git clone git@github.com:open-policy-agent/gatekeeper.git
cd gatekeeper
git checkout v3.7.0
kubectl apply -f charts/gatekeeper/crds/...
```

I see the errors during step 6 "Install the latest version of gatekeeper-library". I don't see any errors in that field:

```
$ kubectl get constrainttemplates.templates.gatekeeper.sh k8spsphostnamespace -o yaml ......
```

Nice find! Should we set `legacySchema: true` on the affected resources in this repo? (k8spspallowprivilegeescalationcontainer, k8spsphostnamespace, k8spspprivilegedcontainer, k8spspreadonlyrootfilesystem) Or convert them to the "non-legacy" schema? Sorry I might not be...

@pjbgf I was thinking the same thing originally about `--disable-cache-for`, but then we'd have to parse strings like "core/v1/Secrets" into Kubernetes objects, which didn't seem straightforward to me (although I...

This issue looks relevant: https://github.com/kubernetes-sigs/controller-runtime/issues/550#issuecomment-518818318