1ba8f856b4
Previous deploys emitted 4 warnings on the discovery-tick Pod template against the restricted:latest policy. Today they are warnings; if the namespace enforcement tightens, admission will silently drop the Pod.

Pod-level: runAsNonRoot, runAsUser/runAsGroup 100 (curlimages/curl's built-in non-root UID), seccompProfile RuntimeDefault.

Container-level: allowPrivilegeEscalation false, capabilities drop ALL.