Currently after doing a default install with certmanager to get the TLS trust with the api server, the next upgrade requires updating the helm value set to include the public cert. Instead of doing this and making the user do something, we should do the following.

• Allow omitting the public cert
• Add watching of the TLS object or files and update the mutating webhook configuration, this is needed for rotations anyways

Add configurable map of annotations and values that when present on the pod will not be mutated.

Add the ability to define a matcher as a key in a map, when a pod matches the key, use the override set for securityContexts to override the defaults. The intent here is to provide way to handle workloads that don't function with the default settings (perhaps UID:GID conflicts) where mechanisms to harden the securityContext are not available (third party tools that don't expose setting securityContexts).

Increase the default allocations to give a bit more head room, also wire readiness/liveness probes in to be better than just a socket check.

Add ability to scope requests sent to hook using selectors.

Object level:
https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector

Namespace level: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector

Conditions:
https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions

These should be optional pass through defines

As a maintainer I want an option to scramble the GID/UID of workloads that support it.

AC

1. Must have a global option to enable/disable the behavior
2. Must have an option to set the UID/GID ranges
3. Must have an annotation that can be set on the pod to disable the behavior.
4. Must have an option to only do this for workloads that do not specify a UID/GID

Options.

• .enableRandomUID (boolean)
• .enableOverridingExistingUID (boolean)
• .UIDRanges (array of objects containging start, stop numbers)
• .ignoreRandomUIDAnnotation (string) default 'github.io/bryopsida/psa-restricted-patcher/disable-random-uid'

Randomizer will randomly pick a range pool, and then randomly get a range from that pool, if Redis is available it will check to see if the UID/GID has recently been used and retry.

Add the ability to config the desired behavior of reinvocation: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions

Failure policy: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions

and timouts: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions

Define defaults in values.yaml and set values on manifest.

Update to version 1.0.x of the node kubernetes client when its out of RC.

kubernetes-client/javascript#290

Add artifacthub metadata file: https://github.com/artifacthub/hub/blob/master/docs/metadata/artifacthub-repo.yml

• Verified
• Official

When capabilities or capabilities.dropis not provided, automatically setcapabilities.drop = ["ALL"]`

Add a topology spread: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ to encourage spreading the pods across nodes for a higher fault tolerance on node failure. Make permissive so if only one node is available the desired pod counts can still be obtained.