- find accounts whose group memberships have changed; access policies available to a credential are updated to reflect the change, i.e. they will lose any privileges associated with a group they are removed from, and gain any privileges associated with a group they are added to.

	// Instead, we track which UIDs we repaired and skip them if already repaired.
	//
	// An alternative would be to write something to the Pod (status, annotation, etc).
	// However, this requires elevated privileges we want to avoid
	if uid, f := c.repairedPods[key]; f {
		if uid == pod.UID {
			log.Debugf("Skipping pod, already repaired")
		} else {

## Privileges required

  repeated PodSecurityPolicy items = 2;
}

// PodSecurityPolicySpec defines the policy enforced.
message PodSecurityPolicySpec {
  // privileged determines if a pod can request to be run as privileged.
  // +optional
  optional bool privileged = 1;

  // defaultAddCapabilities is the default set of capabilities that will be added to the container

```

This tells Traefik to listen on port 9999 and to use another file `routes.toml`.

!!! tip
    We are using port 9999 instead of the standard HTTP port 80 so that you don't have to run it with admin (`sudo`) privileges.

Now create that other file `routes.toml`:

```TOML hl_lines="5  12  20"
[http]
  [http.middlewares]

    [http.middlewares.api-stripprefix.stripPrefix]
      prefixes = ["/api/v1"]

   * <p>NOTE: This method is failsafe for security purposes: ALL IPv6 addresses (except localhost
   * (::1)) are hashed to avoid the security risk associated with extracting an embedded IPv4
   * address that might permit elevated privileges.
   *
   * @param ip {@link InetAddress} to "coerce"
   * @return {@link Inet4Address} represented "coerced" address
   * @since 7.0
   */
  public static Inet4Address getCoercedIPv4Address(InetAddress ip) {

	}

	// 3.2 check that user cannot delete the bucket
	err = uClient.RemoveBucket(ctx, bucket)
	if err == nil || err.Error() != "Access Denied." {
		c.Fatalf("User was able to escalate privileges (Err=%v)!", err)
	}
}

func (s *TestSuiteIAM) TestAddServiceAccountPerms(c *check) {
	ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
	defer cancel()

	// 1. Create a policy

      value: "{{ $value }}"
    {{- end }}
  {{- end }}
    resources:
  {{ template "resources" . }}
    securityContext:
      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
      privileged: {{ .Values.global.proxy.privileged }}
      capabilities:
    {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }}
        add:
        - NET_ADMIN
        - NET_RAW
    {{- end }}
        drop:

      value: "{{ $value }}"
    {{- end }}
  {{- end }}
    resources:
  {{ template "resources" . }}
    securityContext:
      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
      privileged: {{ .Values.global.proxy.privileged }}
      capabilities:
    {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }}
        add:
        - NET_ADMIN
        - NET_RAW
    {{- end }}
        drop:

            - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            runAsNonRoot: false
            privileged: true
{{- end }}
      containers:
        - name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
          image: "{{ .Values.global.proxy.image }}"
{{- else }}