verbs: ["watch", "get", "list"]
{{- if .Values.cni.repair.repairPods }}
{{- /*  No privileges needed*/}}
{{- else if .Values.cni.repair.deletePods }}
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["delete"]
{{- else if .Values.cni.repair.labelPods }}
  - apiGroups: [""]
    {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
    resources: ["pods/status"]

	Remove(ctx context.Context, object string, rv remoteVersionID) error
	InUse(ctx context.Context) (bool, error)
}

const probeObject = "probeobject"

// checkWarmBackend checks if tier config credentials have sufficient privileges
// to perform all operations defined in the WarmBackend interface.
func checkWarmBackend(ctx context.Context, w WarmBackend) error {
	remoteVersionID, err := w.Put(ctx, probeObject, strings.NewReader("MinIO"), 5)

    inject.istio.io/templates: "gateway"
    sidecar.istio.io/inject: "true"

  # Define the security context for the pod.
  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
  securityContext: ~
  containerSecurityContext: ~

  service:

              port: 8000
          securityContext:
            privileged: true # always requires privilege to be useful (install node plugin, etc)
            runAsGroup: 0
            runAsUser: 0
            runAsNonRoot: false
            # Both ambient and sidecar repair mode require elevated node privileges to function.
            # But we don't need _everything_ in `privileged`, so drop+readd capabilities based on feature.

- find accounts whose group memberships have changed; access policies available to a credential are updated to reflect the change, i.e. they will lose any privileges associated with a group they are removed from, and gain any privileges associated with a group they are added to.

Date:   Sat Jun 15 11:27:17 2019 -0700

    [security] Match ${aws:username} exactly instead of prefix match (#7791)

    This PR fixes a security issue where an IAM user based
    on his policy is granted more privileges than restricted
    by the users IAM policy.

    This is due to an issue of prefix based Matcher() function
    which was incorrectly matching prefix based on resource
    prefixes instead of exact match.
```

	// Instead, we track which UIDs we repaired and skip them if already repaired.
	//
	// An alternative would be to write something to the Pod (status, annotation, etc).
	// However, this requires elevated privileges we want to avoid
	if uid, f := c.repairedPods[key]; f {
		if uid == pod.UID {
			log.Debugf("Skipping pod, already repaired")
		} else {

## Privileges required

This client could be a browser with a frontend, a code from someone else, an IoT device, etc.

You could need to tell the client that:

* The client doesn't have enough privileges for that operation.
* The client doesn't have access to that resource.
* The item the client was trying to access doesn't exist.
* etc.

```

This tells Traefik to listen on port 9999 and to use another file `routes.toml`.

!!! tip
    We are using port 9999 instead of the standard HTTP port 80 so that you don't have to run it with admin (`sudo`) privileges.

Now create that other file `routes.toml`:

```TOML hl_lines="5  12  20"
[http]
  [http.middlewares]

    [http.middlewares.api-stripprefix.stripPrefix]
      prefixes = ["/api/v1"]