// to all containers of a pod.
	// Deprecated: set a pod security context `seccompProfile` field.
	SeccompPodAnnotationKey string = "seccomp.security.alpha.kubernetes.io/pod"

	// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied
	// to one container of a pod.
	// Deprecated: set a container security context `seccompProfile` field.

	// to all containers of a pod.
	// Deprecated: set a pod security context `seccompProfile` field.
	SeccompPodAnnotationKey string = "seccomp.security.alpha.kubernetes.io/pod"

	// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied
	// to one container of a pod.
	// Deprecated: set a container security context `seccompProfile` field.

              # There does not appear to be a more granular capability for this.
              - SYS_ADMIN
{{- if .Values.cni.seccompProfile }}
            seccompProfile:
{{ toYaml .Values.cni.seccompProfile | trim | indent 14 }}
{{- end }}
          command: ["install-cni"]
          args:
            {{- if .Values.global.logging.level }}

            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
              - ALL
{{- if .Values.pilot.seccompProfile }}
            seccompProfile:
{{ toYaml .Values.pilot.seccompProfile | trim | indent 14 }}
{{- end }}
          volumeMounts:
          - name: istio-token
            mountPath: /var/run/secrets/tokens
            readOnly: true

spec:
  selector:
    matchLabels:
      k8s-app: glbc
  template:
    metadata:
      labels:
        k8s-app: glbc
        name: glbc
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: default-http-backend
        # Any image is permissible as long as:
        # 1. It serves a 404 page at /

apiVersion: v1
kind: Pod
metadata:
  name: kube-addon-manager
  namespace: kube-system
  labels:
    component: kube-addon-manager
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
    runAsUser: {{runAsUser}}
    runAsGroup: {{runAsGroup}}
  priorityClassName: system-node-critical
  priority: 2000001000
  hostNetwork: true
  containers:
  - name: kube-addon-manager
    securityContext:

    resources:
      limits:
        cpu: 200m
        memory: 256Mi
      requests:
        cpu: 50m
        memory: 128Mi
    # Set to `type: RuntimeDefault` to use the default profile if available.
    seccompProfile: {}

  # Node labels for pod assignment
  nodeSelector: {}

  # Tolerations for pod assignment
  tolerations: []

  # Affinity for pod assignment
  affinity: {}

kind: Pod
metadata:
  name: konnectivity-server
  namespace: kube-system
  component: konnectivity-server
spec:
  securityContext:
    {{ run_as_user }}
    {{ run_as_group }}
    {{ supplemental_groups }}
    seccompProfile:
      type: RuntimeDefault
  priorityClassName: system-node-critical
  priority: 2000001000
  hostNetwork: true
  containers:
  - name: konnectivity-server-container
    {{ container_security_context }}:

            "component": "cluster-autoscaler"
        }
    },
    "spec": {
        "securityContext": {
            {{runAsUser}}
            {{runAsGroup}}
            {{supplementalGroups}}
            "seccompProfile": {
                "type": "RuntimeDefault"
            }
        },
        "hostNetwork": true,
        "containers": [
            {
                "name": "cluster-autoscaler",

	t.Helper()
	wantPodSecurityContext := &v1.PodSecurityContext{
		RunAsUser:          ptr.To(wantRunAsUser),
		RunAsGroup:         ptr.To(wantRunAsGroup),
		SupplementalGroups: wantSupGroup,
		SeccompProfile: &v1.SeccompProfile{
			Type: v1.SeccompProfileTypeRuntimeDefault,
		},
	}
	if !reflect.DeepEqual(wantPodSecurityContext, pod.Spec.SecurityContext) {