apiVersion: v1
kind: Pod
metadata:
  labels:
    run: target
  name: target
spec:
  securityContext:
    seccompProfile: 
      type: Localhost
      localhostProfile: dummy.json
  containers:
  - image: busybox
    name: target
    command: ["/bin/sh", "-c", "sleep 100"]
    securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        allowPrivilegeEscalation: false

	// to all containers of a pod.
	// Deprecated: set a pod security context `seccompProfile` field.
	SeccompPodAnnotationKey string = "seccomp.security.alpha.kubernetes.io/pod"

	// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied
	// to one container of a pod.
	// Deprecated: set a container security context `seccompProfile` field.

	// to all containers of a pod.
	// Deprecated: set a pod security context `seccompProfile` field.
	SeccompPodAnnotationKey string = "seccomp.security.alpha.kubernetes.io/pod"

	// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied
	// to one container of a pod.
	// Deprecated: set a container security context `seccompProfile` field.

              # There does not appear to be a more granular capability for this.
              - SYS_ADMIN
{{- if .Values.cni.seccompProfile }}
            seccompProfile:
{{ toYaml .Values.cni.seccompProfile | trim | indent 14 }}
{{- end }}
          command: ["install-cni"]
          args:
            {{- if .Values.global.logging.level }}

            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
              - ALL
{{- if .Values.pilot.seccompProfile }}
            seccompProfile:
{{ toYaml .Values.pilot.seccompProfile | trim | indent 14 }}
{{- end }}
          volumeMounts:
          - name: istio-token
            mountPath: /var/run/secrets/tokens
            readOnly: true

"kind": "Pod",
"metadata": {
  "name":"kube-scheduler",
  "namespace": "kube-system",
  "labels": {
    "tier": "control-plane",
    "component": "kube-scheduler"
  }
},
"spec":{
"securityContext": {
  "seccompProfile": {
      "type": "RuntimeDefault"
  },
  "runAsUser": {{runAsUser}},
  "runAsGroup": {{runAsGroup}}
},
"priorityClassName": "system-node-critical",
"priority": 2000001000,
"hostNetwork": true,

spec:
  selector:
    matchLabels:
      k8s-app: glbc
  template:
    metadata:
      labels:
        k8s-app: glbc
        name: glbc
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: default-http-backend
        # Any image is permissible as long as:
        # 1. It serves a 404 page at /

apiVersion: v1
kind: Pod
metadata:
  name: kube-addon-manager
  namespace: kube-system
  labels:
    component: kube-addon-manager
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
    runAsUser: {{runAsUser}}
    runAsGroup: {{runAsGroup}}
  priorityClassName: system-node-critical
  priority: 2000001000
  hostNetwork: true
  containers:
  - name: kube-addon-manager
    securityContext:

    resources:
      limits:
        cpu: 200m
        memory: 256Mi
      requests:
        cpu: 50m
        memory: 128Mi
    # Set to `type: RuntimeDefault` to use the default profile if available.
    seccompProfile: {}

  # Node labels for pod assignment
  nodeSelector: {}

  # Tolerations for pod assignment
  tolerations: []

  # Affinity for pod assignment
  affinity: {}

kind: Pod
metadata:
  name: konnectivity-server
  namespace: kube-system
  component: konnectivity-server
spec:
  securityContext:
    {{ run_as_user }}
    {{ run_as_group }}
    {{ supplemental_groups }}
    seccompProfile:
      type: RuntimeDefault
  priorityClassName: system-node-critical
  priority: 2000001000
  hostNetwork: true
  containers:
  - name: konnectivity-server-container
    {{ container_security_context }}: