C0: review CC init-container-isolation — defer retirement to post-ringtail

Runtime grafana pod matches the manifest and the CC's claim; bumped
last-reviewed. Noted that retiring init-chown-data in favor of fsGroup
alone should wait until grafana migrates to ringtail's k3s, since the
storage backend will change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

compensating-controls.yaml

@@ -129,11 +129,16 @@ controls:
       containers run as non-root (UID 472) with all capabilities
       dropped.
     created: 2026-03-30
-    last-reviewed: 2026-03-30
+    last-reviewed: 2026-05-04
     notes: >-
       Verify by inspecting grafana deployment.yaml securityContext
       for both init and runtime containers. If fsGroup alone can
       handle PVC ownership, remove init-chown-data and this control.
+      Retirement deferred until grafana lands on ringtail's k3s
+      (see [[indri-k8s-migration]]) — storage backend will change,
+      and removing init-chown-data right before that migration
+      trades a real safety net for marginal cleanup. Revisit
+      post-migration.
 
   - id: node-config-automated-verification
     description: >-

docs/changelog.d/+review-cc-init-container-isolation.misc.md

@@ -0,0 +1 @@
+Reviewed compensating control `init-container-isolation` (35 days stale). Grafana's running pod matches the manifest and the CC's claim — only `init-chown-data` runs as root with `CHOWN`; runtime containers all run as UID 472 with all caps dropped. Retirement (replacing init-chown-data with `fsGroup` alone) is plausible given the in-tree minikube-hostpath provisioner, but deferred until grafana lands on ringtail's k3s — note added to the CC.