Erich Blume
24e5490259
Runtime grafana pod matches the manifest and the CC's claim; bumped last-reviewed. Noted that retiring init-chown-data in favor of fsGroup alone should wait until grafana migrates to ringtail's k3s, since the storage backend will change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
450 B
450 B
Reviewed compensating control init-container-isolation (35 days stale). Grafana's running pod matches the manifest and the CC's claim — only init-chown-data runs as root with CHOWN; runtime containers all run as UID 472 with all caps dropped. Retirement (replacing init-chown-data with fsGroup alone) is plausible given the in-tree minikube-hostpath provisioner, but deferred until grafana lands on ringtail's k3s — note added to the CC.