deckhouse · universal-itengineer · Jan 13, 2026 · Dec 25, 2025 · Dec 29, 2025 · Jan 13, 2026
@@ -66,3 +66,14 @@ nodeSelector:
 true
 {{- end }}
 {{- end }}
+
+{{- define "vpa.policyUpdateMode" -}}
+{{-   $kubeVersion := .Values.global.discovery.kubernetesVersion -}}
+{{-   $updateMode := "" -}}
+{{-   if semverCompare ">=1.33.0" $kubeVersion -}}
+{{-     $updateMode = "InPlaceOrRecreate" -}}
+{{-   else -}}
+{{-     $updateMode = "Recreate" -}}
+{{-   end }}
+{{- $updateMode }}
+{{- end }}
@@ -12,7 +12,7 @@ spec:
     kind: Deployment
     name: cdi-apiserver
   updatePolicy:
-    updateMode: "Auto"
+    updateMode: {{ include "vpa.policyUpdateMode" . }}
   resourcePolicy:
     containerPolicies:
     {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}

@@ -12,7 +12,7 @@ spec:
     kind: Deployment
     name: cdi-deployment
   updatePolicy:
-    updateMode: "Auto"
+    updateMode: {{ include "vpa.policyUpdateMode" . }}
   resourcePolicy:
     containerPolicies:
     {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}

@@ -32,7 +32,7 @@ spec:
     kind: Deployment
     name: cdi-operator
   updatePolicy:
-    updateMode: "Auto"
+    updateMode: {{ include "vpa.policyUpdateMode" . }}
   resourcePolicy:
     containerPolicies:
     {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}
@@ -89,7 +89,7 @@ spec:
       ) }}
       {{- include "kube_rbac_proxy.sidecar_container" (tuple . $kubeRbacProxySettings) | nindent 6 }}
       - name: cdi-operator
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }}
         env:
         {{- include "kube_api_rewriter.kubeconfig_env" . | nindent 8 }}
         {{- include "cdi_images" . | nindent 8 }}

@@ -19,7 +19,7 @@ spec:
     kind: Deployment
     name: dvcr
   updatePolicy:
-    updateMode: "Auto"
+    updateMode: {{ include "vpa.policyUpdateMode" . }}
   resourcePolicy:
     containerPolicies:
     {{- include "kube_rbac_proxy.vpa_container_policy" . | nindent 4 }}
@@ -66,7 +66,7 @@ spec:
       {{ include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "dvcr")) | nindent 6 }}
       containers:
         - name: dvcr
-          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 10 }}
+          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 10 }}
           image: {{ include "helm_lib_module_image" (list . "dvcr") }}
           imagePullPolicy: IfNotPresent
           command:

@@ -2,7 +2,7 @@
 {{- $ctx := index . 0 }}
 {{- $settings := index . 1 }}
 - name: {{ $settings.containerName | default "kube-rbac-proxy" }}
-  {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" $ctx | nindent 2 }}
+  {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" $ctx | nindent 2 }}
   {{- if eq $settings.runAsUserNobody true }}
     runAsNonRoot: true
     runAsUser: 65534

@@ -12,7 +12,7 @@ spec:
     kind: Deployment
     name: virt-api
   updatePolicy:
-    updateMode: "Auto"
+    updateMode: {{ include "vpa.policyUpdateMode" . }}
   resourcePolicy:
     containerPolicies:
     {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}

@@ -12,7 +12,7 @@ spec:
     kind: Deployment
     name: virt-controller
   updatePolicy:
-    updateMode: "Auto"
+    updateMode: {{ include "vpa.policyUpdateMode" . }}
   resourcePolicy:
     containerPolicies:
     {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}

@@ -12,7 +12,7 @@ spec:
     kind: DaemonSet
     name: virt-handler
   updatePolicy:
-    updateMode: "Auto"
+    updateMode: {{ include "vpa.policyUpdateMode" . }}
   resourcePolicy:
     containerPolicies:
     {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}

@@ -29,7 +29,7 @@ spec:
     kind: Deployment
     name: virt-operator
   updatePolicy:
-    updateMode: "Auto"
+    updateMode: {{ include "vpa.policyUpdateMode" . }}
   resourcePolicy:
     containerPolicies:
     {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}
@@ -107,7 +107,7 @@ spec:
       ) }}
       {{- include "kube_rbac_proxy.sidecar_container" (tuple . $kubeRbacProxySettings) | nindent 6 }}
       - name: virt-operator
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }}
         args:
         - --port
         - "8443"

@@ -17,8 +17,8 @@ spec:
       restartPolicy: Never
       serviceAccountName: virtualization-pre-delete-hook
       containers:
-      - name: virtualization-pre-delete-hook
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+      - name: pre-delete-hook
+        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }}
         image: {{ include "helm_lib_module_image" (list . "preDeleteHook") }}
         env:
         - name: WAIT_TIMEOUT

@@ -22,7 +22,7 @@ spec:
     kind: Deployment
     name: virtualization-api
   updatePolicy:
-    updateMode: "Auto"
+    updateMode: {{ include "vpa.policyUpdateMode" . }}
   resourcePolicy:
     containerPolicies:
       - containerName: virtualization-api
@@ -75,7 +75,7 @@ spec:
       {{ include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "virtualization-api")) | nindent 6 }}
       containers:
         - name: virtualization-api
-          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 10 }}
+          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 10 }}
           args:
             - --kubevirt-cabundle=/etc/virt-api/certificates/ca.crt
             - --kubevirt-endpoint=virt-api.d8-{{ .Chart.Name}}.svc

@@ -22,7 +22,7 @@ spec:
     kind: Deployment
     name: virtualization-audit
   updatePolicy:
-    updateMode: "Auto"
+    updateMode: {{ include "vpa.policyUpdateMode" . }}
   resourcePolicy:
     containerPolicies:
       - containerName: virtualization-audit

@@ -22,7 +22,7 @@ spec:
     kind: Deployment
     name: virtualization-controller
   updatePolicy:
-    updateMode: "Auto"
+    updateMode: {{ include "vpa.policyUpdateMode" . }}
   resourcePolicy:
     containerPolicies:
     {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}
@@ -78,7 +78,7 @@ spec:
       containers:
         {{- include "kube_api_rewriter.sidecar_container" . | nindent 8 }}
         - name: virtualization-controller
-          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 10 }}
+          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 10 }}
           image: {{ include "helm_lib_module_image" (list . "virtualizationController") }}
           imagePullPolicy: IfNotPresent
           {{- if (.Values.global.enabledModules | has "sdn") }}

@@ -22,7 +22,7 @@ spec:
     kind: DaemonSet
     name: vm-route-forge
   updatePolicy:
-    updateMode: "Auto"
+    updateMode: {{ include "vpa.policyUpdateMode" . }}
   resourcePolicy:
     containerPolicies:
     - containerName: vm-route-forge