kubernetes-sigs
diff --git a/‎pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go
Lines changed: 0 additions & 9 deletions b/‎pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go
Lines changed: 0 additions & 9 deletions
diff --git a/‎pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/kdefault/manager_config_patch.go
Lines changed: 0 additions & 14 deletions b/‎pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/kdefault/manager_config_patch.go
Lines changed: 0 additions & 14 deletions
diff --git a/‎pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/kdefault/webhook_manager_patch.go
Lines changed: 0 additions & 9 deletions b/‎pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/kdefault/webhook_manager_patch.go
Lines changed: 0 additions & 9 deletions
diff --git a/‎pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go
Lines changed: 0 additions & 4 deletions b/‎pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go
Lines changed: 0 additions & 4 deletions
diff --git a/‎pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_config_patch.go
Lines changed: 0 additions & 14 deletions b/‎pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_config_patch.go
Lines changed: 0 additions & 14 deletions
diff --git a/‎pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/webhook_manager_patch.go
Lines changed: 0 additions & 9 deletions b/‎pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/webhook_manager_patch.go
Lines changed: 0 additions & 9 deletions
diff --git a/‎pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/manager/config.go
Lines changed: 5 additions & 0 deletions b/‎pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/manager/config.go
Lines changed: 5 additions & 0 deletions
diff --git a/‎pkg/plugins/golang/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go
Lines changed: 0 additions & 9 deletions b/‎pkg/plugins/golang/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go
Lines changed: 0 additions & 9 deletions
diff --git a/‎pkg/plugins/golang/v2/scaffolds/internal/templates/config/kdefault/webhook_manager_patch.go
Lines changed: 0 additions & 9 deletions b/‎pkg/plugins/golang/v2/scaffolds/internal/templates/config/kdefault/webhook_manager_patch.go
Lines changed: 0 additions & 9 deletions
diff --git a/‎test/e2e/v3/plugin_cluster_test.go
Lines changed: 17 additions & 8 deletions b/‎test/e2e/v3/plugin_cluster_test.go
Lines changed: 17 additions & 8 deletions
@@ -53,10 +53,6 @@ metadata:
 spec:
   template:
     spec:
-      securityContext:
-        runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault		
       containers:
       - name: kube-rbac-proxy
         securityContext:
@@ -83,11 +79,6 @@ spec:
             memory: 64Mi
 {{- if not .ComponentConfig }}
       - name: manager
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
         args:
         - "--health-probe-bind-address=:8081"
         - "--metrics-bind-address=127.0.0.1:8080"
 
@@ -48,17 +48,8 @@ metadata:
 spec:
   template:
     spec:
-      securityContext:
-        runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
       containers:
       - name: manager
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
         args:
         - "--config=controller_manager_config.yaml"
         volumeMounts:
@@ -67,11 +58,6 @@ spec:
           subPath: controller_manager_config.yaml
       volumes:
       - name: manager-config
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
         configMap:
           name: manager-config
 `
@@ -57,17 +57,8 @@ metadata:
 spec:
   template:
     spec:
-      securityContext:
-        runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
       containers:
       - name: manager
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
         ports:
         - containerPort: 9443
           name: webhook-server
 
@@ -53,10 +53,6 @@ metadata:
 spec:
   template:
     spec:
-      securityContext:
-        runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault		
       containers:
       - name: kube-rbac-proxy
         securityContext:
 
@@ -48,17 +48,8 @@ metadata:
 spec:
   template:
     spec:
-      securityContext:
-        runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
       containers:
       - name: manager
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
         args:
         - "--config=controller_manager_config.yaml"
         volumeMounts:
@@ -67,11 +58,6 @@ spec:
           subPath: controller_manager_config.yaml
       volumes:
       - name: manager-config
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
         configMap:
           name: manager-config
 `
@@ -57,17 +57,8 @@ metadata:
 spec:
   template:
     spec:
-      securityContext:
-        runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
       containers:
       - name: manager
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
         ports:
         - containerPort: 9443
           name: webhook-server
 
@@ -72,6 +72,8 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - command:
         - /manager
@@ -83,6 +85,9 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
         livenessProbe:
           httpGet:
             path: /healthz
 
@@ -52,17 +52,8 @@ metadata:
 spec:
   template:
     spec:
-      securityContext:
-        runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault		
       containers:
       - name: kube-rbac-proxy
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
 
@@ -48,17 +48,8 @@ metadata:
 spec:
   template:
     spec:
-      securityContext:
-        runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
       containers:
       - name: manager
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - ALL
         ports:
         - containerPort: 9443
           name: webhook-server
 
@@ -84,7 +84,7 @@ var _ = Describe("kubebuilder", func() {
 				kbc.UninstallCertManager(true)
 			})
 
-			It("should generate a runnable project", func() {
+			It("should generate a runnable project go/v2 with default SA", func() {
 				// go/v3 uses a unqiue-per-project service account name,
 				// while go/v2 still uses "default".
 				tmp := kbc.Kubectl.ServiceAccount
@@ -106,30 +106,39 @@ var _ = Describe("kubebuilder", func() {
 				kbc.UninstallCertManager(false)
 			})
 
-			It("should generate a runnable project", func() {
+			It("should generate a runnable project go/v3 with v1 CRDs and Webhooks", func() {
 				// Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist.
-				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 17 {
-					Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks", srvVer.GitVersion))
+				// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
+				// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19 {
+					Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks"+
+						"and securityContext.seccompProfile", srvVer.GitVersion))
 				}
 
 				GenerateV3(kbc, "v1")
 				Run(kbc)
 			})
 			It("should generate a runnable project with the golang base plugin v3 and kustomize v4-alpha", func() {
 				// Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist.
-				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 17 {
-					Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks", srvVer.GitVersion))
+				// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
+				// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19 {
+					Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks "+
+						"and securityContext.seccompProfile", srvVer.GitVersion))
 				}
 
 				GenerateV3WithKustomizeV2(kbc, "v1")
 				Run(kbc)
 			})
 			It("should generate a runnable project with v1beta1 CRDs and Webhooks", func() {
 				// Skip if cluster version < 1.15, when `.spec.preserveUnknownFields` was not a v1beta1 CRD field.
+				// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
+				// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
 				// Skip if cluster version >= 1.22 because pre v1 CRDs and webhooks no longer exist.
-				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 16 ||
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19 ||
 					srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() >= 22 {
-					Skip(fmt.Sprintf("cluster version %s does not support project defaults", srvVer.GitVersion))
+					Skip(fmt.Sprintf("cluster version %s does not support project defaults "+
+						"and securityContext.seccompProfile", srvVer.GitVersion))
 				}
 
 				GenerateV3(kbc, "v1beta1")