Operator deployment missing security context for restricted PodSecurity policy

[broboa]

What steps did you take and what happened:

1. Deployed cluster-api-operator v0.24.1 using the operator-components.yaml from the GitHub release
2. Applied the manifest to a namespace with pod-security.kubernetes.io/enforce: restricted label
3. ReplicaSet failed to create pods with the following violations:
   • allowPrivilegeEscalation != false
   • unrestricted capabilities
   • runAsNonRoot != true
   • seccompProfile

What did you expect to happen:

The operator deployment should include a security context that satisfies the restricted PodSecurity policy (restricted:v1.32). Standard Kubernetes controllers don't require elevated privileges and should work with:

securityContext:
  allowPrivilegeEscalation: false
  runAsNonRoot: true
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault

Anything else you would like to add:

The cluster-api-operator controller-manager is a standard Kubernetes controller that watches and reconciles Cluster API resources. It doesn't need elevated privileges.

Controllers like this typically:

• Watch CRDs and create/update Kubernetes resources
• Make API calls to the Kubernetes API server (via RBAC, not container privileges)
• Run webhook servers for validation/mutation

None of these operations require privilege escalation, running as root, special Linux capabilities, or relaxed security profiles. The security restrictions are correct and should be standard for any controller workload.

This is a configuration gap in the upstream deployment manifests, not a legitimate need for elevated privileges.

Environment:

• Cluster-api-operator version: v0.24.1
• Kubernetes version: v1.32
• Deployment method: Raw manifest (operator-components.yaml from GitHub release)

/kind bug
/area security

[k8s-ci-robot]

This issue is currently awaiting triage.

If CAPI Operator contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[broboa]

/remove-lifecycle stale

[holgerson97]

/assign