ztunnel exception needs to account for autogen rules
@jeffv reported an issue enabling ztunnel in a cluster that did not use `test-values.yaml`, which resulted in the ztunnel pods being blocked by:
```
disallow-privilege-escalation:
  autogen-disallow-privilege-escalation: 'validation failure: validation error: Privilege
  escalation is disallowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation,
  spec.initContainers[*].securityContext.allowPrivilegeEscalation, and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation
  must be undefined or set to `false`. rule autogen-disallow-privilege-escalation
  failed at path /securityContext/allowPrivilegeEscalation/'
```
He was able to fix it by adding the following to the ztunnel policy exception:
```
exceptions:
  - policyName: disallow-privilege-escalation
    ruleNames:
      - disallow-privilege-escalation
      - autogen-disallow-privilege-escalation   # <--- New
match:
  any:
    - resources:
        kinds:
          - Pod
          - DaemonSet                            # <--- New
        names:
          - ztunnel                              # <--- New
          - ztunnel-*
        namespaces:
          - istio-system
```
The discrepancy arises because our test environments configure a [number of test exclusions](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/tests/test-values.yaml#L317-334) on the policies, which results in no autogen rules being generated for `disallow-privilege-escalation`.
You can see mention of this [here](https://kyverno.io/docs/policy-types/cluster-policy/autogen/) - "Kyverno skips generating Pod controller rules whenever the following resources fields/objects are specified in a match or exclude block as these filters may not be applicable to Pod controllers"
We need to update the policy exceptions so that they account for the autogen rules. We should also consider removing the test exclusions, since they produce behavior that differs from what a typical user would experience.
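As an added example (not part of this issue or of Big Bang), a small check for this class of gap: given a PolicyException spec as a parsed dict, it reports exempted rules whose autogen variant is missing for each Pod-controller kind the exception matches, exceptions that match only Pods, and autogen names listed without any controller kind. The rule-name scheme (`autogen-<rule>`, `autogen-cronjob-<rule>`) is Kyverno's; the before/after specs are constructed from this issue.

```python
# Added check, not part of this issue or of Big Bang: does a PolicyException
# also cover the rules Kyverno auto-generates for Pod controllers?
# Kyverno names generated rules "autogen-<rule>" for Deployment, DaemonSet,
# StatefulSet, ReplicaSet, ReplicationController and Job, and
# "autogen-cronjob-<rule>" for CronJob, whose Pod template is nested deeper.
POD_CONTROLLERS = {"DaemonSet", "Deployment", "StatefulSet", "ReplicaSet",
                   "ReplicationController", "Job", "CronJob"}

def autogen_rule_name(rule: str, kind: str) -> str:
    return f"autogen-cronjob-{rule}" if kind == "CronJob" else f"autogen-{rule}"

def matched_kinds(spec: dict) -> set:
    """Every resource kind selected by the exception's match block (any/all)."""
    match = spec.get("match", {})
    kinds = set()
    for block in match.get("any", []) + match.get("all", []):
        kinds.update(block.get("resources", {}).get("kinds", []))
    return kinds

def exception_gaps(spec: dict) -> list:
    """Findings as strings; an empty list means the exception is consistent."""
    findings, kinds = [], matched_kinds(spec)
    controllers = sorted(kinds & POD_CONTROLLERS)
    for exc in spec.get("exceptions", []):
        policy, names = exc["policyName"], set(exc.get("ruleNames", []))
        for rule in sorted(n for n in names if not n.startswith("autogen-")):
            if "Pod" in kinds and not controllers:
                findings.append(f"{policy}/{rule}: matches Pods only; the controller "
                                f"creating them is still blocked by autogen-{rule}")
            for kind in controllers:  # each matched controller needs its variant
                want = autogen_rule_name(rule, kind)
                if want not in names:
                    findings.append(f"{policy}/{rule}: add {want} for kind {kind}")
        if not controllers:  # autogen names listed without any controller kind
            for name in sorted(n for n in names if n.startswith("autogen-")):
                findings.append(f"{policy}/{name}: no Pod-controller kind matched")
    return findings

# Constructed from the before/after exception spec in this issue.
BEFORE = {"exceptions": [{"policyName": "disallow-privilege-escalation",
                          "ruleNames": ["disallow-privilege-escalation"]}],
          "match": {"any": [{"resources": {"kinds": ["Pod"], "names": ["ztunnel-*"],
                                           "namespaces": ["istio-system"]}}]}}
AFTER = {"exceptions": [{"policyName": "disallow-privilege-escalation",
                         "ruleNames": ["disallow-privilege-escalation",
                                       "autogen-disallow-privilege-escalation"]}],
         "match": {"any": [{"resources": {"kinds": ["Pod", "DaemonSet"],
                                          "names": ["ztunnel", "ztunnel-*"],
                                          "namespaces": ["istio-system"]}}]}}
```

`exception_gaps(BEFORE)` yields one finding naming `autogen-disallow-privilege-escalation`, while `exception_gaps(AFTER)` returns an empty list.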