k8s 1.34 baseline PodSecurity cannot use host field in lifecycle handlers

[ImDevinC]

Running on k8s 1.34, if you set a PodSecurity level of restricted or baseline, the host field is not allowed to be set in lifecycle handlers. The operator injects the following:

lifecycle:
  preStop:
    httpGet:
      host: localhost  # Violates baseline AND restricted PSA
      path: /quitquitquit
      port: 9091

There is no way to override this without overriding the entire container object, so this ends up leading to the operator not being able to start the pods up.

https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.34.md#bug-or-regression-6

The baseline and restricted pod security admission levels now block setting the host field on probe and lifecycle handlers (kubernetes/kubernetes#125271, @tssurya) [SIG Auth, Node and Testing]

[ImDevinC]

We were able to work around this with a kyverno policy, but ideally this would be fixed upstream

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: remove-cloudsql-proxy-prestop-host
  annotations:
    policies.kyverno.io/title: Remove Cloud SQL Proxy preStop Host
    policies.kyverno.io/description: >-
      Kubernetes 1.34 introduced KEP #4940 which restricts the 'host' field in
      probes under the Baseline PodSecurity profile. The Cloud SQL Auth Proxy
      operator v1.7.x injects sidecar initContainers with probes using
      'host: localhost' which violates this policy. This mutating policy sets the
      host field to empty string (allowed by baseline) for Cloud SQL proxy
      sidecar containers (named csql-*). Autogen is disabled because the
      sidecar is only injected at Pod creation time by the operator webhook.
spec:
  rules:
    - name: remove-prestop-host
      match:
        any:
          - resources:
              kinds:
                - Pod
              selector:
                matchLabels:
                  app: keycloak
                  app.kubernetes.io/managed-by: keycloak-operator
      mutate:
        patchStrategicMerge:
          spec:
            initContainers:
              - (name): "csql-*"
                lifecycle:
                  preStop:
                    httpGet:
                      host: ""