PaloAltoNetworks · jfmontufar · Oct 1, 2025 · Oct 1, 2025 · Oct 1, 2025 · Oct 10, 2025
diff --git a/charts/konnector/Chart.yaml b/charts/konnector/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: konnector
 description: Deploys Palo Alto Networks' Cortex KSPM connector for advanced Kubernetes security posture management.
 type: application
-version: 1.0.20
+version: 1.0.21
 appVersion: "1.0.0"
 maintainers:
   - name: Palo Alto Networks - Cortex KSPM team

diff --git a/charts/konnector/templates/batch.yaml b/charts/konnector/templates/batch.yaml
@@ -36,9 +36,12 @@ spec:
     spec:
       serviceAccountName: {{ .Values.system.serviceAccount.name }}
       restartPolicy: "Never"
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: helm-uninstall
-          image: alpine/helm:3.17.2
+          image: "{{ .Values.deleteJob.image.repository }}/{{ .Values.deleteJob.image.name }}{{- if .Values.deleteJob.image.tag }}:{{ .Values.deleteJob.image.tag }}{{- end }}{{- if .Values.deleteJob.image.digest }}@{{ .Values.deleteJob.image.digest }}{{- end }}"
           command: ["/bin/sh", "-c"]
           args:
             - |
@@ -56,6 +59,19 @@ spec:
                   echo -e "\033[33m{{ .Values.system.K8sManager.ReleaseName }} not found, skipping uninstall.\033[0m";
                   exit 0
                 fi
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+      {{- if .Values.deleteJob.secret.reuse }}
+      imagePullSecrets:
+      - name: {{ .Values.system.secrets.dockerSecret.name }}
+      {{- else if .Values.deleteJob.secret.name }}
+      imagePullSecrets:
+      - name: {{ .Values.deleteJob.secret.name }}
+      {{- end }}
      {{- with .Values.system.apps.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/konnector/templates/secret.yaml b/charts/konnector/templates/secret.yaml
@@ -12,6 +12,20 @@ stringData:
   sosToken: "--set-by-konnnector-at-runtime--"
   chapi: "--set-by-konnnector-at-runtime--"
 ---
+{{- if .Values.deleteJob.secret.create }}
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+  name: {{ .Values.deleteJob.secret.name }}
+  namespace: {{ .Values.namespace.name }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+data:
+  .dockerconfigjson: {{ .Values.deleteJob.secret.dockerPullSecret | default ( "{}" | b64enc ) }}
+{{- end }}
+---
+{{- if .Values.createPullSecret }}
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/dockerconfigjson
@@ -22,7 +36,9 @@ metadata:
     {{- include "common.labels" . | nindent 4 }}
 data:
   .dockerconfigjson: {{ .Values.dockerPullSecret | default ( "{}" | b64enc ) }}
+{{- end }}
 ---
+{{- if .Values.distribution.createSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -33,6 +49,7 @@ metadata:
 type: Opaque
 stringData:
   distribution-id: {{ .Values.distribution.id | required "The distribution.id value is required!" | quote }}
+{{- end }}
 ---
 apiVersion: v1
 kind: Secret

diff --git a/charts/konnector/values.yaml b/charts/konnector/values.yaml
@@ -19,10 +19,12 @@ namespace:
   name: pan  # Kubernetes namespace where resources will be deployed
 
 dockerPullSecret: ""  # Secret for pulling images from a private registry
+createPullSecret: true  # Create secret to pull images. Set to false if the secret is being created from external source
 
 distribution:
   id: "default-distribution-id"  # Retrieve distribution ID from Palo Alto Networks systems during installation
   url: "https://distributions.traps.paloaltonetworks.com"  # Retrieve distribution URL from Palo Alto Networks systems during installation
+  createSecret: true  # Create the secret corresponding to the distribuition id. Set to false if the secret is being created from external source
 
 optionalValues:
   CLUSTER_URI: ""    # Cluster URI should be set when metadata service is not reachable from the cluster
@@ -32,6 +34,19 @@ optionalValues:
 proxyValues:
   httpProxy: ""  # Optional proxy URL for external network access
   noProxy: "kubernetes,kubernetes.default.svc,.svc,.cluster.local"  # List of addresses/domains that should bypass the proxy
+
+deleteJob:  # These values correspond to a Job used for deleting resources
+  image:
+    repository: "docker.io"  # Repository where the image of is stored
+    name: "alpine/helm"  # Name of the image to be used
+    tag: "3.17.2"  # Tag for the image
+    digest: ""  # Image digest (optional)
+  secret:
+    reuse: false  # Reuse the pull secret from the KSPM Connector
+    create: false  # Create Secret to pull the deleteJob image. Set to true if not being exported from external vault
+    dockerPullSecret: ""  # Value of the pull secret if create is set to true and reuse to false
+    name: ""  # Name of the secret to  pull the deleteJob
+
 # ==========================
 # ### System Section ###
 # ==========================