)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"93146f464b54c71dc7cfc04caeccc04e6b8cc743","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"a791bb39_aeb65aba","updated":"2026-04-23 14:02:44.000000000","message":"I think we set the \"other\" bit to 0 always. I\u0027m not really sure there\u0027s value in making this configurable because it\u0027ll just add complexity when we should lock things down by default.","commit_id":"21236b7e5bad7403944f8daf16c40ecb1bfee59f"},{"author":{"_account_id":36716,"name":"Kyuyeong Lee","display_name":"Kyuyeong Lee","email":"kyu0.lee@samsung.com","username":"kyu0"},"change_message_id":"51e2831c90a467c29f09b2e97ad0819a33ed0d11","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"3ca08787_f6d8ac34","updated":"2026-04-23 04:42:43.000000000","message":"recheck openstack-helm-octavia-2026-1-ubuntu_noble","commit_id":"21236b7e5bad7403944f8daf16c40ecb1bfee59f"},{"author":{"_account_id":36716,"name":"Kyuyeong Lee","display_name":"Kyuyeong Lee","email":"kyu0.lee@samsung.com","username":"kyu0"},"change_message_id":"9bcd65d155ce0b3b6a304886a8ae078ccf072761","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"d52bb153_ba57df9a","in_reply_to":"5d78cc0d_a99e7edf","updated":"2026-04-27 10:01:54.000000000","message":"Thanks for the clarification. I\u0027ve updated the change to follow the PTG decision - using stricter hardcoded defaults instead of making this configurable.","commit_id":"21236b7e5bad7403944f8daf16c40ecb1bfee59f"},{"author":{"_account_id":7156,"name":"Mathieu Gagné","email":"mgagne@calavera.ca","username":"mgagne"},"change_message_id":"2a81b1f4b2bed07677230e7d9f32bc30fe2caf2a","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"5d78cc0d_a99e7edf","in_reply_to":"71ba7c76_2ff36fa1","updated":"2026-04-24 13:53:21.000000000","message":"This topic was discussed during the PTG and we agreed that 1) is the preferred approach.","commit_id":"21236b7e5bad7403944f8daf16c40ecb1bfee59f"},{"author":{"_account_id":36716,"name":"Kyuyeong Lee","display_name":"Kyuyeong Lee","email":"kyu0.lee@samsung.com","username":"kyu0"},"change_message_id":"7452ccd44bad8175fd464cffaefc769e609b4289","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"71ba7c76_2ff36fa1","in_reply_to":"a791bb39_aeb65aba","updated":"2026-04-24 05:51:43.000000000","message":"Could you help me understand the recommended approach? The CIS Benchmark requires specific permission settings (e.g., 640 for secrets) that differ from our current defaults. Should we:\n\n1. Hardcode stricter permissions by default (e.g., 0640 for secrets, 0644 for configmaps)?\n2. Keep current defaults but provide a way to override for security compliance?\n3. Use a different approach to meet CIS requirements?\n\nWhat would be the preferred solution here?","commit_id":"21236b7e5bad7403944f8daf16c40ecb1bfee59f"},{"author":{"_account_id":36716,"name":"Kyuyeong Lee","display_name":"Kyuyeong Lee","email":"kyu0.lee@samsung.com","username":"kyu0"},"change_message_id":"76f0c4e0e2255c272d4cf9a141054a5184b83036","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"0a9a02dc_797a434c","updated":"2026-04-30 06:00:36.000000000","message":"recheck openstack-helm-compute-kit-2025-1-ubuntu_noble","commit_id":"99aab00b83132d926fa17cbdf76d1039f5e04a6e"},{"author":{"_account_id":36716,"name":"Kyuyeong Lee","display_name":"Kyuyeong Lee","email":"kyu0.lee@samsung.com","username":"kyu0"},"change_message_id":"3436ab30cf418eaa8af939b8406dd3c6f4610131","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"589d86f4_24743880","updated":"2026-05-04 08:44:04.000000000","message":"recheck openstack-helm-compute-kit-2025-1-ubuntu_noble","commit_id":"99aab00b83132d926fa17cbdf76d1039f5e04a6e"},{"author":{"_account_id":36716,"name":"Kyuyeong Lee","display_name":"Kyuyeong Lee","email":"kyu0.lee@samsung.com","username":"kyu0"},"change_message_id":"16494ca8151eaac3f28dbbc1e8a7f219caaa7f9c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"7bc7c4b1_c36f5d06","updated":"2026-04-28 01:14:10.000000000","message":"recheck openstack-helm-compute-kit-2025-1-ubuntu_noble","commit_id":"99aab00b83132d926fa17cbdf76d1039f5e04a6e"},{"author":{"_account_id":36716,"name":"Kyuyeong Lee","display_name":"Kyuyeong Lee","email":"kyu0.lee@samsung.com","username":"kyu0"},"change_message_id":"975bf9a525694a31033176707f301c1bfddf667b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"e6f8e353_ea1486ea","updated":"2026-04-30 04:42:40.000000000","message":"recheck openstack-helm-compute-kit-2025-1-ubuntu_noble","commit_id":"99aab00b83132d926fa17cbdf76d1039f5e04a6e"}],"neutron/values.yaml":[{"author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"change_message_id":"3e1d00b4e0a0383a095823595dbad18f77493a48","unresolved":true,"context_lines":[{"line_number":693,"context_line":"    # Default mode for secrets (decimal, e.g., 416 \u003d 0640, 292 \u003d 0444)"},{"line_number":694,"context_line":"    # This allows operators to meet security compliance requirements"},{"line_number":695,"context_line":"    # for file permissions (e.g., CIS Kubernetes Benchmark)"},{"line_number":696,"context_line":"    defaultMode: 292  # 0444 (r--r--r--)"},{"line_number":697,"context_line":"  configmaps:"},{"line_number":698,"context_line":"    # Default mode for configmaps (decimal, e.g., 420 \u003d 0644, 365 \u003d 0555)"},{"line_number":699,"context_line":"    # This allows operators to meet security compliance requirements"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"d138e35f_5eeb37de","line":696,"updated":"2026-04-22 21:24:15.000000000","message":"This contradicts with the common pattern of managing pod parameters per service.","commit_id":"eae3925d39f3d6e455912d4d1cf70887950ea75b"},{"author":{"_account_id":36716,"name":"Kyuyeong Lee","display_name":"Kyuyeong Lee","email":"kyu0.lee@samsung.com","username":"kyu0"},"change_message_id":"8e0eaef3d753a80cd62a700ee62e0fb237ad12db","unresolved":false,"context_lines":[{"line_number":693,"context_line":"    # Default mode for secrets (decimal, e.g., 416 \u003d 0640, 292 \u003d 0444)"},{"line_number":694,"context_line":"    # This allows operators to meet security compliance requirements"},{"line_number":695,"context_line":"    # for file permissions (e.g., CIS Kubernetes Benchmark)"},{"line_number":696,"context_line":"    defaultMode: 292  # 0444 (r--r--r--)"},{"line_number":697,"context_line":"  configmaps:"},{"line_number":698,"context_line":"    # Default mode for configmaps (decimal, e.g., 420 \u003d 0644, 365 \u003d 0555)"},{"line_number":699,"context_line":"    # This allows operators to meet security compliance requirements"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"6d49c03f_a82d6495","line":696,"in_reply_to":"d138e35f_5eeb37de","updated":"2026-04-23 02:29:17.000000000","message":"Thank you for the feedback.\nI\u0027ve updated the patch to follow the upstream pattern of managing pod parameters per service.\n\nI also have removed redundant comments that were duplicating information already clear from the context.","commit_id":"eae3925d39f3d6e455912d4d1cf70887950ea75b"}]}