(dev-v2.6-archive) drop all capabilities except CHOWN for the init container named init-chown-data

(partially cherry picked from commit a4d91ecd3e)

packages/rancher-grafana/generated-changes/patch/templates/podsecuritypolicy.yaml.patch

@@ -1,6 +1,6 @@
 --- charts-original/templates/podsecuritypolicy.yaml
 +++ charts/templates/podsecuritypolicy.yaml
-@@ -5,13 +5,9 @@
+@@ -5,19 +5,27 @@
    name: {{ template "grafana.fullname" . }}
    labels:
      {{- include "grafana.labels" . | nindent 4 }}
@@ -17,3 +17,23 @@
  spec:
    privileged: false
    allowPrivilegeEscalation: false
+   requiredDropCapabilities:
+-    # Default set from Docker, with DAC_OVERRIDE and CHOWN
+-      - ALL
++    # The list comes from K8s' pod security standards, with only CHOWN left
++    # ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/
++    - AUDIT_WRITE
++    - DAC_OVERRIDE
++    - FOWNER
++    - FSETID
++    - KILL
++    - MKNOD
++    - NET_BIND_SERVICE
++    - SETFCAP
++    - SETGID
++    - SETPCAP
++    - SETUID
++    - SYS_CHROOT
+   volumes:
+     - 'configMap'
+     - 'emptyDir'

packages/rancher-webhook/package.yaml

@@ -1,2 +1,2 @@
-url: https://github.com/rancher/webhook/releases/download/v0.2.2/rancher-webhook-0.2.2.tgz
+url: https://github.com/rancher/webhook/releases/download/v0.2.2-rc2/rancher-webhook-0.2.2-rc2.tgz
 version: 1.0.2