From 9d5ea4a76f948537ed425107a236c416502879c4 Mon Sep 17 00:00:00 2001
From: Maksim An
Date: Thu, 21 May 2026 17:37:27 -0700
Subject: [PATCH] [tooling]: add SIGKILL and SIGTERM to pause container signals

Security policy tool wasn't updated to include SIGKILL and SIGTERM for pause container after the change to enforcement has been made in the policy framework. This PR addresses that gap.

Signed-off-by: Maksim An
---
 internal/tools/securitypolicy/helpers/helpers.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/internal/tools/securitypolicy/helpers/helpers.go b/internal/tools/securitypolicy/helpers/helpers.go
index 7c84f7dcd7..99f90b8ac4 100644
--- a/internal/tools/securitypolicy/helpers/helpers.go
+++ b/internal/tools/securitypolicy/helpers/helpers.go
@@ -7,6 +7,7 @@ import (
 "os"
 "strconv"
 "strings"
+ "syscall"

 "github.com/google/go-containerregistry/pkg/authn"
 "github.com/google/go-containerregistry/pkg/name"
@@ -74,6 +75,10 @@ func DefaultContainerConfigs() []sp.ContainerConfig {
 ImageName: "k8s.gcr.io/pause:3.1",
 Command: []string{"/pause"},
 AllowElevated: true,
+ Signals: []syscall.Signal{
+ syscall.SIGKILL,
+ syscall.SIGTERM,
+ },
 }
 return []sp.ContainerConfig{pause}
 }
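Review bot: The new `Signals` field on the pause container in `DefaultContainerConfigs` has no comment saying why exactly these two signals are allowed, and the commit message shows this list has already drifted from the framework's enforcement once. I would add a comment above the field, such as `// Signals the host may send to the pause container; keep in sync with the policy framework's pause defaults.`, so the next enforcement change updates both places. A unit test asserting that the default pause config carries exactly `syscall.SIGKILL` and `syscall.SIGTERM` would keep the allow-list from being widened unnoticed; no test is visible in this patch. Because the default config feeds the generated policy, its digest presumably changes with this commit, so the description should say that policies need regenerating wherever that digest is pinned.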