From 0458d33698368e4b86f4dec9ca9124928d61c611 Mon Sep 17 00:00:00 2001
From: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Sun, 11 Jan 2026 01:37:43 +0800
Subject: [PATCH] Test: when hardening test needs enabled csr approve

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
---
 tests/files/ubuntu24-calico-all-in-one-hardening.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tests/files/ubuntu24-calico-all-in-one-hardening.yml b/tests/files/ubuntu24-calico-all-in-one-hardening.yml
index 024f320d3..7a6a63f50 100644
--- a/tests/files/ubuntu24-calico-all-in-one-hardening.yml
+++ b/tests/files/ubuntu24-calico-all-in-one-hardening.yml
@@ -75,7 +75,10 @@ etcd_deployment_type: kubeadm
 kubelet_authentication_token_webhook: true
 kube_read_only_port: 0
 kubelet_rotate_server_certificates: true
-kubelet_csr_approver_enabled: false
+kubelet_csr_approver_enabled: true # For hydrophone
+kubelet_csr_approver_values:
+  # Do not check DNS resolution in testing (not recommended in production)
+  bypassDnsResolution: true
 kubelet_protect_kernel_defaults: true
 kubelet_event_record_qps: 1
 kubelet_rotate_certificates: true