Add readOnlyRootFilesystem, dropCapabilities, runAsNonRoot to Container securityContext

Summary

Hi! It is best practice to give Kubernetes workloads as few privileges and rights as possible. So far this chart only includes runAsUser and fsGroup: 1000 for the container security context. To make the deployment more secure, readOnlyRootFilesystem: true, capabilities: drop: ["ALL"], and runAsNonRoot: true should be added.

Current behavior

So far this chart only includes runAsUser and fsGroup: 1000 for the container security context. To make the deployment more secure, readOnlyRootFilesystem: true, capabilities: drop: ["ALL"], and runAsNonRoot: true should be added. I will create an MR to add this.

Expected behavior

We can then set the values in values.yaml. Example:

securityContext:
  capabilities:
    drop:
    - ALL
  runAsNonRoot: true
  readOnlyRootFilesystem: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault

Versions

  • Chart: (6.7.2)
  • Platform:
    • Self-hosted: (Kubernetes)
  • Kubernetes: (kubectl version)
    • Client: NA
    • Server: 1.23.15
  • Helm: (helm version)
    • Client: NA
    • Server: 3.6.3

Relevant logs

example:

policy restrict-seccomp/autogen-restrict-seccomp fail: validation error: Use of custom Seccomp profiles is disallowed. The fields spec.securityContext.seccompProfile.type, spec.containers[].securityContext.seccompProfile.type, and spec.initContainers[].securityContext.seccompProfile.type must be set to RuntimeDefault or Localhost. rule autogen-restrict-seccomp[0] failed at path /spec/template/spec/securityContext/seccompProfile/ rule autogen-restrict-seccomp[1] failed at path /spec/template/spec/containers/0/securityContext/seccompProfile/
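
The following is an added example, not part of the original issue or the chart's code. It audits a Deployment-shaped object for the container settings requested above and reports findings at paths in the same style as the policy log. The function name and both sample workloads are constructed for illustration; the first sample assumes a chart that sets only runAsUser and fsGroup.

```python
# Hardened container settings taken from the issue's example values.
REQUIRED = {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False}
# Values the policy message in the log accepts for seccompProfile.type.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def audit_workload(workload):
    """Return (path, problem) findings for every container in the pod template."""
    pod = workload["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    findings = []
    for kind in ("initContainers", "containers"):
        for i, ctr in enumerate(pod.get(kind) or []):
            sc = ctr.get("securityContext") or {}
            base = f"/spec/template/spec/{kind}/{i}/securityContext"
            for field, want in REQUIRED.items():
                got = sc.get(field)
                # runAsNonRoot is the only one of these fields that also exists
                # at pod level; the container value wins when both are set.
                if got is None and field == "runAsNonRoot":
                    got = pod_sc.get(field)
                if got is not want:
                    findings.append((f"{base}/{field}", f"want {want}, got {got}"))
            if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
                findings.append((f"{base}/capabilities/drop", "ALL is not dropped"))
            # seccompProfile is inherited from the pod unless the container sets it.
            profile = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
            if profile.get("type") not in ALLOWED_SECCOMP:
                findings.append((f"{base}/seccompProfile/type",
                                 f"got {profile.get('type')}"))
    return findings

def _workload(pod_sc, ctr_sc):
    # Constructed helper: wraps security contexts in a minimal pod template.
    return {"spec": {"template": {"spec": {
        "securityContext": pod_sc,
        "containers": [{"name": "app", "securityContext": ctr_sc}]}}}}

# Constructed sample: only runAsUser and fsGroup are set.
CURRENT = _workload({"runAsUser": 1000, "fsGroup": 1000}, {})
# Constructed sample: the values from the issue's example block.
HARDENED = _workload({"fsGroup": 1000}, {
    "capabilities": {"drop": ["ALL"]}, "runAsNonRoot": True,
    "readOnlyRootFilesystem": True, "runAsUser": 1000,
    "allowPrivilegeEscalation": False,
    "seccompProfile": {"type": "RuntimeDefault"}})

if __name__ == "__main__":
    for path, problem in audit_workload(CURRENT):
        print(f"{path}: {problem}")
```

The same function can be run over the parsed output of `kubectl get deployment <name> -o json` to check a live release.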