security: Drop capabilities and enable seccomp

Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile and dropping all linux capabilities.
This was set at container-level to ensure backwards compatibility with
use cases in which sidecars are injected into the source-controller pod
without setting less restrictive settings.

BREAKING CHANGE: The use of new seccomp API requires Kubernetes 1.19.

Co-authored-by: Sanskar Jaiswal <[email protected]>
Signed-off-by: Paulo Gomes <[email protected]>

Author: Paulo Gomes

Dockerfile

@@ -91,8 +91,8 @@ FROM debian:bookworm-slim as controller
 LABEL org.opencontainers.image.source="https://github.com/fluxcd/source-controller"
 
 # Configure user
-RUN groupadd controller && \
-    useradd --gid controller --shell /bin/sh --create-home controller
+RUN addgroup --gid 65532 controller && \
+	useradd -u 65532 -s /sbin/nologin -g controller controller
 
 ARG TARGETPLATFORM
 RUN apt update && apt install -y ca-certificates

config/manager/deployment.yaml

@@ -20,9 +20,9 @@ spec:
         prometheus.io/port: "8080"
     spec:
       terminationGracePeriodSeconds: 10
-      # Required for AWS IAM Role bindings
-      # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
       securityContext:
+        # Required for AWS IAM Role bindings
+        # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
         fsGroup: 1337
       containers:
       - name: manager
@@ -31,6 +31,10 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
+          capabilities:
+            drop: [ "ALL" ]
+          seccompProfile:
+            type: RuntimeDefault
         ports:
           - containerPort: 9090
             name: http