add explicit securityContexts to the controller

chrischdi · chrischdi · commit 58a63b66a71c · 2023-04-05T19:03:32.000+02:00
This does not really change the configuration, it just makes it explicit and enforce
the defaults, except for the seccompPolicy which changes from Unconfined to RuntimeDefault.
Syscalls filtered by RuntimeDefault policy are 95% namespaced and require capabilities
(which we drop) in the first place, so no practical change there either.

This allows to be compatible to the restricted pod security admission profile.
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -37,6 +37,17 @@ spec:
           httpGet:
             path: /healthz
             port: healthz
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsUser: 65532
+          runAsGroup: 65532
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       terminationGracePeriodSeconds: 10
       tolerations:
         - effect: NoSchedule
