OADP-5275 init plugin containers to have read only fs (#1752)

This adds ReadOnlyRootFilesystem to the init containers (plugins)

Also additional security context flags are applied to ensure
the init containers are using:
 - Privileged: false
 - AllowPrivilegeEscalation: false
 - ReadOnlyRootFilesystem: true

Signed-off-by: Michal Pryc <[email protected]>

Author: mpryc

internal/controller/velero.go

@@ -464,6 +464,11 @@ func (r *DataProtectionApplicationReconciler) appendPluginSpecificSpecs(veleroDe
 							Name:      "plugins",
 						},
 					},
+					SecurityContext: &corev1.SecurityContext{
+						ReadOnlyRootFilesystem:   ptr.To(true),
+						Privileged:               ptr.To(false),
+						AllowPrivilegeEscalation: ptr.To(false),
+					},
 				})
 
 			pluginNeedsCheck := providerNeedsDefaultCreds[pluginSpecificMap.ProviderName]
@@ -529,6 +534,11 @@ func (r *DataProtectionApplicationReconciler) appendPluginSpecificSpecs(veleroDe
 							Name:      "plugins",
 						},
 					},
+					SecurityContext: &corev1.SecurityContext{
+						ReadOnlyRootFilesystem:   ptr.To(true),
+						Privileged:               ptr.To(false),
+						AllowPrivilegeEscalation: ptr.To(false),
+					},
 				})
 		}
 	}

internal/controller/velero_test.go

@@ -323,6 +323,11 @@ var _ = ginkgo.Describe("Test ReconcileVeleroDeployment function", func() {
 
 func pluginContainer(name, image string) corev1.Container {
 	container := baseContainer
+	container.SecurityContext = &corev1.SecurityContext{
+		ReadOnlyRootFilesystem:   ptr.To(true),
+		Privileged:               ptr.To(false),
+		AllowPrivilegeEscalation: ptr.To(false),
+	}
 	container.Name = name
 	container.Image = image
 	return container