Review k8s pod-security-standards to match library

[nissessenap]

Took an initial look at the list https://kubernetes.io/docs/concepts/security/pod-security-standards/ and in general it looks very good.

I think we have missed to configure anything around restricting seccompProfile, seLinux and sysctls options.

[brsolomon-deloitte]

Error creating: pods "wait-for-crds-chg4r" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "wait-for-crds" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "wait-for-crds" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "wait-for-crds" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "wait-for-crds" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Related error when deploying this chart version v0.23.1 against EKS 1.26 on the Job/wait-for-crds resource.

[brsolomon-deloitte]

@nissessenap you can find a related PR here:

sighupio/gatekeeper-policy-manager#545

The issue here is that this chart's Job/wait-for-crds will fail if there is a Restricted PSS and there is no way to configure it otherwise using values.yaml.

[nissessenap]

Yeah i used it on a new cluster a few days ago and got the same issue. I don't work at Xenit any more but I'm sure they would be very happy to get a PR @brsolomon-deloitte if you have the possibility

[simongottschlag]

We are always happy to receive PRs! 😊🖖

Otherwise we'll take it as it comes up for ourselves in the process of validating the new versions. 👍