Description
Describe the enhancement:
Add chart values to override the container securityContext for the Elastic Agent (separately per preset). This should allow operators to configure runAsNonRoot, runAsUser, allowPrivilegeEscalation, seccompProfile, and capability drops without post-render patches.
Describe a specific use case for the enhancement or feature:
Many clusters enforce least-privilege settings (e.g., Kubernetes Pod Security Standards). The current chart renders defaults that may not align with those constraints. Operators need a supported way to set container-level security controls such as dropping all capabilities and running as a non-root UID directly via values.yaml, avoiding custom patching or forks.
What is the definition of done?
values.yaml supports, for each preset (e.g., clusterWide, perNode), a block like:
```yaml
agent:
  presets:
    clusterWide:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        allowPrivilegeEscalation: false
        seccompProfile: { type: RuntimeDefault }
        capabilities: { drop: ["ALL"] }
```
- Rendered Deployment/DaemonSet container spec applies these fields exactly (no implicit capabilities.add when capabilities.drop is provided).
- README documents the available securityContext fields with examples for least-privilege operation.
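
An acceptance check for the definition of done above, as an added example that is not part of the original issue or the chart's own code: it takes a rendered Deployment/DaemonSet as a parsed dict (for instance, rendered output converted to JSON) and reports every container whose securityContext differs from the requested values or carries a `capabilities.add`. The manifests, workload names and the `CHOWN` capability are constructed sample input, and the helper names are hypothetical.

```python
import json

# Expected container securityContext, copied from the values block in the issue.
EXPECTED = {
    "runAsNonRoot": True,
    "runAsUser": 1000,
    "allowPrivilegeEscalation": False,
    "seccompProfile": {"type": "RuntimeDefault"},
    "capabilities": {"drop": ["ALL"]},
}

def check_manifest(manifest, expected=EXPECTED):
    """Return findings for one Deployment/DaemonSet; an empty list means it matches."""
    findings = []
    owner = f'{manifest["kind"]}/{manifest["metadata"]["name"]}'
    for c in manifest["spec"]["template"]["spec"].get("containers", []):
        sc = c.get("securityContext") or {}
        where = f'{owner} container {c["name"]}'
        for key, want in expected.items():
            if key != "capabilities" and sc.get(key) != want:
                findings.append(f"{where}: {key} is {sc.get(key)!r}, want {want!r}")
        caps = sc.get("capabilities") or {}
        if caps.get("drop") != expected["capabilities"]["drop"]:
            findings.append(f"{where}: capabilities.drop is {caps.get('drop')!r}")
        if caps.get("add"):  # the issue requires no implicit add alongside drop
            findings.append(f"{where}: unexpected capabilities.add {caps['add']!r}")
    return findings

def make_workload(kind, name, security_context):
    """Build a minimal constructed manifest for the demo below (hypothetical helper)."""
    return {"kind": kind, "metadata": {"name": name}, "spec": {"template": {"spec": {
        "containers": [{"name": "agent", "securityContext": security_context}]}}}}

# Constructed sample input (not real chart output): one compliant render, and one
# that keeps UID 0 and adds a capability next to the requested drop.
GOOD = make_workload("Deployment", "agent-clusterwide-example", json.loads(json.dumps(EXPECTED)))
BAD = make_workload("DaemonSet", "agent-pernode-example", {
    "runAsUser": 0,
    "allowPrivilegeEscalation": False,
    "seccompProfile": {"type": "RuntimeDefault"},
    "capabilities": {"drop": ["ALL"], "add": ["CHOWN"]},
})

if __name__ == "__main__":
    for m in (GOOD, BAD):
        for line in check_manifest(m) or [f'{m["kind"]}/{m["metadata"]["name"]}: ok']:
            print(line)
```

The check covers `containers` only; init containers would need the same loop over `initContainers`.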