Currently I am not able to run projectsveltos in a namespace that has pod-security.kubernetes.io/enforce: restricted enabled. The main reason for that is that:
- podSecurityProfiles are lacking a SeccompProfile (not a bug, but could be default)
- Configurable SecurityProfile of initContainers / Jobs is not implemented in the chart
Sample error messages:
113s Warning FailedCreate replicaset/addon-controller-7d86947f96 Error creating: pods "addon-controller-7d86947f96-n5s7c" is forbidden: violates PodSecurity "restricted:v1.34": allowPrivilegeEscalation != false (container "initialization" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "initialization" must set securityContext.capabilities.drop=["ALL"])
51s Warning FailedCreate job/register-mgmt-cluster-job Error creating: pods "register-mgmt-cluster-job-vrxkq" is forbidden: violates PodSecurity "restricted:v1.34": runAsNonRoot != true (pod or container "register-mgmt-cluster" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "register-mgmt-cluster" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
If there are no technical objections (e.g. the init jobs MUST run without dropped capabilities or hostPath volumes), it would be easy to implement this and improve the overall security of the deployment.
I am also willing to help with the implementation if valuable.
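As an added example (not projectsveltos or chart code), a small Python checker that mirrors the four restricted-profile checks the two error messages above cite, applied to init containers and regular containers alike; the two pod specs it checks are constructed for illustration and the image names are placeholders.

```python
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
RESTRICTED_SC = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}


def restricted_violations(pod_spec: dict) -> list[str]:
    """Return restricted-profile violations for a pod spec, covering the four
    checks quoted in the issue (a subset of the full restricted policy).
    Init containers are checked exactly like regular containers; runAsNonRoot
    and seccompProfile may be inherited from the pod-level securityContext."""
    pod_sc = pod_spec.get("securityContext", {})
    violations = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        # allowPrivilegeEscalation and capabilities are container-only fields.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f'allowPrivilegeEscalation != false (container "{name}")')
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append(f'unrestricted capabilities (container "{name}")')
        # A container-level value overrides the pod-level one when both are set.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f'runAsNonRoot != true (pod or container "{name}")')
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            violations.append(f'seccompProfile (pod or container "{name}")')
    return violations


# Constructed sample: the init container carries no securityContext, which is
# the shape behind the addon-controller error quoted in the issue.
FAILING_SPEC = {
    "initContainers": [{"name": "initialization", "image": "busybox"}],
    "containers": [{"name": "manager", "image": "example/manager",
                    "securityContext": {**RESTRICTED_SC, "runAsNonRoot": True,
                                        "seccompProfile": {"type": "RuntimeDefault"}}}],
}

# Constructed sample: pod-level runAsNonRoot and seccompProfile are inherited by
# every container; the two container-only fields are set on each container.
HARDENED_SPEC = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [{"name": "initialization", "image": "busybox",
                        "securityContext": RESTRICTED_SC}],
    "containers": [{"name": "manager", "image": "example/manager",
                    "securityContext": RESTRICTED_SC}],
}

if __name__ == "__main__":
    print(restricted_violations(FAILING_SPEC))
    print(restricted_violations(HARDENED_SPEC) or "hardened spec: ok")
```

Running it against a rendered chart (`helm template ... | yq`) before enabling `pod-security.kubernetes.io/enforce: restricted` shows which Job and init-container templates still need the fields.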