pega-helm-charts
Need the possibility to set a securityContext for both pod and container for all deployments (pega, srs, clustering-service, etc.)
Is your feature request related to a problem? Please describe.
Many clients require that the security settings for Kubernetes deployments are very strict. One example is setting the Pod Security Admission to restricted:
apiVersion: v1
kind: Namespace
metadata:
  name: pega
  labels:
    kubernetes.io/metadata.name: pega
    pod-security.kubernetes.io/enforce: restricted
Running the default deployment with those settings will result in an error message and prevent the deployment from starting:
W0527 15:11:19.454889 105539 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "srs-service" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "srs-service" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "srs-service" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "srs-service" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Describe the solution you'd like
For all deployments (pega tiers, srs, pega-hazelcast/clustering-service, Constellation appstatic and messaging, etc.) it should be possible to specify a securityContext for the pod (this is already in place for many deployments) and for the container!
Example:
- name: "web"
  ...
  securityContext:
    runAsUser: 9001
    fsGroup: 0
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
Describe alternatives you've considered
The only alternative that I can think of is downloading the helm charts and modifying the deployment templates.
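As an added example (not code from this issue or from the pega-helm-charts project), a small Python checker that evaluates a pod spec against the four restricted-profile rules quoted in the warning above, so a rendered chart can be checked before it hits the admission controller; the spec dicts and image names below are constructed placeholders.

```python
# Added example: check a pod spec (plain dict shaped like the pod spec YAML)
# against the four "restricted" Pod Security Admission rules named in the
# warning quoted in the issue. Not part of the pega-helm-charts project.

def _ctx(obj):
    return obj.get("securityContext") or {}

def restricted_violations(pod_spec):
    """Return the list of violations; empty means these four rules pass.

    Only the four checks from the warning are implemented; the full
    restricted profile also covers volume types, host namespaces, etc.
    """
    pod_ctx = _ctx(pod_spec)
    violations = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name, cc = c.get("name", "?"), _ctx(c)
        if cc.get("allowPrivilegeEscalation") is not False:
            violations.append(f'container "{name}" must set securityContext.allowPrivilegeEscalation=false')
        drop = (cc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            violations.append(f'container "{name}" must set securityContext.capabilities.drop=["ALL"]')
        # runAsNonRoot and seccompProfile may be set at pod or container level;
        # a container-level value overrides the pod-level one.
        if cc.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
            violations.append(f'pod or container "{name}" must set securityContext.runAsNonRoot=true')
        seccomp = (cc.get("seccompProfile") or pod_ctx.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f'pod or container "{name}" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"')
    return violations

# Constructed sample built from the values proposed in the issue.
HARDENED_SPEC = {
    "securityContext": {"runAsUser": 9001, "fsGroup": 0},
    "containers": [{
        "name": "web",
        "image": "example/pega-web:placeholder",  # hypothetical image
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
    }],
}

# Constructed sample: container without any securityContext, as in the default chart.
DEFAULT_SPEC = {"containers": [{"name": "srs-service", "image": "example/srs:placeholder"}]}

if __name__ == "__main__":
    for label, spec in (("hardened", HARDENED_SPEC), ("default", DEFAULT_SPEC)):
        print(label, restricted_violations(spec) or "admitted")
```

Running it prints no violations for the hardened spec and the same four complaints the admission warning lists for the default one.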