Adding securityContext

[jtyr]

This PR is adding securityContext to make the Jobs created by this controller more secure. The default securityContext is set to comply with the Restricted Pod Security Standard profile but it can be further tweaked via the podSecurityContext and the securityContext fields of the HelmChart Custom Resource. Jobs created by the controller are further hardened by enabling readOnlyRootFilesystem and enabling write access only to tmpfs mounts /home/klipper-helm/.(helm|cache|config).

[brandond]

nits/questions

[jtyr]

Thanks for the review. All issues should be fixed now.

[brandond]

Can you also call out more specifically the other changes in the PR description? Namely, that in addition to making the SecurityContexts configurable, it also hardens the default values by:

• Enabling ReadOnlyRootFilesystem
• Enabling RunAsNonRoot
• Dropping all capabilities
• Adding tmpfs mounts for /home/klipper-helm/.(helm|cache|config)

[brandond]

Looks like one of the tests is failing:

  [FAILED] Expected
      <v1.PodSecurityContext>: {
          SELinuxOptions: nil,
          WindowsOptions: nil,
          RunAsUser: nil,
          RunAsGroup: nil,
          RunAsNonRoot: false,
          SupplementalGroups: nil,
          FSGroup: nil,
          Sysctls: nil,
          FSGroupChangePolicy: nil,
          SeccompProfile: nil,
      }
  to equal
      <v1.PodSecurityContext>: {
          SELinuxOptions: nil,
          WindowsOptions: nil,
          RunAsUser: nil,
          RunAsGroup: nil,
          RunAsNonRoot: false,
          SupplementalGroups: nil,
          FSGroup: nil,
          Sysctls: nil,
          FSGroupChangePolicy: nil,
          SeccompProfile: {
              Type: "RuntimeDefault",
              LocalhostProfile: nil,
          },
      }