Proxy: Add pod/container security context

This updates the proxy chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag to false

Change-Id: I4e6d2836aa9d548118937b6b176e06fbc4a8c7ee

charts/proxy/templates/daemonset.yaml

@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:
+{{ dict "envAll" $envAll "application" "proxy" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       shareProcessNamespace: true
       dnsPolicy: Default
@@ -63,8 +64,7 @@ spec:
           - --v={{ .Values.proxy.logging.log_level }}
           {{- end }}
 {{ tuple $envAll $envAll.Values.pod.resources.proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
-        securityContext:
+{{ dict "envAll" $envAll "application" "proxy" "container" "proxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
-          privileged: true
         env:
           - name: KUBERNETES_SERVICE_HOST
             value: {{ .Values.kube_service.host }}

charts/proxy/values.yaml

@@ -18,6 +18,15 @@ manifests:
   rbac: true
 
 pod:
+  security_context:
+    proxy:
+      pod:
+        runAsUser: 65534
+      container:
+        proxy:
+          runAsUser: 0
+          privileged: true
+          readOnlyRootFilesystem: false
   lifecycle:
     upgrades:
       daemonsets: