Run apiserver-webhook containers with the 'nobody' user

The apiserver-webhook containers should run with a non-root user when
possible

Change-Id: Ia56794e4f39423cbb642c3aa518649abc2a51d5c

charts/apiserver-webhook/templates/deployment.yaml

@@ -118,6 +118,7 @@ spec:
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
       dnsPolicy: ClusterFirst
+{{ dict "envAll" $envAll "application" "apiserver_webhook" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       containers:
         - name: apiserver
           image: {{ .Values.images.tags.apiserver }}

charts/apiserver-webhook/values.yaml

@@ -247,6 +247,10 @@ pod:
     kubernetes_keystone_webhook_tests:
       init_container: null
       kubernetes_keystone_webhook_tests: null
+  security_context:
+    apiserver_webhook:
+      pod:
+        runAsUser: 65534
 conf:
   paths:
     base: '/etc/webhook_apiserver/'