Pod security updates

[slintes]

In order to comply with the restricted PSA profile, the pod needs to have
runAsNonRoot: true, and all containers need to have
allowPrivilegeEscalation:false and drop all caps. Also the Dockerfile should
set a USER.

On k8s we would also need to set seccompProfile.type: RuntimeDefault.
That would break deployment on OCP 4.10 though. So leave it empty by default,
which is fine also on OCP 4.11+.

For community (k8s) releases, there is a new make target bundle-k8s,
which adds the seccompProfile to the deployment.

Releated docs:
https://kubernetes.io/docs/concepts/security/pod-security-standards/
https://kubernetes.io/docs/concepts/security/pod-security-admission/
https://master.sdk.operatorframework.io/docs/best-practices/pod-security-standards/

ECOPROJECT-811

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: slintes

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [slintes]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[slintes]

/hold

check logs for warnings, old example:

Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "kube-rbac-proxy" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "kube-rbac-proxy", "manager" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "kube-rbac-proxy", "manager" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "kube-rbac-proxy", "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Seems at least in the past there was a warning for missing seccompProfile. Check if it's still there, and if so what to do about it (setting it would break OCP <= 4.10). My understanding is that it's ok.

[beekhof]

/lgtm
Priority is making it work for 4.11+, we can revisit for the 4.10 back port if necessary

[slintes]

Can't find anything in the logs complaining about missing seccomProfile 🤷🏼‍♂️ So hopefully we are lucky and can use this for all OCP versions :)

/hold cancel
/skip

[slintes]

trying to wake up tide

/hold

[slintes]

/hold cancel

[slintes]

/skip

[slintes]

/check-required-labels

[slintes]

/test ?

[openshift-ci]

@slintes: The following commands are available to trigger required jobs:

• /test ci-index-my-bundle
• /test images
• /test openshift-e2e
• /test test

Use /test all to run all jobs.

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[slintes]

/test test
/hold

[slintes]

/hold cancel

[slintes]

/check-required-labels