chore: add security context for helm

Signed-off-by: Rory Z <[email protected]>

deploy/charts/emqx-operator/README.md

@@ -47,6 +47,9 @@ The following table lists the configurable parameters of the cert-manager chart
 | `serviceAccount.create` | If `true`, create a new service account | `true` |
 | `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template |  |
 | `serviceAccount.annotations` | Annotations to add to the service account |  |
+| `podAnnotations` | Annotations to add to the pod | `{}` |
+| `podSecurityContext` | Security context for the pod | `{runAsNonRoot: true}` |
+| `containerSecurityContext` | Security context for the container | `{allowPrivilegeEscalation: false}` |
 | `resources` | CPU/memory resource requests/limits | `{}` |
 | `nodeSelector` | Node labels for pod assignment | `{}` |
 | `affinity` | Node affinity for pod assignment | `{}` |

deploy/charts/emqx-operator/templates/controller-manager.yaml

@@ -67,13 +67,13 @@ spec:
         resources:
           {{- toYaml .Values.resources | nindent 12 }}
         securityContext:
-          allowPrivilegeEscalation: false
+          {{- toYaml .Values.containerSecurityContext | nindent 12 }}
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert
           readOnly: true
       securityContext:
-        runAsNonRoot: true
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       serviceAccountName: {{ include "emqx-operator.serviceAccountName" . }}
       terminationGracePeriodSeconds: 10
       volumes:

deploy/charts/emqx-operator/values.yaml

@@ -38,6 +38,12 @@ serviceAccount:
 
 podAnnotations: {}
 
+podSecurityContext:
+  runAsNonRoot: true
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+
 resources:
   limits:
     cpu: 500m