Drydock: Add pod/container security context

This updates the drydock chart to include the pod
security context on the pod template. This changes the pod's
user from root to the nobody user instead

This also adds the container security context to set
allowPrivilegeEscalation to false and readOnlyRootFilesystem to true

Change-Id: I0882622e672e5918da82b58b76697b8974cf0b16

charts/drydock/templates/deployment.yaml

@@ -35,6 +35,7 @@ spec:
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
+{{ dict "envAll" $envAll "application" "drydock" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       nodeSelector:
         {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value | quote }}
       serviceAccountName: {{ $serviceAccountName }}
@@ -48,6 +49,7 @@ spec:
           image: {{ .Values.images.tags.drydock }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "drydock" "container" "drydock_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
             - name: 'MAAS_API_KEY'
               valueFrom:

charts/drydock/values.yaml

@@ -55,6 +55,14 @@ network:
         nginx.ingress.kubernetes.io/rewrite-target: /
 
 pod:
+  security_context:
+    drydock:
+      pod:
+        runAsUser: 65534
+      container:
+        drydock_api:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
   lifecycle:
     upgrades:
       deployments: