Sentinel-One / helm-charts


Please fix pod security context #177

Open bartwitkowski opened 3 weeks ago

bartwitkowski commented 3 weeks ago

Hi,

I've talked with some of you during Kubecon '24 in Paris about this but still no changes in your Helm chart.

In short: the current S1 Helm template has Kubernetes pod securityContext settings with lots of defaults. Those settings are not wrong (the defaults are specified in the Kubernetes documentation), but because they are not set explicitly, they are visible, for example, in Microsoft Azure Defender Recommendations.

Could you apply a correct securityContext configuration? If not, then please write why it is a bad idea...

Running a quick script to determine the configured options gives us:

pod: sentinelone-agent

      PodSecurityContext:
        runAsGroup: 1000
        fsGroup: <no value>
        runAsNonRoot: <no value>
        runAsUser: 1000

    container name: s1-agent
    image: xx.azurecr.io/s1agent:23.3.2-x86_64
        allowPrivilegeEscalation: <no value>
        capabilities: map[add:[DAC_OVERRIDE DAC_READ_SEARCH FOWNER SETGID SETUID SYS_ADMIN SYS_PTRACE SYS_RESOURCE SYSLOG SYS_CHROOT CHOWN SYS_MODULE KILL NET_ADMIN NET_RAW] drop:[all]]
        privileged: <no value>
        readOnlyRootFilesystem: <no value>
        runAsGroup: <no value>
        runAsNonRoot: <no value>
        runAsUser: <no value>

pod: sentinelone-helper-86995dddb6-7282t
    PodSecurity Context is not set

    container name: helper
    image: xx.azurecr.io/s1helper:23.3.2-x86_64
        allowPrivilegeEscalation: <no value>
        privileged: <no value>
        readOnlyRootFilesystem: <no value>
        runAsGroup: 1000
        runAsNonRoot: <no value>
        runAsUser: 1000
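As an added example (not code from the helm-charts repository or from the issue author), a small Python audit in the spirit of the "quick script" above: it reports which pod-level and container-level securityContext fields are left unset and so fall back to Kubernetes defaults. The sample pod is constructed to mirror the sentinelone-agent output in the issue; the registry name is a placeholder.

```python
# Added example: report securityContext fields that a pod manifest leaves unset.
# Unset fields fall back to Kubernetes defaults, which is what scanners such as
# Azure Defender flag. Not code from the Sentinel-One helm-charts project.
from typing import Any

POD_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot", "fsGroup")
CONTAINER_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot", "privileged",
                    "allowPrivilegeEscalation", "readOnlyRootFilesystem")


def audit_pod(pod: dict[str, Any]) -> dict[str, list[str]]:
    """Return, keyed by 'pod' and by each container name, the securityContext
    fields that are not set explicitly in the given pod manifest (a dict
    shaped like the YAML/JSON you get from `kubectl get pod -o json`)."""
    spec = pod.get("spec", {})
    findings: dict[str, list[str]] = {}
    pod_sc = spec.get("securityContext") or {}
    findings["pod"] = [f for f in POD_FIELDS if pod_sc.get(f) is None]
    for container in spec.get("containers", []):
        c_sc = container.get("securityContext") or {}
        missing = [f for f in CONTAINER_FIELDS if c_sc.get(f) is None]
        caps = c_sc.get("capabilities") or {}
        # A container that adds capabilities should also drop "all" first,
        # as the s1-agent container in the issue already does.
        dropped = [d.lower() for d in caps.get("drop", [])]
        if caps.get("add") and "all" not in dropped:
            missing.append("capabilities.drop[all]")
        findings[container["name"]] = missing
    return findings


# Constructed sample mirroring the issue's output for the agent pod
# (capability list shortened; registry name is a placeholder).
SAMPLE_AGENT_POD = {
    "metadata": {"name": "sentinelone-agent"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 1000},
        "containers": [{
            "name": "s1-agent",
            "image": "REGISTRY_PLACEHOLDER/s1agent:23.3.2-x86_64",
            "securityContext": {
                "capabilities": {"add": ["SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN"],
                                 "drop": ["all"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for scope, fields in audit_pod(SAMPLE_AGENT_POD).items():
        print(f"{scope}: unset -> {', '.join(fields) or 'none'}")
```

Feeding it the real manifests (e.g. parsed from `kubectl get pod -o json`) gives the same `<no value>` picture the issue shows, and an empty list for a scope means the chart sets every field explicitly.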