inveniosoftware / helm-invenio

Helm charts for deploying an Invenio instance
https://helm-invenio.readthedocs.io

Set securityContext for compliance with PSS "restricted" #105

Closed lindhe closed 6 months ago

lindhe commented 6 months ago

Description

This change makes the worker-beat pod compliant with the Pod Security Standard "restricted". For more information, please see: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

There are still a handful of policy violations left:

W0212 13:13:00.741679    8975 warnings.go:70] would violate PodSecurity "restricted:latest": privileged (container "sysctl" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "sysctl" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sysctl" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sysctl" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "sysctl" must not set runAsUser=0), seccompProfile (pod or container "sysctl" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0212 13:13:00.741685    8975 warnings.go:70] would violate PodSecurity "restricted:latest": privileged (container "sysctl" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "sysctl" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sysctl" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sysctl" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "sysctl" must not set runAsUser=0), seccompProfile (pod or container "sysctl" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0212 13:13:00.742088    8975 warnings.go:70] would violate PodSecurity "restricted:latest": privileged (container "sysctl" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "sysctl" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sysctl" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sysctl" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "sysctl" must not set runAsUser=0), seccompProfile (pod or container "sysctl" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0212 13:13:00.746932    8975 warnings.go:70] would violate PodSecurity "restricted:latest": privileged (container "sysctl" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "sysctl" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sysctl" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sysctl" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "sysctl" must not set runAsUser=0), seccompProfile (pod or container "sysctl" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

These are, however, caused by the OpenSearch dependency, so I'll handle them in a separate PR since it's a bit more involved.

Apart from that, the changes are tested and seem to work.

Checklist

Ticks in all boxes and 🟢 on all GitHub actions status checks are required to merge:

Third-party code

If you've added third-party code (copy/pasted or new dependencies), please reach out to an architect.

Reminder

By using GitHub, you have already agreed to GitHub’s Terms of Service including that:

  1. You license your contribution under the same terms as the current repository’s license.
  2. You agree that you have the right to license your contribution under the current repository’s license.
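As an added example (not code from the helm-invenio chart), the following checker applies the six rules quoted in the warnings above to a parsed pod manifest, honouring that runAsNonRoot, runAsUser and seccompProfile may be set at pod or container level. Both manifests are constructed: a sysctl init container shaped like the OpenSearch one the warnings complain about, and a worker-beat pod carrying the settings this PR adds.

```python
# Checks a parsed pod manifest against the PSS "restricted" rules quoted in the warnings.
# Added example, not helm-invenio code; both manifests below are constructed.
from typing import Any


def _effective(pod_sc: dict, ctr_sc: dict, key: str) -> Any:
    """runAsNonRoot, runAsUser and seccompProfile may be set on the pod; a container value overrides it."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def restricted_violations(pod: dict) -> list[str]:
    """Return one message per violated rule, worded like the kubectl PodSecurity warnings."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    out = []
    # Init containers are checked too: that is where the OpenSearch "sysctl" container lives.
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = ctr.get("name", "?"), ctr.get("securityContext", {})
        if sc.get("privileged") is True:
            out.append(f'privileged (container "{name}" must not set securityContext.privileged=true)')
        if sc.get("allowPrivilegeEscalation") is not False:  # must be set explicitly to false
            out.append(f'allowPrivilegeEscalation != false (container "{name}" must set securityContext.allowPrivilegeEscalation=false)')
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            out.append(f'unrestricted capabilities (container "{name}" must set securityContext.capabilities.drop=["ALL"])')
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            out.append(f'runAsNonRoot != true (pod or container "{name}" must set securityContext.runAsNonRoot=true)')
        if _effective(pod_sc, sc, "runAsUser") == 0:
            out.append(f'runAsUser=0 (container "{name}" must not set runAsUser=0)')
        if (_effective(pod_sc, sc, "seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            out.append(f'seccompProfile (pod or container "{name}" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return out


# Constructed: an init container shaped like the one the warnings above complain about.
NONCOMPLIANT_POD = {"spec": {"initContainers": [
    {"name": "sysctl", "securityContext": {"privileged": True, "runAsUser": 0}}]}}

# Constructed: a pod carrying every setting the "restricted" profile asks for.
COMPLIANT_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "worker-beat", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for msg in restricted_violations(NONCOMPLIANT_POD):
        print("would violate PodSecurity restricted:", msg)
    print("compliant pod violations:", restricted_violations(COMPLIANT_POD))
```

This models only the rules the warnings mention (not the full profile, e.g. volume types, host namespaces or the NET_BIND_SERVICE exception), so the admission warnings from a server-side dry run of the rendered chart remain the authoritative check.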

lindhe commented 6 months ago

Considering this, I am not sure it will ever be possible to install OpenSearch without violating the "restricted" security standard.

Since not everyone has PSS enforced, it may not be an issue. I think it's still nice to provide the opensearch dependency so it's available for development installations, but it should probably be hosted externally for prod deployments (where PSS is more likely to be enforced).