medik8s / node-maintenance-operator

Kubernetes Operator to manage node maintenance through NodeMaintenance custom resources
https://www.medik8s.io/maintenance-node/
Apache License 2.0
27 stars, 13 forks

PSA "restricted" - Pod Security Updates #61

Closed razo7 closed 1 year ago

razo7 commented 1 year ago

In order to comply with the restricted PSA profile, the pod needs to have runAsNonRoot: true, and all containers need to have allowPrivilegeEscalation:false and drop all capabilities. Also the Dockerfile should set a USER.

On Kubernetes we would also need to set seccompProfile.type: RuntimeDefault. This will be added by a new make target bundle-k8s for community (k8s) releases, since it would break deployment on OCP 4.10 though. Therefore, it would be empty by default.

Related docs:
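
The restricted-profile requirements listed in the description, expressed as a checker over a pod spec. This is an added example, not code from this PR or from the operator: the types are a hand-written, minimal mirror of the PodSpec fields involved (not the k8s.io/api types the operator uses), the two manifests are constructed for the example, and the `requireSeccomp` flag is an assumption that models the PR's split between the community (k8s) bundle and the OCP bundle. Beyond what the description states, it also applies the restricted profile's rule that `capabilities.add` may contain only NET_BIND_SERVICE and that `Localhost` is accepted alongside `RuntimeDefault` for seccomp. The Dockerfile USER requirement is outside a pod spec and is not checked here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hand-written, minimal mirror of the PodSpec fields the restricted
// profile checks below look at (assumption for this example; the
// operator itself uses the k8s.io/api types).
type SeccompProfile struct {
	Type string `json:"type,omitempty"`
}

type Capabilities struct {
	Drop []string `json:"drop,omitempty"`
	Add  []string `json:"add,omitempty"`
}

type SecurityContext struct {
	RunAsNonRoot             *bool           `json:"runAsNonRoot,omitempty"`
	AllowPrivilegeEscalation *bool           `json:"allowPrivilegeEscalation,omitempty"`
	Capabilities             *Capabilities   `json:"capabilities,omitempty"`
	SeccompProfile           *SeccompProfile `json:"seccompProfile,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
	Containers      []Container      `json:"containers"`
}

func dropsAll(drop []string) bool {
	for _, c := range drop {
		if c == "ALL" {
			return true
		}
	}
	return false
}

// restrictedViolations returns one message per restricted-profile
// requirement that spec fails. requireSeccomp is an assumed switch
// modelling the PR: true for the community (k8s) bundle, false for
// the OCP bundle where RuntimeDefault is left out.
func restrictedViolations(spec PodSpec, requireSeccomp bool) []string {
	var out []string
	podSC := spec.SecurityContext
	if podSC == nil {
		podSC = &SecurityContext{}
	}
	for _, c := range spec.Containers {
		sc := c.SecurityContext
		if sc == nil {
			sc = &SecurityContext{}
		}
		// runAsNonRoot: container-level value overrides the pod-level one.
		nonRoot := sc.RunAsNonRoot
		if nonRoot == nil {
			nonRoot = podSC.RunAsNonRoot
		}
		if nonRoot == nil || !*nonRoot {
			out = append(out, c.Name+": runAsNonRoot must be true")
		}
		// allowPrivilegeEscalation must be explicitly false on every container.
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, c.Name+": allowPrivilegeEscalation must be false")
		}
		// Capabilities: drop ALL; only NET_BIND_SERVICE may be added back.
		if sc.Capabilities == nil || !dropsAll(sc.Capabilities.Drop) {
			out = append(out, c.Name+": capabilities.drop must include ALL")
		}
		if sc.Capabilities != nil {
			for _, add := range sc.Capabilities.Add {
				if add != "NET_BIND_SERVICE" {
					out = append(out, c.Name+": capabilities.add may only contain NET_BIND_SERVICE, got "+add)
				}
			}
		}
		// seccomp: RuntimeDefault or Localhost at pod or container level.
		if requireSeccomp {
			sp := sc.SeccompProfile
			if sp == nil {
				sp = podSC.SeccompProfile
			}
			if sp == nil || (sp.Type != "RuntimeDefault" && sp.Type != "Localhost") {
				out = append(out, c.Name+": seccompProfile.type must be RuntimeDefault or Localhost")
			}
		}
	}
	return out
}

// checkJSON parses a pod spec (JSON, which is also valid YAML) and
// runs the restricted-profile checks on it.
func checkJSON(raw string, requireSeccomp bool) ([]string, error) {
	var spec PodSpec
	if err := json.Unmarshal([]byte(raw), &spec); err != nil {
		return nil, err
	}
	return restrictedViolations(spec, requireSeccomp), nil
}

// Constructed sample specs for this example (not the operator's manifests).
const weakSpec = `{"containers": [{"name": "manager"}]}`

// Hardened spec matching the PR description, with the k8s-only seccomp setting.
const k8sSpec = `{
  "securityContext": {"runAsNonRoot": true, "seccompProfile": {"type": "RuntimeDefault"}},
  "containers": [{"name": "manager", "securityContext": {
    "allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}}}]
}`

// Same as k8sSpec without seccompProfile, i.e. the default (OCP) bundle.
const ocpSpec = `{
  "securityContext": {"runAsNonRoot": true},
  "containers": [{"name": "manager", "securityContext": {
    "allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}}}]
}`

func main() {
	for _, tc := range []struct {
		name    string
		raw     string
		seccomp bool
	}{{"weak/k8s", weakSpec, true}, {"k8s", k8sSpec, true}, {"ocp", ocpSpec, false}, {"ocp-spec-on-k8s", ocpSpec, true}} {
		v, err := checkJSON(tc.raw, tc.seccomp)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d violation(s) %v\n", tc.name, len(v), v)
	}
}
```

Running it shows the bare spec failing all four checks, the k8s spec passing, and the OCP spec passing only when the seccomp requirement is switched off, which is exactly the gap the separate bundle-k8s target is meant to close.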

openshift-ci[bot] commented 1 year ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: razo7

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/medik8s/node-maintenance-operator/blob/main/OWNERS)~~ [razo7]

Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment

beekhof commented 1 year ago

/lgtm
