Helm chart runs containers with higher privilege by default

[aaguiarz]

Could the defaults for all install scripts be set to run the openfga server with limited permissions?

In the case of helm chart, this would achieve:

• Not running server as root
• Not allowing privilege escalation
• Not allowing access to system calls unless required
• Setting filesystem to readonly
• Limiting access to mounted filesystems

This would greatly reduce the attack surface area.

[evankanderson]

It may be worth attempting to run containers under the restricted PodSecurityAdmission level, if possible. While this is not strictly required, it should be enough for most "normal" applications, and represents a substantial threat reduction over the Kubernetes defaults.