suse-edge / edge-image-builder

Tool for creating and configuring a set of images to automate the deployment of Edge environments
Apache License 2.0

Set PSA for MetalLB and EndpointCopierOperator #536

Open atanasdinov opened 3 weeks ago

atanasdinov commented 3 weeks ago

We're currently deploying the plain MetalLB / ECO charts when a virtual IP address is specified. This is not working for CIS-enabled clusters, since those would then require additional values to be set:

Warning  FailedCreate  4m26s (x9 over 15m)  replicaset-controller  (combined from similar events): Error creating: pods "metallb-controller-778b7c89b6-45bdd" is forbidden: violates PodSecurity "restricted:latest": seccompProfile (pod or container "controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Ensure that these charts can be properly deployed on such clusters (using profile: "cis" in the Kubernetes config file) and perhaps consider always using these defaults even for non-CIS ones.

agracey commented 3 weeks ago

https://docs.rke2.io/security/pod_security_standards#pod-security-standards

It looks like adding our own PSS with metallb-system and ECO in the exempted list works, and the second node joins once the speaker pod starts. I might take a moment later and roll that into an EIB config to have a documented workaround.
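The two options raised in this thread (setting `securityContext.seccompProfile.type` in the chart values so the pods satisfy the restricted profile, versus exempting the `metallb-system` and ECO namespaces in a custom PodSecurity configuration) can be preflighted before an image is built. The following is an added example, not code from the edge-image-builder project or from either commenter: a small model of the restricted-profile seccomp rule quoted in the event above and of the `exemptions.namespaces` field of a `PodSecurityConfiguration`, run against constructed pod templates. The pod specs, the default exemption list and the `endpoint-copier-operator` namespace name are assumptions for illustration; the real admission controller enforces many more rules than seccomp.

```python
"""Added example (not project code): preflight a pod template against the
PodSecurity "restricted" seccomp rule and a PodSecurityConfiguration with
namespace exemptions, the two fixes discussed in the issue."""

# Values the restricted profile accepts for securityContext.seccompProfile.type.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def seccomp_violations(pod_spec: dict) -> list[str]:
    """Return one message per container that does not end up with an allowed
    seccompProfile.type. A pod-level setting covers every container and a
    container-level setting overrides it, matching Kubernetes precedence."""
    pod_type = (pod_spec.get("securityContext") or {}).get("seccompProfile", {}).get("type")
    problems = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        c_type = (c.get("securityContext") or {}).get("seccompProfile", {}).get("type")
        effective = c_type if c_type is not None else pod_type
        if effective not in ALLOWED_SECCOMP:
            problems.append(
                f'seccompProfile (pod or container "{c["name"]}" must set '
                'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
            )
    return problems


def admitted(namespace: str, pod_spec: dict, pss_config: dict) -> bool:
    """Would the pod pass restricted enforcement in `namespace`? Exempt
    namespaces skip the checks entirely; all others must satisfy the rule."""
    exempt = set(pss_config.get("exemptions", {}).get("namespaces", []))
    if namespace in exempt:
        return True
    return not seccomp_violations(pod_spec)


# Constructed pod template mirroring the failing metallb-controller pod from the
# issue: neither the pod nor the "controller" container sets seccompProfile.
PLAIN_CONTROLLER = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "controller", "image": "quay.io/metallb/controller"}],
}

# The same template with seccompProfile set at pod level, i.e. what the chart
# values would have to produce for a profile: "cis" cluster.
HARDENED_CONTROLLER = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "controller", "image": "quay.io/metallb/controller"}],
}

# Constructed PodSecurityConfiguration (the inner object of an RKE2
# AdmissionConfiguration) with only kube-system exempted (assumed default).
PSS_DEFAULT = {
    "apiVersion": "pod-security.admission.config.k8s.io/v1",
    "kind": "PodSecurityConfiguration",
    "defaults": {"enforce": "restricted", "enforce-version": "latest"},
    "exemptions": {"namespaces": ["kube-system"]},
}

# The workaround from the thread: the same config with metallb-system and the
# ECO namespace added. "endpoint-copier-operator" is an assumed namespace name.
PSS_WITH_EXEMPTIONS = {
    **PSS_DEFAULT,
    "exemptions": {"namespaces": ["kube-system", "metallb-system", "endpoint-copier-operator"]},
}


if __name__ == "__main__":
    for label, spec in (("plain", PLAIN_CONTROLLER), ("hardened", HARDENED_CONTROLLER)):
        for msg in seccomp_violations(spec):
            print(f"{label}: violates restricted:latest: {msg}")
        for cfg_label, cfg in (("default", PSS_DEFAULT), ("exempted", PSS_WITH_EXEMPTIONS)):
            print(f"{label} in metallb-system with {cfg_label} PSS: admitted={admitted('metallb-system', spec, cfg)}")
```

The plain template fails with the exact wording the replicaset-controller event reports, the hardened one passes everywhere, and the plain one passes only when its namespace is on the exemption list. That last line is the trade-off of the exemption route: the pods are admitted, but nothing in the cluster checks them any more.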