fix(deploy) increase container security

Change default values to run containers with read-only file system and
non-root user for both kong and postgres deployments.

Signed-off-by: Gerald Pape <[email protected]>

.kube-linter.yaml

@@ -1,8 +1,4 @@
 checks:
   exclude:
-    # TODO: exclude no rule
-    # https://github.com/Kong/charts/issues/753
-    - "no-read-only-root-fs"
-    - "run-as-non-root"
     - "unset-cpu-requirements"
     - "unset-memory-requirements"

charts/kong/CHANGELOG.md

@@ -11,6 +11,8 @@
   for use when the external Service and container listens should differ, such
   as when terminating TLS at a LoadBalancer.
   [#1021](https://github.com/Kong/charts/pull/1021)
+* Run containers with read-only file system and non-root user to increase container and pod security.
+  [#1057](https://github.com/Kong/charts/pull/1057)
 
 ## 2.38.0
 

charts/kong/README.md

@@ -898,11 +898,11 @@ On the Gateway release side, set either `admin.tls.client.secretName` to the nam
 | podDisruptionBudget.minAvailable   | Represents the number of Pods that must be available (integer or percentage)          |                     |
 | podSecurityPolicy.enabled          | Enable podSecurityPolicy for Kong                                                     | `false`             |
 | podSecurityPolicy.labels           | Labels to add to podSecurityPolicy for Kong                                           | `{}`             |
-| podSecurityPolicy.annotations      | Annotations to add to podSecurityPolicy for Kong                                      | `{}`             |
+| podSecurityPolicy.annotations      | Annotations to add to podSecurityPolicy for Kong                                      | `{ "seccomp.security.alpha.kubernetes.io/allowedProfileNames": "runtime/default" }`             |
 | podSecurityPolicy.spec             | Collection of [PodSecurityPolicy settings](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy) | |
 | priorityClassName                  | Set pod scheduling priority class for Kong pods                                       | `""`                |
 | secretVolumes                      | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]`                |
-| securityContext                    | Set the securityContext for Kong Pods                                                 | `{}`                |
+| securityContext                    | Set the securityContext for Kong Pods                                                 | See values.yaml     |
 | containerSecurityContext           | Set the securityContext for Containers                                                | See values.yaml     |
 | serviceMonitor.enabled             | Create ServiceMonitor for Prometheus Operator                                         | `false`             |
 | serviceMonitor.interval            | Scraping interval                                                                     | `30s`               |