fix(deploy) increase container security

Change default values to run containers with read-only file system and
non-root user for both kong and postgres deployments.

Signed-off-by: Gerald Pape <[email protected]>

.kube-linter.yaml

@@ -1,8 +1,4 @@
 checks:
   exclude:
-    # TODO: exclude no rule
-    # https://github.com/Kong/charts/issues/753
-    - "no-read-only-root-fs"
-    - "run-as-non-root"
     - "unset-cpu-requirements"
     - "unset-memory-requirements"

charts/kong/CHANGELOG.md

@@ -5,6 +5,8 @@
 ### Changes
 
 * Added support for ServiceMonitor relabelings allowing labels manipulation before scraping.
+* Run containers with read-only file system and non-root user to increase container and pod security.
+  [#1057](https://github.com/Kong/charts/pull/1057)
 
 ### Breaking changes
 
@@ -246,27 +248,27 @@
 
 ## 2.26.5
 
-### Fixed 
+### Fixed
 
 * Kuma ServiceAccount Token hints and volumes are also available in migrations
   Pods.
   [#877](https://github.com/Kong/charts/pull/877)
 
 ## 2.26.4
 
-### Fixed 
+### Fixed
 
-* updated `admin_api_uri` to `admin_gui_api_url` as per [kong documentation](https://docs.konghq.com/gateway/3.4.x/reference/configuration/#admin_api_uri). 
+* updated `admin_api_uri` to `admin_gui_api_url` as per [kong documentation](https://docs.konghq.com/gateway/3.4.x/reference/configuration/#admin_api_uri).
 
 ## 2.26.3
 
-### Fixed 
+### Fixed
 
 * Enabled Service and Ingress in Kong Manager for non enterprise users.
 
 ## 2.26.2
 
-### Fixed 
+### Fixed
 
 * Add missing CRD KongConsumerGroup and extend status subresource for CRDs
 

charts/kong/README.md

@@ -899,11 +899,11 @@ On the Gateway release side, set either `admin.tls.client.secretName` to the nam
 | podDisruptionBudget.minAvailable   | Represents the number of Pods that must be available (integer or percentage)          |                     |
 | podSecurityPolicy.enabled          | Enable podSecurityPolicy for Kong                                                     | `false`             |
 | podSecurityPolicy.labels           | Labels to add to podSecurityPolicy for Kong                                           | `{}`             |
-| podSecurityPolicy.annotations      | Annotations to add to podSecurityPolicy for Kong                                      | `{}`             |
+| podSecurityPolicy.annotations      | Annotations to add to podSecurityPolicy for Kong                                      | `{ "seccomp.security.alpha.kubernetes.io/allowedProfileNames": "runtime/default" }`             |
 | podSecurityPolicy.spec             | Collection of [PodSecurityPolicy settings](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy) | |
 | priorityClassName                  | Set pod scheduling priority class for Kong pods                                       | `""`                |
 | secretVolumes                      | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]`                |
-| securityContext                    | Set the securityContext for Kong Pods                                                 | `{}`                |
+| securityContext                    | Set the securityContext for Kong Pods                                                 | See values.yaml     |
 | containerSecurityContext           | Set the securityContext for Containers                                                | See values.yaml     |
 | serviceMonitor.enabled             | Create ServiceMonitor for Prometheus Operator                                         | `false`             |
 | serviceMonitor.interval            | Scraping interval                                                                     | `30s`               |