Description
Is your feature request related to a problem? Please describe.
We are currently running our applications in Kubernetes namespaces with pod security standards configured with the Restricted policy. https://kubernetes.io/docs/concepts/security/pod-security-standards/
I noticed a previous issue opened which attempted to resolve the problem but it seems that a few more changes are required. #130
I am currently running the APM attacher v1.1.3 and am encountering the error message below.
Error creating: pods "my-app-7cfd766dc8-kk4hq" is forbidden: violates PodSecurity "restricted:latest": runAsNonRoot != true (pod or container "apm-agent-nodejs" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "apm-agent-nodejs" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Describe the solution you'd like
Patch.go be updated to include the securityContext runAsNonRoot=true and seccompProfile.type to RuntimeDefault
Describe alternatives you've considered
We have forked the apm attacher and modified the code to get it to work for now since it is a POC but ideally we would want to avoid the maintenance overhead.
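
The two checks named in the admission error above, as an added example (not code from the APM attacher or from this issue): a small Python check that reports which pod or container settings would fail them. It covers only `runAsNonRoot` and `seccompProfile`, not the rest of the Restricted profile; the sample manifest is constructed, and placing `apm-agent-nodejs` under `initContainers` is an assumption.

```python
import json

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _verdicts(sec_ctx):
    """Score each field: True = compliant value, False = non-compliant, None = unset."""
    sec_ctx = sec_ctx or {}
    profile = sec_ctx.get("seccompProfile")
    return {
        "runAsNonRoot": sec_ctx.get("runAsNonRoot"),
        "seccompProfile": None if profile is None
        else profile.get("type") in ALLOWED_SECCOMP,
    }


def violations(manifest_json):
    """Return 'who: field' strings for everything that fails the two checks.

    A field fails when it is set to a non-compliant value, or when a container
    leaves it unset and the pod-level securityContext has no compliant value.
    """
    spec = json.loads(manifest_json)["spec"]
    pod = _verdicts(spec.get("securityContext"))
    # At pod level only an explicitly non-compliant value is a failure.
    out = [f"pod: {field}" for field, v in pod.items() if v is False]
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for field, v in _verdicts(c.get("securityContext")).items():
            if v is False or (v is None and pod[field] is not True):
                out.append(f"{c['name']}: {field}")
    return out


# Constructed sample: the application container is compliant; the injected
# container (name from the error message, assumed to be an init container)
# sets neither field, and there is no pod-level securityContext to fall back on.
SAMPLE = json.dumps({"spec": {
    "initContainers": [{"name": "apm-agent-nodejs"}],
    "containers": [{"name": "my-app", "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"}}}],
}})

if __name__ == "__main__":
    for line in violations(SAMPLE):
        print(line)
```

Setting both fields at pod level clears the report for containers that leave them unset, but a container that explicitly sets a non-compliant value is still reported.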