Trivy recommended hardening

[jcpunk]

These hardening bits were recommended by the trivy scanner.

https://github.com/aquasecurity/trivy
https://github.com/aquasecurity/trivy-operator

[derekbit]

@jcpunk
Thanks for your contribution.
Could you please link me to a reference for the feature? Thank you.

[derekbit]

BTW, could you help resolve the conflict? Thank you.

[jcpunk]

I've added links to the trivy tooling and resolved the conflicts.

Just to verify, can this container run with any of the following security settings?

runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
   drop: ["ALL"]
runAsUser: 65534
runAsGroup: 65534
readOnlyRootFilesystem: true

Their existence in the values.yaml even as comments seems incorrect if they are incompatible.

If the pod requires run as root with some capabilities, that should probably be noted somewhere...

[derekbit]

Not sure if the hardening can introduce side effect?
I think we can gray the block out and leave a comment here. Users can enable it by updating the values.yaml.
@jcpunk WDYT?

[jcpunk]

I'd prefer the defaults to have the most hardening that is safe to apply. I'm not super familiar with what the code actually needs...

In prod I'm running with the sandbox enabled (what is actually in the patch) and that seems to work.

I'd love to have these too:

runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
   drop: ["ALL"]
runAsUser: 65534
runAsGroup: 65534
readOnlyRootFilesystem: true

but I don't have a place to test them at this point. Do you know if any of these are workable?

[github-actions]

This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.

[jcpunk]

I'd still like to see some version of this.

[derekbit]

Let's make it in v0.0.28.

Let's make it in v0.0.29.