
feat: Add possibility to configure securityContext for each pod #275

Merged
merged 6 commits into from
Jan 12, 2024

@ppawlowski ppawlowski commented Jan 11, 2024

Description

Add possibility to configure securityContext for forge and broker pods.
Additionally, set a default value for seccompProfile to RuntimeDefault for both pods.

Related Issue(s)

#323
#268

Checklist

  • I have read the contribution guidelines
  • Suitable unit/system level tests have been added and they pass
  • Documentation has been updated
    • Upgrade instructions
    • Configuration details
    • Concepts
  • Changes flowforge.yml?
    • Issue/PR raised on FlowFuse/helm to update ConfigMap Template
    • Issue/PR raised on FlowFuse/CloudProject to update values for Staging/Production

Labels

  • Backport needed? -> add the backport label
  • Includes a DB migration? -> add the area:migration label
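
The seccomp default described in this PR only takes effect if nothing at container level overrides it. The following is an added example (not part of the PR or the chart) that computes the effective seccomp profile per container from pod specs. The pod names and specs are constructed, and it assumes the kubelet is not run with `--seccomp-default`, so an unset profile means `Unconfined`.

```python
import json

# Constructed pod specs for illustration; names and values are not from the chart.
SAMPLE_PODS = json.loads("""
{
  "pod-level-default": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                        "containers": [{"name": "app"}]},
  "no-context": {"containers": [{"name": "app"}]},
  "container-override": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                         "containers": [{"name": "app"}, {"name": "debug", "securityContext":
                                         {"seccompProfile": {"type": "Unconfined"}}}]},
  "privileged": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                 "containers": [{"name": "agent", "securityContext": {"privileged": true}}]}
}
""")

ALLOWED = {"RuntimeDefault", "Localhost"}

def effective_seccomp(pod_spec):
    """Map each container name to the seccomp profile type it will actually run with."""
    pod_profile = (pod_spec.get("securityContext") or {}).get("seccompProfile") or {}
    result = {}
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                # Privileged containers always run without seccomp filtering.
                result[c["name"]] = "Unconfined"
                continue
            # A container-level profile overrides the pod-level one.
            profile = sc.get("seccompProfile") or pod_profile
            # With nothing set, the kubelet default applies (assumed Unconfined here,
            # i.e. the kubelet is not started with --seccomp-default).
            result[c["name"]] = profile.get("type", "Unconfined")
    return result

def unconfined_containers(pods):
    """Return sorted (pod, container) pairs whose effective profile is not allowed."""
    return sorted((pod, name) for pod, spec in pods.items()
                  for name, kind in effective_seccomp(spec).items() if kind not in ALLOWED)

if __name__ == "__main__":
    for pod, container in unconfined_containers(SAMPLE_PODS):
        print(f"{pod}/{container}: effective seccomp profile is not RuntimeDefault or Localhost")
```
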

node-red:3.1.x-main-linux-amd64 scan results

0 tests  ±0   0 ✅ ±0   0s ⏱️ ±0s
2 suites ±0   0 💤 ±0 
1 files   ±0   0 ❌ ±0 

Results for commit 00f46d8. ± Comparison against base commit 60776ce.

node-red:3.0.2-main-linux-amd64 scan results

1 files  ±0  4 suites  ±0   0s ⏱️ ±0s
8 tests ±0  0 ✅ ±0  0 💤 ±0  8 ❌ ±0 
9 runs  ±0  0 ✅ ±0  0 💤 ±0  9 ❌ ±0 

For more details on these failures, see this check.

Results for commit 00f46d8. ± Comparison against base commit 60776ce.

node-red:2.2.3-main-linux-amd64 scan results

26 tests  ±0    0 ✅ ±0   0s ⏱️ ±0s
 4 suites ±0    0 💤 ±0 
 1 files   ±0   26 ❌ ±0 

For more details on these failures, see this check.

Results for commit 00f46d8. ± Comparison against base commit 60776ce.

node-red:2.2.3-main-linux-arm64 scan results

26 tests  ±0    0 ✅ ±0   0s ⏱️ ±0s
 4 suites ±0    0 💤 ±0 
 1 files   ±0   26 ❌ ±0 

For more details on these failures, see this check.

Results for commit 00f46d8. ± Comparison against base commit 60776ce.

node-red:3.0.2-main-linux-arm64 scan results

1 files  ±0  4 suites  ±0   0s ⏱️ ±0s
8 tests ±0  0 ✅ ±0  0 💤 ±0  8 ❌ ±0 
9 runs  ±0  0 ✅ ±0  0 💤 ±0  9 ❌ ±0 

For more details on these failures, see this check.

Results for commit 00f46d8. ± Comparison against base commit 60776ce.

node-red:3.1.x-main-linux-arm64 scan results

0 tests  ±0   0 ✅ ±0   0s ⏱️ ±0s
2 suites ±0   0 💤 ±0 
1 files   ±0   0 ❌ ±0 

Results for commit 00f46d8. ± Comparison against base commit 60776ce.

@hardillb
Contributor

@ppawlowski do we need to talk about what security context will be applied to the NR instance pods?

@ppawlowski ppawlowski changed the base branch from main to v2 January 12, 2024 09:36
@hardillb hardillb mentioned this pull request Jan 12, 2024
12 tasks
@ppawlowski
Contributor Author

> @ppawlowski do we need to talk about what security context will be applied to the NR instance pods?

NR instances are created by the application with the Kubernetes driver, thus it is outside of the scope of the change introduced in this PR. However, it is worth implementing security context parameters on NR as well, but as a separate task.

@hardillb
Contributor

> NR instances are created by the application with the Kubernetes driver, thus it is outside of the scope of the change introduced in this PR. However, it is worth implementing security context parameters on NR as well, but as a separate task.

Yes, but I was meaning should we have a paired driver PR to match? And should it use some of the same values?

@ppawlowski
Contributor Author

> > NR instances are created by the application with the Kubernetes driver, thus it is outside of the scope of the change introduced in this PR. However, it is worth implementing security context parameters on NR as well, but as a separate task.
>
> Yes, but I was meaning should we have a paired driver PR to match? And should it use some of the same values?

Can be implemented independently. Regarding values - for the seccomp profile it should be fine, although some tests should be performed. For the user/group ID - this might change due to #251.

@hardillb
Contributor

OK, so the only thing missing from this (we will look at the driver update later) is adding to the file-server pod

@hardillb hardillb merged commit b6dbf87 into v2 Jan 12, 2024
2 checks passed
@hardillb hardillb deleted the feat-podsecuritycontext branch January 12, 2024 14:53
@ppawlowski ppawlowski mentioned this pull request Jan 17, 2024
11 tasks