
fix: Enhance securityContext in ha manifests (#9810) #9930

Merged
merged 1 commit into from Jul 20, 2022

Conversation

joebowbeer
Contributor

@joebowbeer joebowbeer commented Jul 10, 2022

Fixes #9810

Adds container-level securityContext to the argocd-redis-ha-haproxy and argocd-redis-ha-server containers.

In a static check using kyverno-cli, these updated manifests report no PSS/restricted policy failures:

kustomize build https://github.com/kyverno/policies//pod-security | \
  kyverno apply --policy-report -r \
  <(kustomize build https://github.com/joebowbeer/argo-cd//manifests/ha/cluster-install\?ref=patch-2) \
  -
kustomize build https://github.com/kyverno/policies//pod-security | \
  kyverno apply --policy-report -r \
  <(kustomize build https://github.com/joebowbeer/argo-cd//manifests/ha/namespace-install\?ref=patch-2) \
  -
kustomize build https://github.com/kyverno/policies//pod-security | \
  kyverno apply --policy-report -r \
  <(wget -qO- https://raw.githubusercontent.com/joebowbeer/argo-cd/patch-2/manifests/ha/install.yaml) \
  -
kustomize build https://github.com/kyverno/policies//pod-security | \
  kyverno apply --policy-report -r \
  <(wget -qO- https://raw.githubusercontent.com/joebowbeer/argo-cd/patch-2/manifests/ha/namespace-install.yaml) \
  -

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • Optional. My organization is added to USERS.md.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).

@codecov

codecov bot commented Jul 10, 2022

Codecov Report

Merging #9930 (19de782) into master (99a889c) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #9930   +/-   ##
=======================================
  Coverage   45.96%   45.96%           
=======================================
  Files         227      227           
  Lines       27276    27276           
=======================================
  Hits        12538    12538           
  Misses      13036    13036           
  Partials     1702     1702           


@crenshaw-dev
Collaborator

@joebowbeer ready for review?

@joebowbeer joebowbeer marked this pull request as ready for review July 11, 2022 15:38
@joebowbeer
Contributor Author

joebowbeer commented Jul 11, 2022

@crenshaw-dev I marked it ready. I don't know how well redis-ha is tested in the automated e2e tests, so I asked @souravsk to give it a spin.

@crenshaw-dev
Collaborator

@joebowbeer not at all, unfortunately. :-( Might see if I can test this out at Intuit for a day or two before merging.

@souravsk

So I copied the changes you made, then I ran them in my minikube.
It did run, but some of the pods are pending.

@joebowbeer
Contributor Author

@souravsk how many workers are in your cluster? I suggest 3 for high availability (HA)

@souravsk

souravsk commented Jul 11, 2022

In my minikube it has one control plane and one worker node. I tried to create one more node but it failed. I tried many times, but somehow 5 pods are always pending.

@joebowbeer
Contributor Author

joebowbeer commented Jul 15, 2022

@crenshaw-dev it looks like NET_BIND_SERVICE may be problematic:

However, I don't see any privileged containerPort bindings in the argocd/ha manifests, so I will drop this capability.
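The container-level rules the kyverno pod-security (PSS restricted) checks in the description enforce, including the one that makes NET_BIND_SERVICE the only capability a restricted container may add, as an added Python check. This is not code from the PR or from Argo CD; the pod manifests inside it are constructed samples whose values are illustrative.

```python
"""Static check of a container against the Kubernetes Pod Security Standard
"restricted" profile, the same rules the kyverno pod-security policies apply.
The sample manifests below are constructed for illustration, not from argo-cd."""


def pss_restricted_violations(pod_spec: dict, container: dict) -> list[str]:
    """Return the restricted-profile rules the container violates.
    Fields that may also be set at pod level (runAsNonRoot, runAsUser,
    seccompProfile) fall back to pod.spec.securityContext when omitted."""
    pod_sc = pod_spec.get("securityContext", {})
    sc = container.get("securityContext", {})
    name = container["name"]
    problems = []
    if sc.get("privileged"):
        problems.append(f"{name}: privileged must not be true")
    if sc.get("allowPrivilegeEscalation") is not False:
        problems.append(f"{name}: allowPrivilegeEscalation must be set to false")
    caps = sc.get("capabilities", {})
    if "ALL" not in caps.get("drop", []):
        problems.append(f"{name}: capabilities.drop must include ALL")
    extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}  # only permitted add
    if extra:
        problems.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {sorted(extra)}")
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        problems.append(f"{name}: runAsNonRoot must be true")
    if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
        problems.append(f"{name}: runAsUser must not be 0")
    seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
    if seccomp not in ("RuntimeDefault", "Localhost"):
        problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


def check_pod(pod: dict) -> dict[str, list[str]]:
    """Run the check over every initContainer and container of a Pod or template."""
    spec = pod["spec"]
    return {c["name"]: pss_restricted_violations(spec, c)
            for c in spec.get("initContainers", []) + spec.get("containers", [])}


# Constructed samples: a redis-ha style pod without and with the
# container-level securityContext (shape mirrors the PR; values are illustrative).
BEFORE = {"spec": {"containers": [{"name": "haproxy", "image": "haproxy:2.6"}]}}
AFTER = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "haproxy", "image": "haproxy:2.6",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in ("before", BEFORE), ("after", AFTER):
        print(label, check_pod(pod))
```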

Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>
@joebowbeer
Contributor Author

joebowbeer commented Jul 15, 2022

@crenshaw-dev PTAL

I applied ha/install.yaml to a local kind cluster with 3 control plane nodes and 3 worker nodes, and everything was healthy.

I ran kyverno against the argocd namespace and there were no failures:

kyverno apply <(kustomize build https://github.com/kyverno/policies//pod-security) \
    --cluster --policy-report -n=argocd

Collaborator

@crenshaw-dev crenshaw-dev left a comment


lgtm, thanks!

@crenshaw-dev crenshaw-dev merged commit d098192 into argoproj:master Jul 20, 2022
@joebowbeer joebowbeer deleted the patch-2 branch July 20, 2022 18:57