fix(helm): set readOnlyRootFilesystem/runAsUser/runAsGroup on ingress/egress deployments

app/kumactl/cmd/install/testdata/install-control-plane.dump-values.yaml

@@ -470,28 +470,14 @@ ingress:
   topologySpreadConstraints:
 
   # -- Security context at the pod level for ingress
-  podSecurityContext: {}
-#    # The values below are examples. More values can be added as needed, since the field resolves as free form.
-#    runAsNonRoot: true
-#    runAsUser: 1000
-#    runAsGroup: 3000
-#    fsGroup: 2000
-#    fsGroupChangePolicy:
-#    # to support additional pod level securityContext parameters, please check:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 5678
+    runAsGroup: 5678
 
   # -- Security context at the container level for ingress
-  containerSecurityContext: {} # for overlapping securityContext between pod and container, the container's value take precedence
-#    # The values below are examples. More values can be added as needed, since the field resolves as free form.
-#    allowPrivilegeEscalation: false
-#    capabilities:
-#      drop:
-#        - all
-#    readOnlyRootFilesystem: true
-#    privileged: false
-#    runAsNonRoot: true
-#    runAsUser: 1000
-#    runAsGroup: 3000
-#    # to support additional container level securityContext parameters, please check:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core
+  containerSecurityContext:
+   readOnlyRootFilesystem: true
 
 egress:
   # -- If true, it deploys Egress for cross cluster communication
@@ -581,28 +567,14 @@ egress:
   topologySpreadConstraints:
 
   # -- Security context at the pod level for egress
-  podSecurityContext: {}
-#    # The values below are examples. More values can be added as needed, since the field resolves as free form.
-#    runAsNonRoot: true
-#    runAsUser: 1000
-#    runAsGroup: 3000
-#    fsGroup: 2000
-#    fsGroupChangePolicy:
-#    # to support additional pod level securityContext parameters, please check:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 5678
+    runAsGroup: 5678
 
   # -- Security context at the container level for egress
-  containerSecurityContext: {} # for overlapping securityContext between pod and container, the container's value take precedence
-#    # The values below are examples. More values can be added as needed, since the field resolves as free form.
-#    allowPrivilegeEscalation: false
-#    capabilities:
-#      drop:
-#        - all
-#    readOnlyRootFilesystem: true
-#    privileged: false
-#    runAsNonRoot: true
-#    runAsUser: 1000
-#    runAsGroup: 3000
-#    # to support additional container level securityContext parameters, please check:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core
+  containerSecurityContext:
+   readOnlyRootFilesystem: true
 
 kumactl:
   image:

app/kumactl/cmd/install/testdata/install-control-plane.with-egress.golden.yaml

@@ -566,6 +566,10 @@ spec:
                   - kuma-egress
               topologyKey: kubernetes.io/hostname
             weight: 100
+      securityContext:
+        runAsGroup: 5678
+        runAsNonRoot: true
+        runAsUser: 5678
       serviceAccountName: kuma-egress
       nodeSelector:
 
@@ -574,6 +578,8 @@ spec:
         - name: egress
           image: "docker.io/kumahq/kuma-dp:0.0.1"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
           env:
             - name: POD_NAME
               valueFrom:
@@ -629,13 +635,17 @@ spec:
             - name: control-plane-ca
               mountPath: /var/run/secrets/kuma.io/cp-ca
               readOnly: true
+            - name: tmp
+              mountPath: /tmp
       volumes:
         - name: control-plane-ca
           secret:
             secretName: "kuma-tls-cert"
             items:
               - key: ca.crt
                 path: ca.crt
+        - name: tmp
+          emptyDir: {}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration

app/kumactl/cmd/install/testdata/install-control-plane.with-helm-set.yaml

@@ -6046,6 +6046,10 @@ spec:
                   - kuma-egress
               topologyKey: kubernetes.io/hostname
             weight: 100
+      securityContext:
+        runAsGroup: 5678
+        runAsNonRoot: true
+        runAsUser: 5678
       serviceAccountName: kuma-egress
       nodeSelector:
 
@@ -6054,6 +6058,8 @@ spec:
         - name: egress
           image: "docker.io/kumahq/kuma-dp:0.0.1"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
           env:
             - name: POD_NAME
               valueFrom:
@@ -6109,13 +6115,17 @@ spec:
             - name: control-plane-ca
               mountPath: /var/run/secrets/kuma.io/cp-ca
               readOnly: true
+            - name: tmp
+              mountPath: /tmp
       volumes:
         - name: control-plane-ca
           secret:
             secretName: "kuma-tls-cert"
             items:
               - key: ca.crt
                 path: ca.crt
+        - name: tmp
+          emptyDir: {}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -6166,6 +6176,10 @@ spec:
                   - kuma-ingress
               topologyKey: kubernetes.io/hostname
             weight: 100
+      securityContext:
+        runAsGroup: 5678
+        runAsNonRoot: true
+        runAsUser: 5678
       serviceAccountName: kuma-ingress
       nodeSelector:
 
@@ -6175,6 +6189,8 @@ spec:
         - name: ingress
           image: "docker.io/kumahq/kuma-dp:0.0.1"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
           env:
             - name: POD_NAME
               valueFrom:
@@ -6231,13 +6247,17 @@ spec:
             - name: control-plane-ca
               mountPath: /var/run/secrets/kuma.io/cp-ca
               readOnly: true
+            - name: tmp
+              mountPath: /tmp
       volumes:
         - name: control-plane-ca
           secret:
             secretName: "kuma-tls-cert"
             items:
               - key: ca.crt
                 path: ca.crt
+        - name: tmp
+          emptyDir: {}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration

app/kumactl/cmd/install/testdata/install-control-plane.with-ingress.golden.yaml

@@ -570,6 +570,10 @@ spec:
                   - kuma-ingress
               topologyKey: kubernetes.io/hostname
             weight: 100
+      securityContext:
+        runAsGroup: 5678
+        runAsNonRoot: true
+        runAsUser: 5678
       serviceAccountName: kuma-ingress
       nodeSelector:
 
@@ -579,6 +583,8 @@ spec:
         - name: ingress
           image: "docker.io/kumahq/kuma-dp:0.0.1"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
           env:
             - name: POD_NAME
               valueFrom:
@@ -635,13 +641,17 @@ spec:
             - name: control-plane-ca
               mountPath: /var/run/secrets/kuma.io/cp-ca
               readOnly: true
+            - name: tmp
+              mountPath: /tmp
       volumes:
         - name: control-plane-ca
           secret:
             secretName: "kuma-tls-cert"
             items:
               - key: ca.crt
                 path: ca.crt
+        - name: tmp
+          emptyDir: {}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration

app/kumactl/cmd/install/testdata/install-cp-helm/fix4496.golden.yaml

@@ -583,6 +583,10 @@ spec:
                   - kuma-ingress
               topologyKey: kubernetes.io/hostname
             weight: 100
+      securityContext:
+        runAsGroup: 5678
+        runAsNonRoot: true
+        runAsUser: 5678
       serviceAccountName: kuma-ingress
       nodeSelector:
 
@@ -592,6 +596,8 @@ spec:
         - name: ingress
           image: "docker.io/kumahq/kuma-dp:0.0.1"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
           env:
             - name: POD_NAME
               valueFrom:
@@ -648,13 +654,17 @@ spec:
             - name: control-plane-ca
               mountPath: /var/run/secrets/kuma.io/cp-ca
               readOnly: true
+            - name: tmp
+              mountPath: /tmp
       volumes:
         - name: control-plane-ca
           secret:
             secretName: "kuma-tls-cert"
             items:
               - key: ca.crt
                 path: ca.crt
+        - name: tmp
+          emptyDir: {}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress

app/kumactl/cmd/install/testdata/install-cp-helm/fix4935.golden.yaml

@@ -814,6 +814,10 @@ spec:
                   - kuma-egress
               topologyKey: kubernetes.io/hostname
             weight: 100
+      securityContext:
+        runAsGroup: 5678
+        runAsNonRoot: true
+        runAsUser: 5678
       serviceAccountName: kuma-egress
       nodeSelector:
 
@@ -822,6 +826,8 @@ spec:
         - name: egress
           image: "docker.io/kumahq/kuma-dp:0.0.1"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
           env:
             - name: POD_NAME
               valueFrom:
@@ -877,13 +883,17 @@ spec:
             - name: control-plane-ca
               mountPath: /var/run/secrets/kuma.io/cp-ca
               readOnly: true
+            - name: tmp
+              mountPath: /tmp
       volumes:
         - name: control-plane-ca
           secret:
             secretName: "kuma-tls-cert"
             items:
               - key: ca.crt
                 path: ca.crt
+        - name: tmp
+          emptyDir: {}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -937,6 +947,10 @@ spec:
                   - kuma-ingress
               topologyKey: kubernetes.io/hostname
             weight: 100
+      securityContext:
+        runAsGroup: 5678
+        runAsNonRoot: true
+        runAsUser: 5678
       serviceAccountName: kuma-ingress
       nodeSelector:
 
@@ -946,6 +960,8 @@ spec:
         - name: ingress
           image: "docker.io/kumahq/kuma-dp:0.0.1"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
           env:
             - name: POD_NAME
               valueFrom:
@@ -1002,13 +1018,17 @@ spec:
             - name: control-plane-ca
               mountPath: /var/run/secrets/kuma.io/cp-ca
               readOnly: true
+            - name: tmp
+              mountPath: /tmp
       volumes:
         - name: control-plane-ca
           secret:
             secretName: "kuma-tls-cert"
             items:
               - key: ca.crt
                 path: ca.crt
+        - name: tmp
+          emptyDir: {}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress