🌱 add explicit securityContexts to the controller

[chrischdi]

What this PR does / why we need it:

This does not really change the configuration, it just makes it explicit and enforce the defaults, except for the seccompPolicy which changes from Unconfined to RuntimeDefault. Syscalls filtered by RuntimeDefault policy are 95% namespaced and require capabilities (which we drop) in the first place, so no practical change there either.

This allows to be compatible to the restricted pod security admission profile.

This is a recommendation in the CAPI v1.3->1.4 upgrade guide.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Prior art:

• ✨ add explicit securitycontexts to controllers cluster-api#7831
• add explicit securityContexts to the controller cluster-api-provider-aws#4104

Note: this requires the v1.4 branch of CAPI for usage with tilt, because the Tiltfile then removes the securityContext for allowing it to succeed.

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

Release note:

Explicitly set securityContexts in the manifests to comply with the restricted pod security admission profile.

[k8s-ci-robot]

@chrischdi: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cluster-api-provider-vsphere-verify-crds	f46be9a	link	false	/test pull-cluster-api-provider-vsphere-verify-crds

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[chrischdi]

@chrischdi: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cluster-api-provider-vsphere-verify-crds f46be9a link false /test pull-cluster-api-provider-vsphere-verify-crds
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

I don't know why this creates a diff for the CRD's 🤔 must be an unrelated change.

[srm09]

The verify-crds jobs has been flaking out since the usage of controller gen in CAPV Makefile provides multiple paths fields when running the command, which causes the output to be non deterministic. This is being tracked in #1757

[srm09]

@chrischdi to understand more about this one, does it mean that the latest version of the CAPV might not work with previous CAPI version, say v1.3.x post this change?

[chrischdi]

@chrischdi to understand more about this one, does it mean that the latest version of the CAPV might not work with previous CAPI version, say v1.3.x post this change?

When this would get merged, running capv with tilt requires this change: kubernetes-sigs/cluster-api#7846
This change in tilt-prepare removes the securityContext, because it requires more privileges when running with dlv or for doing tilt stuff.

Generally: running with capi v1.3 is no issue at all, just when capv gets run with tilt :-)

[chrischdi]

Ping @srm09 :-) if you find some time

[srm09]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: srm09

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [srm09]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment