Update init containers to be PSS compliant

Description:
- Enforce initContainers to be compliant when PSS is set to restricted
- As part of #1883

charts/db-backup/values.yaml

@@ -53,6 +53,8 @@ securityContext:
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: 1001
+  seccompProfile:
+    type: RuntimeDefault
 
 serviceAccount:
   create: true

charts/generic-govuk-app/templates/assets-upload-job.yaml

@@ -45,10 +45,13 @@ spec:
             - name: assets-to-upload
               mountPath: /assets-to-upload
           securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default "false" }}
+            runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default "true" }}
+            readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default "true" }}
+            seccompProfile:
+              type: RuntimeDefault
             capabilities:
-              drop: ["ALL"]
+              drop: {{ .Values.securityContext.capabilities.drop }}
       containers:
         - name: upload-assets
           image: 172025368201.dkr.ecr.eu-west-1.amazonaws.com/github/alphagov/govuk/toolbox:latest

charts/generic-govuk-app/templates/deployment.yaml

@@ -63,6 +63,15 @@ spec:
           volumeMounts:
             - name: assets
               mountPath: /assets
+          securityContext:
+            allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default "false" }}
+            runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default "true" }}
+            readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default "true" }}
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop: {{ .Values.securityContext.capabilities.drop }}
+
       {{- end }}
       containers:
         - name: app
@@ -127,9 +136,9 @@ spec:
           {{- end }}
           securityContext:
             allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}
-            readOnlyRootFilesystem: true
+            readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFileSystem }}
             capabilities:
-              drop: ["ALL"]
+              drop: {{ .Values.securityContext.capabilities.drop }}
           volumeMounts:
             - name: app-tmp
               mountPath: /tmp

charts/generic-govuk-app/values.yaml

@@ -157,6 +157,9 @@ securityContext:
   allowPrivilegeEscalation: false
   runAsUser: 1001
   runAsGroup: 1001
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop: ["ALL"]
 
 sentry:
   enabled: true

charts/govuk-jobs/templates/govuk-mirror-sync-cronjob.yaml

@@ -50,8 +50,13 @@ spec:
                   cpu: 2
                   memory: 15000Mi
               securityContext:
-                allowPrivilegeEscalation: false
-                readOnlyRootFilesystem: true
+                allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default "false" }}
+                runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default "true" }}
+                readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default "true" }}
+                seccompProfile:
+                  type: RuntimeDefault
+                capabilities:
+                  drop: {{ .Values.securityContext.capabilities.drop }}
               volumeMounts:
                 - name: app-mirror-sync
                   mountPath: /data

charts/govuk-jobs/values.yaml

@@ -11,7 +11,7 @@ podSecurityContext:
 securityContext:
   allowPrivilegeEscalation: false
   capabilities:
-    drop: [ALL]
+    drop: ["ALL"]
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: 1001