feat(chart): Improved default security context

[stevehipwell]

Fixes #N/A

Description
This PR improves the default security context posture and adds support for setting container values which should be user defined.

How was this change tested?
The Helm chart was templated with the new values.

Does this change impact docs?

• Yes, PR includes docs updates
• Yes, issue opened: #
• No

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[netlify]

✅ Deploy Preview for karpenter-docs-prod ready!

Name	Link
🔨 Latest commit	b24b786
🔍 Latest deploy log	https://app.netlify.com/sites/karpenter-docs-prod/deploys/6800d394d8940a0008b4cb5c
😎 Deploy Preview	https://deploy-preview-7279--karpenter-docs-prod.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[stevehipwell]

CC @jonathan-innis

[stevehipwell]

@tzneal could you take a look at this please?

[github-actions]

This PR has been inactive for 14 days. StaleBot will close this stale PR after 14 more days of inactivity.

[stevehipwell]

@jonathan-innis @tzneal could someone please take a look at this?

[stevehipwell]

@jonathan-innis @tzneal could someone please take a look at this?

[saurav-agarwalla]

I'll take a look at this.

[github-actions]

This PR has been inactive for 14 days. StaleBot will close this stale PR after 14 more days of inactivity.

[stevehipwell]

/not-stale

[stevehipwell]

@saurav-agarwalla did you manage to take a look at this?

[saurav-agarwalla]

@stevehipwell apologies for the delay, I started reviewing this but then got side-tracked with the holidays and other things. Planning to get back to it this week.

[coveralls]

Pull Request Test Coverage Report for Build 14513302984

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.02%) to 66.444%

---

Totals
Change from base Build 14504624666:	0.02%
Covered Lines:	6768
Relevant Lines:	10186

---

💛 - Coveralls

[stevehipwell]

@saurav-agarwalla I think there is some confusion over what a first party Helm chart should be. A first party Helm chart should be opinionated and follow both industry and project best practices. As it owns the constraints it doesn't need to open everything up for customization.

Karpenter's constraints are that it runs on Linux, as a non-root user, and doesn't need any additional OS permissions; therefore there is no valid reason to allow an end-user to lower this security posture.

CC @jonathan-innis @tzneal @bwagner5

[jonathan-innis]

Hey @stevehipwell -- sorry that we've been slow on this -- I just took a look, most of the changes look reasonable -- just a few questions about potential breaking changes and why you need certain levels of customization

[stevehipwell]

@jonathan-innis I've replied to your comments and rebased.

[stevehipwell]

@jonathan-innis I've reverted the pod non-root default.

[stevehipwell]

@jonathan-innis I've rebased this PR again and it'd be great to get it merged.

[stevehipwell]

👀 @jonathan-innis

[jonathan-innis]

I think that's my last question -- everything else looks good to ship -- just if there is a strong reason from removing RuntimeDefault

[stevehipwell]

@jonathan-innis could we get this merged before the release for v1.4.0?

[jonathan-innis]

could we get this merged before the release for v1.4.0

I think we're going to have to punt this into v1.5.0 at this point -- we've already staged out the changes for v1.4.0. I wouldn't expect us to have a huge lead time to the next minor version, though -- we've got a number of perf things that we'd like to get through and release soon-ish

[jonathan-innis]

LGTM 🚀