feat(helm): set readOnlyRootFilesystem on CNI

Signed-off-by: Mike Beaumont <mjboamail@gmail.com>

deployments/charts/kuma/templates/cni-daemonset.yaml

@@ -140,6 +140,8 @@ spec:
               name: host-var-run
               mountPropagation: Bidirectional
             {{- end }}
+            - name: tmp
+              mountPath: /tmp
       volumes:
         # Used to install CNI.
         - name: cni-bin-dir
@@ -159,4 +161,6 @@ spec:
             path: /proc
           name: host-proc
         {{- end }}
+        - name: tmp
+          emptyDir: {}
 {{- end }}

deployments/charts/kuma/values.yaml

@@ -334,27 +334,13 @@ cni:
 
   # -- Security context at the pod level for cni
   podSecurityContext: {}
-#    # The values below are examples. More values can be added as needed, since the field resolves as free form.
-#    runAsNonRoot: true
-#    runAsUser: 1000
-#    runAsGroup: 3000
-#    fsGroup: 2000
-#    fsGroupChangePolicy:
-#    # to support additional pod level securityContext parameters, please check:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core
 
   # -- Security context at the container level for cni
-  containerSecurityContext: {} # for overlapping securityContext between pod and container, the container's value take precedence
-#    # The values below are examples. More values can be added as needed, since the field resolves as free form.
-#    allowPrivilegeEscalation: false
-#    capabilities:
-#      drop:
-#        - all
-#    readOnlyRootFilesystem: true
-#    privileged: false
-#    runAsNonRoot: true
-#    runAsUser: 1000
-#    runAsGroup: 3000
-#    # to support additional container level securityContext parameters, please check:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core
+  containerSecurityContext:
+    readOnlyRootFilesystem: true
+    runAsNonRoot: false
+    runAsUser: 0
+    runAsGroup: 0
 
 dataPlane:
   image: