feat: make zarf-agent pods comply with offical restricted pod securit…

…y standard (#3036)

Signed-off-by: Cade Thomas <cadethomas23@gmail.com>
Signed-off-by: schristoff <28318173+schristoff@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Cade Thomas <cade.thomas@atlas-inno.com>
Co-authored-by: schristoff <28318173+schristoff@users.noreply.github.com>
Co-authored-by: Austin Abro <37223396+AustinAbro321@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

packages/zarf-agent/manifests/deployment.yaml

@@ -21,6 +21,13 @@ spec:
         - name: private-registry
       priorityClassName: system-node-critical
       serviceAccountName: zarf
+      # Security context to comply with restricted PSS
+      securityContext:
+        runAsUser: 1000
+        fsGroup: 2000
+        runAsGroup: 2000
+        seccompProfile:
+          type: "RuntimeDefault"
       containers:
         - name: server
           image: "###ZARF_REGISTRY###/###ZARF_CONST_AGENT_IMAGE###:###ZARF_CONST_AGENT_IMAGE_TAG###"
@@ -32,6 +39,12 @@ spec:
               scheme: HTTPS
           ports:
             - containerPort: 8443
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop: ["ALL"]
           resources:
             requests:
               memory: "32Mi"