[BGD-4448] run DP components as as non root

charts/bigdata-operator/values.yaml

@@ -35,7 +35,8 @@ podLabels:
 podSecurityContext: {}
 # fsGroup: 2000
 
-securityContext: {}
+securityContext:
+  runAsNonRoot: true
 # capabilities:
 #   drop:
 #   - ALL

charts/bigdata-proxy/values.yaml

@@ -45,7 +45,8 @@ podLabels:
 podSecurityContext: {}
   # fsGroup: 2000
 
-securityContext: {}
+securityContext:
+  runAsNonRoot: true
   # capabilities:
   #   drop:
   #   - ALL

charts/bigdata-spark-watcher/values.yaml

@@ -56,7 +56,8 @@ podLabels:
 podSecurityContext: {}
   # fsGroup: 2000
 
-securityContext: {}
+securityContext:
+  runAsNonRoot: true
   # capabilities:
   #   drop:
   #   - ALL

charts/bigdata-telemetry/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: bigdata-telemetry
 description: A Helm chart for the Spot Big Data Telemetry components
 type: application
-version: 0.2.0
+version: 0.2.1
 appVersion: "1.16.0"
 home: https://github.com/spotinst/charts
 icon: https://docs.spot.io/_media/images/spot_mark.png

charts/bigdata-telemetry/templates/thanos-receiver-statefulset.yaml

@@ -90,6 +90,8 @@ spec:
               port: 10902
               scheme: HTTP
             periodSeconds: 5
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
             - mountPath: /var/thanos/receive

charts/bigdata-telemetry/values.yaml

@@ -15,6 +15,8 @@ thanos:
 
 nodeSelector: {}
 
+securityContext: {}
+
 affinity:
   nodeAffinity:
     requiredDuringSchedulingIgnoredDuringExecution:

charts/spark-operator/values.yaml

@@ -20,6 +20,8 @@ spark-operator:  # This section controls the behavior of the spark operator sub-
 
   disableExecutorReporting: false
 
+  securityContext: {}
+
   webhook:
     enable: true
     # If hostNetwork is set to true it is probably a good idea to change this (e.g. 25554)