Hardening container (#254)

Issue #, if available:

Relates aws-controllers-k8s/community#1112

Description of changes:
- ~~No longer runs as root, runs as nobody instead, since runtime is from scratch I've added a "dummy" /etc/shadow file~~
- ~~Runtime image is now "from scratch" since we don't need much other than ca-certs and the binary itself (eg. curl, vim, etc)~~
- Standard principle of least privilege security caps in deployment manifest (drop all plus explicit least privilege deployment/pod settings and capabilities)

This is a draft since there's still stuff missing, and not sure if you would want to go in a different direction

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Author: philnichol

templates/config/controller/deployment.yaml.tpl

@@ -53,4 +53,13 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        securityContext:
+          allowPrivilegeEscalation: false
+          privileged: false
+          capabilities:
+            drop:
+              - ALL
       terminationGracePeriodSeconds: 10
+      hostIPC: false
+      hostNetwork: false
+      hostPID: false

templates/helm/templates/deployment.yaml

@@ -73,6 +73,12 @@ spec:
           value: {{ .Values.log.level | quote }}
         - name: ACK_RESOURCE_TAGS
           value: {{ join "," .Values.resourceTags | quote }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          privileged: false
+          capabilities:
+            drop:
+              - ALL
       terminationGracePeriodSeconds: 10
       nodeSelector: {{ toYaml .Values.deployment.nodeSelector | nindent 8 }}
       {{ if .Values.deployment.tolerations -}}
@@ -84,3 +90,6 @@ spec:
       {{ if .Values.deployment.priorityClassName -}}
       priorityClassName: {{ .Values.deployment.priorityClassName -}}
       {{ end -}}
+      hostIPC: false
+      hostNetwork: false
+      hostPID: false