chore(ollama): set pod security standards

ollama/justfile

@@ -29,6 +29,12 @@ create-namespace:
     if ! kubectl get namespace ${OLLAMA_NAMESPACE} &>/dev/null; then
         kubectl create namespace ${OLLAMA_NAMESPACE}
     fi
+    kubectl label namespace ${OLLAMA_NAMESPACE} \
+        pod-security.kubernetes.io/enforce=restricted \
+        pod-security.kubernetes.io/enforce-version=latest \
+        pod-security.kubernetes.io/warn=restricted \
+        pod-security.kubernetes.io/warn-version=latest \
+        --overwrite
 
 # Delete Ollama namespace
 delete-namespace:

ollama/values.gomplate.yaml

@@ -19,6 +19,21 @@ ollama:
 {{- end }}
 {{- end }}
 
+podSecurityContext:
+  fsGroup: 1000
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  runAsUser: 1000
+  runAsNonRoot: true
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL
+
 persistentVolume:
   enabled: true
   size: {{ .Env.OLLAMA_STORAGE_SIZE }}