chore(postgres): set pod security standards

postgres/cnpg-values.yaml

@@ -1,3 +1,22 @@
+# Pod Security Context for restricted Pod Security Standards
+podSecurityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+  fsGroup: 10001
+
+# Container Security Context for restricted Pod Security Standards
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  runAsUser: 10001
+  runAsGroup: 10001
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL
+
 resources:
   requests:
     cpu: 50m

postgres/justfile

@@ -1,7 +1,7 @@
 set fallback := true
 
 export CNPG_NAMESPACE := env("CNPG_NAMESPACE", "postgres")
-export CNPG_CHART_VERSION := env("CNPG_CHART_VERSION", "0.26.0")
+export CNPG_CHART_VERSION := env("CNPG_CHART_VERSION", "0.26.1")
 export CNPG_CLUSTER_CHART_VERSION := env("CNPG_CLUSTER_CHART_VERSION", "0.3.1")
 export POSTGRES_STORAGE_SIZE := env("POSTGRES_STORAGE_SIZE", "20Gi")
 export POSTGRES_MAX_CONNECTIONS := env("POSTGRES_MAX_CONNECTIONS", "200")
@@ -39,6 +39,9 @@ install-cnpg:
         -n ${CNPG_NAMESPACE} --create-namespace --wait \
         -f cnpg-values.yaml
 
+    @kubectl label namespace ${CNPG_NAMESPACE} \
+        pod-security.kubernetes.io/enforce=restricted --overwrite
+
 # Uninstall CloudNativePG
 uninstall-cnpg:
     @helm uninstall cnpg -n ${CNPG_NAMESPACE} --wait

postgres/postgres-cluster-values.gomplate.yaml

@@ -1,6 +1,10 @@
 cluster:
   instances: 1
 
+  # Security configuration for restricted Pod Security Standards
+  seccompProfile:
+    type: RuntimeDefault
+
   # Resource configuration (Guaranteed QoS)
   resources:
     requests: