Security Hardening Improvements

[LarsWinters]

Hi all,

we currently evaluate security hardening for our platform tools including splunk-otel-collector. We defined our policies using kyverno and now want to evaluate whether we can implement those for the collector. We saw, that more or less only run as non root user is documented, which we have set up.

We want to additionally set:

securityContext:
   allowPrivilegeEscalation: false
   dropCapabilities:
     - All
   readOnlyRootFilesystem: true
   Volumes:
     - configMap
     - emptyDir
     - projected
     - Secret
     - downwardAPI
     - persistentVolumeClaim
  apparmor.security.beta.kubernetes.io/*: runtime/default
  seccompProfile:
    - type: RuntimeDefault
  hostPID: false
  hostIPC: false
  hostNetwork: false

Has anyone tested this or can you tell whether those settings are supported? We appreciate any helpful comments/thoughts about this settings.

Thanks!