added security context values for gatekeeper crd chart

this is needed so that these jobs can be run in the namespace with restricted psa labels applied

packages/rancher-gatekeeper/templates/crd-template/templates/jobs.yaml

@@ -40,6 +40,12 @@ spec:
             - name: crd-manifest
               readOnly: true
               mountPath: /etc/config
+          securityContext:
+            {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
+            {{- toYaml .Values.securityContext | nindent 12 }}
       restartPolicy: OnFailure
       volumes:
       - name: crd-manifest
@@ -88,6 +94,12 @@ spec:
             - name: crd-manifest
               readOnly: true
               mountPath: /etc/config
+          securityContext:
+            {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
+            {{- toYaml .Values.securityContext | nindent 12 }}
       containers:
         - name: delete-crds
           image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
@@ -101,6 +113,12 @@ spec:
             - name: crd-manifest
               readOnly: true
               mountPath: /etc/config
+          securityContext:
+            {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
+            {{- toYaml .Values.securityContext | nindent 12 }}
       restartPolicy: OnFailure
       volumes:
       - name: crd-manifest

packages/rancher-gatekeeper/templates/crd-template/values.yaml

@@ -11,3 +11,11 @@ global:
 image:
   repository: rancher/kubectl
   tag: v1.20.2
+
+enableRuntimeDefaultSeccompProfile: true
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL