Introduce securityContext for operator

The `nonroot` user assignment was removed from the dockerfile as this
was already set via the `:nonroot` tag. This user is already set using
its uid.

This allows the `runAsNonRoot` securityContext Flag to work correctly.

Author: J12934

operator/Dockerfile

@@ -28,6 +28,5 @@ ENV TELEMETRY_ENABLED "true"
 
 WORKDIR /
 COPY --from=builder /workspace/manager .
-USER nonroot:nonroot
 
 ENTRYPOINT ["/manager"]

operator/templates/manager/manager.yaml

@@ -77,4 +77,6 @@ spec:
               value: {{ .Values.lurcher.image.pullPolicy }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
       terminationGracePeriodSeconds: 10

operator/values.yaml

@@ -12,7 +12,16 @@ image:
   # @default -- defaults to the charts version
   tag: null
   # image.pullPolicy -- Image pull policy
-  pullPolicy: Always
+  pullPolicy: IfNotPresent
+
+securityContext:
+  runAsNonRoot: true
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  privileged: false
+  capabilities:
+    drop:
+      - all
 
 lurcher:
   image: