Make the default security policies of kueue compatible with the restricted policy #2105

Open
wants to merge 6 commits into
base: main

rhaps0dy
Contributor

What type of PR is this?

/kind feature

What this PR does / why we need it:

Many Kubernetes clusters enforce security standards on the pods that run. Kueue can run perfectly well under the restricted standard, so we should comply with it by default.

This PR makes the default securityContext settings for the Kueue controller manager pods and containers be compliant with the restricted security standard.

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

Does this PR introduce a user-facing change?

- Kueue controller-manager now complies with the `restricted` security standard by default (see https://kubernetes.io/docs/concepts/security/pod-security-standards/). 
- Helm chart now lets admins control the securityContext for the kube-rbac-proxy container using `kubeRbacProxy.securityContext`.
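
An added example (not code from this PR or from Kueue): a check of the `securityContext` fields that the `restricted` Pod Security Standard constrains for Linux pods, run over two constructed pod specs. The function names and sample specs are assumptions; `readOnlyRootFilesystem`, raised later in the review, is reported separately because the standard does not require it.

```python
# Added example: the pod specs below are constructed, not taken from the Kueue chart.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def first_set(*values):
    """Return the first value that is not None (container-level before pod-level)."""
    return next((v for v in values if v is not None), None)

def restricted_violations(pod_spec):
    """List violations of the securityContext rules in the restricted profile."""
    pod_sc = pod_spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    out = []
    # Pod-level values that are explicitly set must themselves be allowed.
    if pod_sc.get("runAsNonRoot") is False:
        out.append("pod: runAsNonRoot must not be false")
    if pod_sc.get("runAsUser") == 0:
        out.append("pod: runAsUser must not be 0")
    if pod_seccomp is not None and pod_seccomp not in ALLOWED_SECCOMP:
        out.append("pod: seccompProfile.type not allowed")
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc, name = c.get("securityContext") or {}, c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            out.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add") or []) - {"NET_BIND_SERVICE"}:
            out.append(f"{name}: may only add NET_BIND_SERVICE")
        # Container fields may stay unset only when the pod-level field is compliant.
        if first_set(sc.get("runAsNonRoot"), pod_sc.get("runAsNonRoot")) is not True:
            out.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser") == 0:
            out.append(f"{name}: runAsUser must not be 0")
        seccomp = first_set((sc.get("seccompProfile") or {}).get("type"), pod_seccomp)
        if seccomp not in ALLOWED_SECCOMP:
            out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out

def hardening_notes(pod_spec):
    """Extra hardening discussed in the review; not required by the restricted profile."""
    return [f"{c['name']}: readOnlyRootFilesystem is not true"
            for c in pod_spec.get("containers", [])
            if (c.get("securityContext") or {}).get("readOnlyRootFilesystem") is not True]

# Constructed samples: a bare container, and one carrying the restricted settings.
BARE = {"containers": [{"name": "manager"}]}
HARDENED = {"securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
            "containers": [{"name": "manager", "securityContext": {
                "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}
print(restricted_violations(BARE), restricted_violations(HARDENED), hardening_notes(HARDENED))
```
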

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Apr 30, 2024
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rhaps0dy
Once this PR has been reviewed and has the lgtm label, please assign alculquicondor for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 30, 2024
@k8s-ci-robot
Contributor

Hi @rhaps0dy. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Apr 30, 2024

netlify bot commented Apr 30, 2024

Deploy Preview for kubernetes-sigs-kueue ready!

Name Link
🔨 Latest commit 553ca6a
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-sigs-kueue/deploys/663132129304f10008c507b5
😎 Deploy Preview https://deploy-preview-2105--kubernetes-sigs-kueue.netlify.app

@@ -19,6 +19,11 @@ controllerManager:
tag: v0.8.0
# This should be set to 'IfNotPresent' for released version
pullPolicy: IfNotPresent
containerSecurityContext:
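
Review bot: the new `containerSecurityContext:` key at the end of this hunk has no comment above it, unlike `pullPolicy` just before it. Since it becomes a user-overridable value, add a comment stating that the defaults target the `restricted` Pod Security Standard and that an override can take the pod out of compliance. The hunk grows from 6 to 11 lines but only the key is visible here, so confirm the block sets the container-level fields that standard requires: `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`, `runAsNonRoot: true`, and a `seccompProfile.type` of `RuntimeDefault` or `Localhost`.
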
Contributor

If it can perfectly run in a restricted environment... let's not make it configurable?

Contributor Author

OK, that seems fine. I thought folks would want to make it even more restricted (e.g. using readOnlyRootFilesystem: true, which I haven't bothered to do here, or a more restrictive seccompProfile).

I'm happy to just change it and leave it unconfigurable too.

Off the top of your head, do you know which directory/ies kueue tries to write to? (so we can make them emptyDirs and restrict read/write of root FS). No worries if it's too complicated to just write, I asked in case it's easy for you.

Contributor

We don't write to disk at all and I don't think we intend to. kueue is pretty stateless.

Contributor Author

OK, I'll look into why readOnlyRootFilesystem: true failed on my cluster then.

Contributor

Uhmm... I think I remember seeing that the cert logic writes to disk.

@alculquicondor
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 2, 2024
@alculquicondor
Contributor

cc @Gekko0114 in case you have an opinion on whether to make the security profile configurable.
