Context
PR #152 hardens the four chart-templated Deployments (operator, proxy, console, mcp) for Pod Security Admission restricted. Brokers and managed etcd are operator-reconciled (app=kafscale-broker, etcd StatefulSet/Deployment), so they are out of scope for the chart change.
Task
Add PSA restricted-compatible pod and container securityContext defaults to operator-reconciled broker and etcd workloads, aligned with the shipped images (USER 10001).
Acceptance
- Broker and etcd pods render/run with the same restricted controls as chart workloads (
runAsNonRoot, dropped capabilities, readOnlyRootFilesystem, seccompProfile: RuntimeDefault, etc.)
- Writable mounts added only where runtime code requires them (mirror proxy
/tmp pattern if needed)
- Conformance test or operator render test prevents regression
Context
PR #152 hardens the four chart-templated Deployments (operator, proxy, console, mcp) for Pod Security Admission
restricted. Brokers and managed etcd are operator-reconciled (app=kafscale-broker, etcd StatefulSet/Deployment), so they are out of scope for the chart change.Task
Add PSA
restricted-compatible pod and containersecurityContextdefaults to operator-reconciled broker and etcd workloads, aligned with the shipped images (USER 10001).Acceptance
runAsNonRoot, dropped capabilities,readOnlyRootFilesystem,seccompProfile: RuntimeDefault, etc.)/tmppattern if needed)