Improve security for helm chart

[winston0410]

What are you trying to do

Improve security for helm chart and avoid security warnings.

These are the warnings after linting with kubescape

What HAProxy Ingress should do or how it should behave differently

Fix deployment like this, this is the deployment that I have patched with kustomize

---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: haproxy-ingress
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: haproxy-ingress
    app.kubernetes.io/version: v0.14.2
    helm.sh/chart: haproxy-ingress-0.14.2
  name: haproxy-ingress
  namespace: haproxy-ingress
spec:
  minReadySeconds: 0
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: haproxy-ingress
      app.kubernetes.io/name: haproxy-ingress
  strategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: haproxy-ingress
        app.kubernetes.io/name: haproxy-ingress
    spec:
      automountServiceAccountToken: false
      containers:
      - args:
        - --configmap=haproxy-ingress/haproxy-ingress
        - --tcp-services-configmap=haproxy-ingress/tcp-ingress
        - --ingress-class=haproxy
        - --sort-backends
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: quay.io/jcmoraisjr/haproxy-ingress:v0.14.2
        imagePullPolicy: Always
        name: haproxy-ingress
        ports:
        - containerPort: 80
          name: http
        - containerPort: 443
          name: https
        - containerPort: 10253
          name: healthz
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10253
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 50m
            memory: 256Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65534
          runAsNonRoot: true
          runAsUser: 65534
        volumeMounts:
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: serviceaccount-token
          readOnly: true
        - mountPath: /etc/haproxy
          name: haproxy-etc-dir
          readOnly: false
        - mountPath: /var/lib/haproxy
          name: haproxy-var-lib-dir
          readOnly: false
        - mountPath: /var/run/haproxy
          name: haproxy-var-run-dir
          readOnly: false
      dnsPolicy: ClusterFirst
      hostNetwork: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: haproxy-ingress
      terminationGracePeriodSeconds: 60
      volumes:
      - name: serviceaccount-token
        projected:
          defaultMode: 292
          sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              items:
              - key: ca.crt
                path: ca.crt
              name: kube-root-ca.crt
          - downwardAPI:
              items:
              - fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
                path: namespace
      - emptyDir: {}
        name: haproxy-etc-dir
      - emptyDir: {}
        name: haproxy-var-lib-dir
      - emptyDir: {}
        name: haproxy-var-run-dir