ToolHive Operator: Set ProxyRunner SecurityContext

## Description

As mentioned in [this comment](https://github.com/stacklok/toolhive/pull/1253#discussion_r2254715861), we should set the `securityContext` for the [ProxyRunner](https://github.com/stacklok/toolhive/blob/main/cmd/thv-operator/controllers/mcpserver_controller.go#L562) like we do with the individual MCPServers [pods](https://github.com/stacklok/toolhive/blob/main/pkg/container/kubernetes/client.go#L917) and [containers](https://github.com/stacklok/toolhive/blob/main/pkg/container/kubernetes/client.go#L996) themselves.

## Change Proposal

For the ProxyRunner, we should implement the following `securityContext` configuration:
- `pod`:
    - `runAsNonRoot: true`
    - `runAsUser: 1000`
    - `runAsGroup: 1000`
    - `fsGroup: 1000`
- `container`:
    - `priviledged: false`
    - `runAsNonRoot: true`
    - `runAsUser: 1000`
    - `runAsGroup: 1000`
    - `allowPrivilegeEscalation: false`
    - `readOnlyFileSystem: true`


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ToolHive Operator: Set ProxyRunner SecurityContext #1285

Description

Change Proposal

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

ToolHive Operator: Set ProxyRunner SecurityContext #1285

Description

Description

Change Proposal

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions