Run stack support diagnostics pod with more restrictive security context. (#351)

All we need is to call HTTP APIs

Author: pebrc

internal/job.tpl.yml

@@ -13,8 +13,14 @@ spec:
       image: {{ .DiagnosticImage }}
       imagePullPolicy: IfNotPresent
       securityContext:
-        runAsUser: 1000
+        runAsNonRoot: true
         allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
+        readOnlyRootFilesystem: true
+        seccompProfile:
+          type: RuntimeDefault
       {{ if (and .ESSecretName .ESSecretKey) }}
       env:
         - name: ES_PW