
Commit

Drop all capabilities for containers and add image pull policy (#903)
[comment]: # (Note that your PR title should follow the conventional
commit format: https://conventionalcommits.org/en/v1.0.0/#summary)
# PR Description

[comment]: # (The below checklist is for PRs adding new features. If a
box is not checked, add a reason why it's not needed.)
# New Feature Checklist

- [ ] List telemetry added about the feature.
- [ ] Link to the one-pager about the feature.
- [ ] List any tasks necessary for release (3P docs, AKS RP chart
changes, etc.) after merging the PR.
- [ ] Attach results of scale and perf testing.

[comment]: # (The below checklist is for code changes. Not all boxes
necessarily need to be checked. Build, doc, and template changes do not
need to fill out the checklist.)
# Tests Checklist

- [ ] Have end-to-end Ginkgo tests been run on your cluster and passed?
To bootstrap your cluster to run the tests, follow [these
instructions](/otelcollector/test/README.md#bootstrap-a-dev-cluster-to-run-ginkgo-tests).
  - Labels used when running the tests on your cluster:
    - [ ] `operator`
    - [ ] `windows`
    - [ ] `arm64`
    - [ ] `arc-extension`
    - [ ] `fips`
- [ ] Have new tests been added? For features, have tests been added for
this feature? For fixes, is there a test that could have caught this
issue and could validate that the fix works?
  - [ ] Is a new scrape job needed?
- [ ] The scrape job was added to the folder
[test-cluster-yamls](/otelcollector/test/test-cluster-yamls/) in the
correct configmap or as a CR.
  - [ ] Was a new test label added?
- [ ] A string constant for the label was added to
[constants.go](/otelcollector/test/utils/constants.go).
- [ ] The label and description was added to the [test
README](/otelcollector/test/README.md).
- [ ] The label was added to this [PR
checklist](/.github/pull_request_template).
- [ ] The label was added as needed to
[testkube-test-crs.yaml](/otelcollector/test/testkube/testkube-test-crs.yaml).
  - [ ] Are additional API server permissions needed for the new tests?
- [ ] These permissions have been added to
[api-server-permissions.yaml](/otelcollector/test/testkube/api-server-permissions.yaml).
  - [ ] Was a new test suite (a new folder under `/tests`) added?
- [ ] The new test suite is included in
[testkube-test-crs.yaml](/otelcollector/test/testkube/testkube-test-crs.yaml).
rashmichandrashekar authored Jun 7, 2024
1 parent 00bd427 commit 83f0491
Showing 4 changed files with 34 additions and 24 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,11 @@ spec:
value: "{{ .Values.AzureMonitorMetrics.OpenTelemetryMetricsPort }}"
securityContext:
privileged: false
capabilities:
drop:
- ALL
add:
- DAC_OVERRIDE
volumeMounts:
- mountPath: /etc/config/settings
name: settings-vol-config
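Review bot: the reason DAC_OVERRIDE is added back immediately after `drop: - ALL` is not recorded anywhere; the PR body above is still the unfilled template. DAC_OVERRIDE bypasses discretionary file permission checks, which is close to root-equivalent for file access, so a one-line YAML comment next to `add:` naming the file or path that needs it (the host log mounts in this spec are already `readOnly: true`) would let a later reviewer test whether it can be dropped. While this block is being touched, `allowPrivilegeEscalation: false` next to `privileged: false` would be the natural companion setting.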
Expand All @@ -152,9 +157,6 @@ spec:
- name: host-log-containers
readOnly: true
mountPath: /var/log/containers
- name: host-log-pods
readOnly: true
mountPath: /var/log/pods
- mountPath: /anchors/mariner
name: anchors-mariner
readOnly: true
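Review bot: removing the `host-log-pods` mount (`/var/log/pods`) changes what the collector can read from the host and is not mentioned in the commit title, which covers only capabilities and pull policy; please note it in the description or split it into its own commit. The matching `hostPath` volume is removed in a later hunk of this file, and the two must land together: a `volumeMounts` entry whose name has no `volumes` entry fails pod validation.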
Expand Down Expand Up @@ -248,7 +250,7 @@ spec:
- operator: "Exists"
effect: "NoExecute"
- operator: "Exists"
effect: "PreferNoSchedule"
effect: "PreferNoSchedule"
{{- end }}
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
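Review bot: confirm the re-indentation of `effect: "PreferNoSchedule"` renders the same tolerations list as before (a diff of `helm template` output against the previous chart is enough), because a whitespace shift inside the `{{- end }}` block can silently attach the key to a different mapping without any rendering error.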
Expand Down Expand Up @@ -284,9 +286,6 @@ spec:
- name: host-log-containers
hostPath:
path: /var/log/containers
- name: host-log-pods
hostPath:
path: /var/log/pods
- name: anchors-mariner
hostPath:
path: /etc/pki/ca-trust/anchors/
Expand Down Expand Up @@ -412,6 +411,11 @@ spec:
value: "{{ .Values.AzureMonitorMetrics.OpenTelemetryMetricsPort }}"
securityContext:
privileged: false
capabilities:
drop:
- ALL
add:
- DAC_OVERRIDE
volumeMounts:
- mountPath: /etc/config/settings
name: settings-vol-config
Expand All @@ -425,9 +429,6 @@ spec:
- name: host-log-containers
readOnly: true
mountPath: /var/log/containers
- name: host-log-pods
readOnly: true
mountPath: /var/log/pods
livenessProbe:
exec:
command:
Expand All @@ -447,7 +448,7 @@ spec:
- --token-server-listening-port=7777
- --health-server-listening-port=9999
image: "mcr.microsoft.com{{ .Values.AzureMonitorMetrics.AddonTokenAdapter.ImageRepositoryWin }}:{{ .Values.AzureMonitorMetrics.AddonTokenAdapter.ImageTagWin }}"
imagePullPolicy: Always
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /healthz
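Review bot: switching the addon token adapter from `imagePullPolicy: Always` to `IfNotPresent` means a node that already has `{{ .Values.AzureMonitorMetrics.AddonTokenAdapter.ImageTagWin }}` cached keeps running that cached image even if the tag is republished. That is fine as long as every release bumps the tag; if the tag can ever be reused, pin the image by digest (`@sha256:...`) in the values file instead, which keeps the faster start-up of `IfNotPresent` without the stale-image risk.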
Expand All @@ -461,9 +462,11 @@ spec:
cpu: 100m
memory: 100Mi
securityContext:
capabilities:
add:
- NET_ADMIN
capabilities:
drop:
- ALL
add:
- NET_ADMIN
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
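Review bot: `drop: - ALL` before `add: - NET_ADMIN` is the right shape, but NET_ADMIN is a broad capability (interface, routing and firewall configuration) and nothing in the visible spec says why the token adapter needs it; listening on `--token-server-listening-port=7777` and `--health-server-listening-port=9999` from the hunk above does not require it. Please add a YAML comment stating what NET_ADMIN is used for, so it can be re-evaluated later rather than carried forward indefinitely.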
Expand Down Expand Up @@ -501,7 +504,4 @@ spec:
secret:
secretName: ama-metrics-mtls-secret
optional: true
- name: host-log-pods
hostPath:
path: /var/log/pods
{{- end }}
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,11 @@ spec:
value: "true" # only supported value is the string "true"
securityContext:
privileged: false
capabilities:
drop:
- ALL
add:
- DAC_OVERRIDE
volumeMounts:
- mountPath: /etc/config/settings
name: settings-vol-config
Expand All @@ -176,9 +181,6 @@ spec:
- name: host-log-containers
readOnly: true
mountPath: /var/log/containers
- name: host-log-pods
readOnly: true
mountPath: /var/log/pods
- mountPath: /anchors/mariner
name: anchors-mariner
readOnly: true
Expand Down Expand Up @@ -320,9 +322,6 @@ spec:
- name: host-log-containers
hostPath:
path: /var/log/containers
- name: host-log-pods
hostPath:
path: /var/log/pods
- name: anchors-mariner
hostPath:
path: /etc/pki/ca-trust/anchors/
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,10 @@ spec:
requests:
cpu: 5m
memory: 50Mi
securityContext:
capabilities:
drop:
- ALL
ports:
- containerPort: 8080
name: "http"
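Review bot: `drop: - ALL` with no `add:` is the preferred form and this container evidently needs nothing back; consider completing the block with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`, since with every capability dropped those two usually cost nothing and move the container closer to the restricted Pod Security Standard.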
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,10 @@ spec:
value: {{ .Values.AzureMonitorMetrics.ImageTagTargetAllocator }}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
securityContext:
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /conf
name: ta-config-shared
Expand Down Expand Up @@ -154,6 +158,10 @@ spec:
readOnly: true
- mountPath: /ta-configuration
name: ta-config-shared
securityContext:
capabilities:
drop:
- ALL
livenessProbe:
exec:
command:
Expand All @@ -167,7 +175,6 @@ spec:
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: ama-metrics-serviceaccount
serviceAccountName: ama-metrics-serviceaccount
terminationGracePeriodSeconds: 30
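Review bot: deleting the empty pod-level `securityContext: {}` is functionally a no-op, but the pod level is where `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` would apply to every container at once, including the two in this file that only received `drop: - ALL`; consider keeping the key and filling it in rather than removing it.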
Expand Down

0 comments on commit 83f0491