Merge branch 'flux-policies' into 'master'

Update flux pod spec for best practices.

See merge request platform-one/big-bang/bigbang!596

.gitlab-ci.yml

@@ -76,6 +76,7 @@ pre vars:
     - .gitlab-ci/jobs/**/*
     - scripts/**/*
     - tests/**/*
+    - base/flux/*
 
 .deploy_bigbang: &deploy_bigbang
   - |

base/flux/kustomization.yaml

@@ -27,6 +27,25 @@ patches:
         name: whatever
       spec:
         template:
+          metadata:
+            annotations:
+              # Required by Kubernetes node autoscaler
+              cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
           spec:
             imagePullSecrets:
             - name: private-registry
+            terminationGracePeriodSeconds: 60
+            # Required by Pod Security Policy
+            securityContext:
+              runAsUser: 10000
+              fsGroup: 1337
+            containers:
+              - name: manager
+                # Required by Pod Security Policy
+                securityContext:
+                  readOnlyRootFilesystem: true
+                  allowPrivilegeEscalation: false
+                  runAsNonRoot: true
+                  capabilities:
+                    drop:
+                      - ALL