
Add a default `securityContext` policy

Feature Request

Why

Big Bang ships with Kyverno policies that forbid workloads from launching without a securityContext, or with a privileged securityContext, unless the workload is present in an allowlist. This is useful and beneficial from a security standpoint, but it can cause issues with packages when the upstream chart does not expose a way to set securityContext on the package's workloads, forcing Big Bang developers to modify and continually re-integrate changes to the upstream's templates and values. Some examples just from the observability team's packages:

Proposed Solution

In addition to validating policies, Kyverno also offers mutating policies (applied through its mutating admission webhook) that can be leveraged to "inject" securityContexts into workload specs at Pod creation. By shifting the responsibility to Kyverno to set a default securityContext if one isn't explicitly defined, Big Bang package maintainers can comfortably re-use more upstream chart elements without any downstream modification, aiding maintenance velocity for those packages.

Kyverno has an example policy that would serve as a good starting point for this enhancement.
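For illustration, here is the shape such a mutating policy could take. This is an added example, not the issue author's text, not Big Bang's shipped policy, and not the Kyverno sample referred to above; the policy name, the namespace exclusions and the specific default values are assumptions chosen for the example. Kyverno's `+(field)` anchor only adds a field when it is absent, so any securityContext the upstream chart already sets is left untouched, and the `(name): "*"` anchor applies the container-level defaults to every container in the Pod.

```yaml
# Added example of a Kyverno mutate policy that injects a default
# securityContext at Pod admission. Names and values are assumptions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-securitycontext   # hypothetical policy name
spec:
  # Mutation is only meaningful at admission; do not rewrite existing Pods.
  background: false
  rules:
    - name: add-default-securitycontext
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              # Assumed allowlist of namespaces whose workloads
              # legitimately manage their own securityContext.
              namespaces:
                - kube-system
      mutate:
        patchStrategicMerge:
          spec:
            # "+(...)" means: add this block only if it is not already set,
            # so explicit chart values always take precedence.
            +(securityContext):
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault
            # "(name): \"*\"" is a conditional anchor matching every container.
            containers:
              - (name): "*"
                +(securityContext):
                  allowPrivilegeEscalation: false
                  privileged: false
                  capabilities:
                    drop:
                      - ALL
            initContainers:
              - (name): "*"
                +(securityContext):
                  allowPrivilegeEscalation: false
                  privileged: false
                  capabilities:
                    drop:
                      - ALL
```

Two points worth checking when adopting something like this: Kubernetes runs mutating admission before validating admission, so a Pod patched by this rule is what the existing "require securityContext" validate policy then sees, and the two policies must agree on what a compliant securityContext looks like. Also, `runAsNonRoot: true` without a numeric `runAsUser` makes the kubelet refuse to start any image whose `USER` is root or non-numeric, which is the safe failure mode but is exactly the kind of upstream image that would need an allowlist entry or a chart-level override.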