fix(reflector): restricted pod-security

kube/deploy/core/secrets/reflector/app/hr.yaml

@@ -20,4 +20,17 @@ spec:
     priorityClassName: "system-cluster-critical"
     tolerations:
       - key: "node-role.kubernetes.io/control-plane"
-        operator: "Exists"
+        operator: "Exists"
+    # restricted PSS
+    podSecurityContext:
+      runAsNonRoot: true
+      runAsUser: &uid ${APP_UID_REFLECTOR:=1000}
+      runAsGroup: *uid
+      fsGroup: *uid
+      fsGroupChangePolicy: "Always"
+      seccompProfile: { type: "RuntimeDefault" }
+    securityContext:
+      readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]

kube/deploy/core/secrets/reflector/ks.yaml

@@ -6,9 +6,11 @@ metadata:
   namespace: flux-system
   labels: &l
     app.kubernetes.io/name: "reflector"
+    wait.flux.home.arpa/disabled: "true"
 spec:
   commonMetadata:
     labels: *l
   path: ./kube/deploy/core/secrets/reflector/app
   targetNamespace: "reflector"
+  wait: false
   dependsOn: []