K8SPG-613: fix cr.yaml (#1185)

https://perconadev.atlassian.net/browse/K8SPG-613

Co-authored-by: Viacheslav Sarzhan <[email protected]>

Author: pooknull

deploy/cr.yaml

@@ -17,24 +17,25 @@ spec:
 #        cpu: 2.0
 #        memory: 4Gi
 #    containerSecurityContext:
-#      fsGroup: 1001
 #      runAsUser: 1001
-#      runAsNonRoot: true
-#      fsGroupChangePolicy: "OnRootMismatch"
 #      runAsGroup: 1001
-#      seLinuxOptions:
-#        type: spc_t
-#        level: s0:c123,c456
+#      runAsNonRoot: true
+#      privileged: false
+#      allowPrivilegeEscalation: false
+#      readOnlyRootFilesystem: true
+#      capabilities:
+#        add:
+#          - NET_ADMIN
+#          - SYS_TIME
+#        drop:
+#          - ALL
 #      seccompProfile:
 #        type: Localhost
 #        localhostProfile: localhost/profile.json
-#      supplementalGroups:
-#      - 1001
-#      sysctls:
-#      - name: net.ipv4.tcp_keepalive_time
-#        value: "600"
-#      - name: net.ipv4.tcp_keepalive_intvl
-#        value: "60"
+#      procMount: Default
+#      seLinuxOptions:
+#        type: spc_t
+#        level: s0:c123,c456
 #  metadata:
 #    annotations:
 #      example-annotation: value
@@ -182,24 +183,25 @@ spec:
 #          cpu: 2.0
 #          memory: 4Gi
 #      containerSecurityContext:
-#        fsGroup: 1001
 #        runAsUser: 1001
-#        runAsNonRoot: true
-#        fsGroupChangePolicy: "OnRootMismatch"
 #        runAsGroup: 1001
-#        seLinuxOptions:
-#          type: spc_t
-#          level: s0:c123,c456
+#        runAsNonRoot: true
+#        privileged: false
+#        allowPrivilegeEscalation: false
+#        readOnlyRootFilesystem: true
+#        capabilities:
+#          add:
+#            - NET_ADMIN
+#            - SYS_TIME
+#          drop:
+#            - ALL
 #        seccompProfile:
 #          type: Localhost
 #          localhostProfile: localhost/profile.json
-#        supplementalGroups:
-#        - 1001
-#        sysctls:
-#        - name: net.ipv4.tcp_keepalive_time
-#          value: "600"
-#        - name: net.ipv4.tcp_keepalive_intvl
-#          value: "60"
+#        procMount: Default
+#        seLinuxOptions:
+#          type: spc_t
+#          level: s0:c123,c456
 
     affinity:
       podAntiAffinity:
@@ -385,24 +387,25 @@ spec:
 #            cpu: 2.0
 #            memory: 4Gi
 #        containerSecurityContext:
-#          fsGroup: 1001
 #          runAsUser: 1001
-#          runAsNonRoot: true
-#          fsGroupChangePolicy: "OnRootMismatch"
 #          runAsGroup: 1001
-#          seLinuxOptions:
-#            type: spc_t
-#            level: s0:c123,c456
+#          runAsNonRoot: true
+#          privileged: false
+#          allowPrivilegeEscalation: false
+#          readOnlyRootFilesystem: true
+#          capabilities:
+#            add:
+#              - NET_ADMIN
+#              - SYS_TIME
+#            drop:
+#              - ALL
 #          seccompProfile:
 #            type: Localhost
 #            localhostProfile: localhost/profile.json
-#          supplementalGroups:
-#          - 1001
-#          sysctls:
-#          - name: net.ipv4.tcp_keepalive_time
-#            value: "600"
-#          - name: net.ipv4.tcp_keepalive_intvl
-#            value: "60"
+#          procMount: Default
+#          seLinuxOptions:
+#            type: spc_t
+#            level: s0:c123,c456
 #      containers:
 #        pgbackrest:
 #          resources: