feat: add PSA restricted compliance — securityContext, remove SYS_PTRACE

[will-corrigan]

Description

Adds configurable pod-level and container-level securityContext to all Hatchet deployments and jobs. Removes SYS_PTRACE capability and shareProcessNamespace from setup jobs as they are not required by the codebase.

Defaults are backward-compatible — existing deployments are unaffected. Users can opt into stricter security by overriding values.

Type of change

• New feature (non-breaking change which adds functionality)

What's Changed

• New podSecurityContext and containerSecurityContext values for all charts (hatchet-api, hatchet-frontend)
• Applied to deployments (api, engine, frontend) and jobs (setup, worker-token)
• Safe defaults applied immediately: allowPrivilegeEscalation: false, capabilities.drop: [ALL], seccompProfile: RuntimeDefault
• Non-root is opt-in: runAsNonRoot defaults to false for backward compatibility
• Removed SYS_PTRACE capability from all 4 setup job containers
• Removed shareProcessNamespace: true from both job pod specs

Companion PR

hatchet-dev/hatchet#3356 creates a non-root user (UID 1000) in the Docker images. Together, users can run Hatchet fully non-root by setting:

podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000

containerSecurityContext:
  runAsNonRoot: true
  readOnlyRootFilesystem: true

This enables Kubernetes Pod Security Standards restricted profile compliance.