[RayOperator]: hardening kuberay operator security context

[LilyLinh]

Adds security hardening settings to ray-operator/config/manager/manager.yaml to align with the Helm chart defaults and Kubernetes Pod Security Standards.

##Changes:

• Add capabilities.drop: [ALL]
• Add readOnlyRootFilesystem: true

Why?

The Helm chart (helm-chart/kuberay-operator/values.yaml) already includes these security settings by default. This PR ensures consistency between kustomize and Helm deployments.

These settings follow:

• Kubernetes Pod Security Standards (restricted profile)
• OpenShift Security Context Constraints (restricted-v2 SCC)

Testing

• Helm unit tests pass (39 tests)
• E2E tests pass (core functionality)
• Verified on local Kind cluster
• Verified security context applied correctly

[andrewsykim]

@vinayakankugoyal would appreciate your review on this

[Future-Outlier]

thank you, cc @rueian for merge

[Future-Outlier]

cc @AndySung320 @justinyeh1995 @400Ping for review if you are interested

[justinyeh1995]

I tested this on a fresh kind cluster

kind create cluster --name kuberay-test-pr4243 --image=kindest/node:v1.26.0
kubectl create -k ray-operator/config/default
kubectl get deploy kuberay-operator -o yaml | yq '.spec.template.spec.containers[0].securityContext'

The kuberay-operator Deployment’s container now has the hardened securityContext

{
  "allowPrivilegeEscalation": false,
  "capabilities": {
    "drop": [
      "ALL"
    ]
  },
  "readOnlyRootFilesystem": true,
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}

The operator works fine, and I also applied a sample RayCluster to confirm that reconciliation proceeds normally.

Looks good to me.

[400Ping]

Tested locally as well, LGTM.

[AndySung320]

LGTM, thanks for the clarification.
Good to know the official operator image is already distroless and compatible with the hardened security context.