Uses Kustomize to switch to nonroot image + fs, replacing #307

nonroot/fsgroup-65534.yaml

@@ -0,0 +1,4 @@
+- op: add
+  path: /spec/template/spec/securityContext
+  value:
+    fsGroup: 65534

nonroot/kustomization.yaml

@@ -0,0 +1,27 @@
+bases:
+- ../rbac-namespace-default
+- ../kafka
+- ../zookeeper
+patchesJson6902:
+- target:
+    group: apps
+    version: v1
+    kind: StatefulSet
+    name: kafka
+  path: fsgroup-65534.yaml
+- target:
+    group: apps
+    version: v1
+    kind: StatefulSet
+    name: pzoo
+  path: fsgroup-65534.yaml
+- target:
+    group: apps
+    version: v1
+    kind: StatefulSet
+    name: zoo
+  path: fsgroup-65534.yaml
+# https://github.com/kubernetes-sigs/kustomize/issues/915#issuecomment-477808963
+patchesStrategicMerge:
+- nonroot-image-kafka.yaml
+- nonroot-image-zookeeper.yaml

nonroot/nonroot-image-kafka.yaml

@@ -0,0 +1,10 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: kafka
+spec:
+  template:
+    spec:
+      containers:
+      - name: broker
+        image: solsson/kafka:nonroot-latest@sha256:c904e2dc2b432491f298b90e2b603447bc2e16d9675fda6b4a9ec1b8d4169c3f

nonroot/nonroot-image-zookeeper.yaml

@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: pzoo
+spec:
+  template:
+    spec:
+      containers:
+      - name: zookeeper
+        image: solsson/kafka:nonroot-latest@sha256:c904e2dc2b432491f298b90e2b603447bc2e16d9675fda6b4a9ec1b8d4169c3f
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: zoo
+spec:
+  template:
+    spec:
+      containers:
+      - name: zookeeper
+        image: solsson/kafka:nonroot-latest@sha256:c904e2dc2b432491f298b90e2b603447bc2e16d9675fda6b4a9ec1b8d4169c3f