[POLICY] Fix Kyverno Policy violations

- Add "archive" folder for removed policy-gui charts
- Update all deployments/jobs to fix policies
- Correct KafkaUser definition to avoid deprecated attribute
- update xacml-pdp deployment to work with readOnlyFilesystem setting

Issue-ID: OOM-3307

Change-Id: I579062c1c49923666c1d836f7324c8bbd7b88695
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml
index f860393..4460c18 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml
@@ -1,5 +1,6 @@
 #  ============LICENSE_START=======================================================
 #   Copyright (C) 2021-2022, 2024 Nordix Foundation.
+#   Modifications Copyright © 2024 Deutsche Telekom
 #  ================================================================================
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -19,7 +20,7 @@
 apiVersion: v2
 description: ONAP Policy Clamp Controlloop Policy Participant
 name: policy-clamp-ac-pf-ppnt
-version: 14.0.0
+version: 14.0.1
 
 dependencies:
   - name: common
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml
index 1cd4ba3..729a455 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml
@@ -98,4 +98,3 @@
     context-path: /onap/policyparticipant
   ssl:
     enabled: false
-
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml
index 7158c02..5a9baa8 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
 # limitations under the License.
 */}}
 
-{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml
index 9026309..c29dca9 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml
@@ -1,6 +1,7 @@
 {{/*
 #  ============LICENSE_START=======================================================
 #   Copyright (C) 2021-2023 Nordix Foundation.
+#   Modifications Copyright © 2024 Deutsche Telekom
 #  ================================================================================
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -27,6 +28,7 @@
   template:
     metadata: {{- include "common.templateMetadata" . | nindent 6 }}
     spec:
+      {{ include "common.podSecurityContext" . | indent 6 | trim }}
       initContainers:
       - command:
         - sh
@@ -58,9 +60,11 @@
           name: ac-pf-ppnt-config-processed
         image: {{ include "repositoryGenerator.image.envsubst" . }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
         name: {{ include "common.name" . }}-update-config
       containers:
         - name: {{ include "common.name" . }}
+          {{ include "common.containerSecurityContext" . | indent 10 | trim }}
           image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           command: ["/opt/app/policy/clamp/bin/policy-participant.sh"]
@@ -83,6 +87,14 @@
           volumeMounts:
           - mountPath: /opt/app/policy/clamp/etc/mounted
             name: ac-pf-ppnt-config-processed
+          - name: logs
+            mountPath: /var/log/onap
+          - name: empty-dir
+            mountPath: /tmp
+            subPath: tmp-dir
+          - mountPath: /opt/app/policy/clamp/etc/logback.xml
+            subPath: logback.xml
+            name: ac-pf-ppnt-config-processed
           resources: {{ include "common.resources" . | nindent 12 }}
         {{- if .Values.nodeSelector }}
         nodeSelector:
@@ -101,4 +113,11 @@
         - name: ac-pf-ppnt-config-processed
           emptyDir:
             medium: Memory
+            sizeLimit: 64Mi
+        - name: empty-dir
+          emptyDir:
+            sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+        - name: logs
+          emptyDir:
+            sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
       {{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml
index e676ff1..be2449f 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml
@@ -1,21 +1,21 @@
-{{/*

-#  ============LICENSE_START=======================================================

-#   Copyright (C) 2021 Nordix Foundation. All rights reserved.

-#  ================================================================================

-#  Licensed under the Apache License, Version 2.0 (the "License");

-#  you may not use this file except in compliance with the License.

-#  You may obtain a copy of the License at

-#

-#       http://www.apache.org/licenses/LICENSE-2.0

-#

-#  Unless required by applicable law or agreed to in writing, software

-#  distributed under the License is distributed on an "AS IS" BASIS,

-#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

-#  See the License for the specific language governing permissions and

-#  limitations under the License.

-#

-#  SPDX-License-Identifier: Apache-2.0

-#  ============LICENSE_END=========================================================

-*/}}

-

-{{ include "common.service" . }}

+{{/*
+#  ============LICENSE_START=======================================================
+#   Copyright (C) 2021 Nordix Foundation. All rights reserved.
+#  ================================================================================
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#  ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml
index 2112f25..97bebd0 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml
@@ -1,5 +1,6 @@
 #  ============LICENSE_START=======================================================
 #   Copyright (C) 2021-2023 Nordix Foundation.
+#   Modifications Copyright © 2024 Deutsche Telekom
 #  ================================================================================
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -127,6 +128,17 @@
       cpu: "1"
       memory: "2Gi"
   unlimited: {}
+
+securityContext:
+  user_id: 100
+  group_id: 102
+
+dirSizes:
+  emptyDir:
+    sizeLimit: 1Gi
+  logDir:
+    sizeLimit: 500Mi
+
 #Pods Service Account
 serviceAccount:
   nameOverride: *componentName