
feat: drop all capabilities by default, remove restricted security settings in OpenShift installations #184

Draft
GrigoryPervakov wants to merge 1 commit into main from drop-default-capabilities

Conversation

@GrigoryPervakov (Member)

Why

Default capabilities are not needed in most cases and won't fit hardened environments.
OpenShift has stricter security requirements, while some settings have injected defaults that behave as ClickHouse requires.

What

  • Replace the default capabilities with drop: ["ALL"]
  • Unset UID/GUID/FSUID in OpenShift environments
  • Add e2e test against MicroShift

Related Issues

Related to #180


Copilot AI left a comment


Pull request overview

This PR hardens the operator’s default pod/container security contexts by dropping all Linux capabilities by default and adjusting defaults to better fit OpenShift’s restricted SCC behavior, while adding CI coverage via a MicroShift e2e job.

Changes:

  • Introduces platform detection (OpenShift vs vanilla Kubernetes) and uses it to omit UID/GID/FSGroup defaults on OpenShift.
  • Changes default container security context to capabilities.drop: ["ALL"] plus allowPrivilegeEscalation=false and seccomp=RuntimeDefault.
  • Adds a MicroShift-based CI job and updates deploy tests to support skipping Kind image loading and to simplify operator-sdk path detection.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

Summary per file:

test/deploy/deploy_test.go: Adds SKIP_OPERATOR_IMAGE_LOAD path and simplifies operator-sdk path parsing for MicroShift CI.
internal/controllerutil/openshift.go: Adds OpenShift detection (via discovery of security.openshift.io/v1) and test override hook.
internal/controller/securitycontext.go: Centralizes default PodSecurityContext/Container SecurityContext, with OpenShift-specific behavior.
internal/controller/securitycontext_test.go: Adds unit tests validating new default security context behavior (vanilla vs OpenShift).
internal/controller/keeper/templates.go: Switches Keeper pod/container defaults to the new shared security context helpers.
internal/controller/keeper/controller_test.go: Updates assertions to match the new security context override behavior.
internal/controller/clickhouse/templates.go: Switches ClickHouse pod/container defaults to the new shared security context helpers.
internal/controller/clickhouse/templates_test.go: Adds tests ensuring pod UID/GID/FSGroup defaults differ on OpenShift vs vanilla.
internal/controller/clickhouse/controller_test.go: Updates assertions to match the new security context override behavior.
cmd/main.go: Calls OpenShift detection at startup and logs the detected platform.
.github/workflows/ci.yaml: Adds a MicroShift e2e job and wires it into the overall CI success/reporting gates.

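Added example (not code from this PR or from the operator it belongs to) sketching in Go the behaviour the review above describes: detecting OpenShift from the API groups discovery advertises, platform-dependent pod defaults that leave UID/GID/fsGroup unset on OpenShift, the hardened container default (capabilities.drop ["ALL"], allowPrivilegeEscalation=false, seccomp RuntimeDefault), and a check of any rendered context against the three restricted Pod Security Standard controls the PR targets. The struct shapes, function names, the discovery-list input and the UID/GID value 1000 are assumptions of this example, not the operator's own code.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Stand-ins for the corev1 fields used here (assumption: same JSON shape as k8s.io/api/core/v1).
type PodSecurityContext struct {
	RunAsUser  *int64 `json:"runAsUser,omitempty"`
	RunAsGroup *int64 `json:"runAsGroup,omitempty"`
	FSGroup    *int64 `json:"fsGroup,omitempty"`
}
type Capabilities struct {
	Add  []string `json:"add,omitempty"`
	Drop []string `json:"drop,omitempty"`
}
type SeccompProfile struct{ Type string `json:"type"` }
type SecurityContext struct {
	AllowPrivilegeEscalation *bool           `json:"allowPrivilegeEscalation,omitempty"`
	Capabilities             *Capabilities   `json:"capabilities,omitempty"`
	SeccompProfile           *SeccompProfile `json:"seccompProfile,omitempty"`
}

// Hypothetical fixed IDs for vanilla Kubernetes; the PR does not state the operator's values.
const defaultUID, defaultGID int64 = 1000, 1000

// IsOpenShift follows the detection the review describes: OpenShift is assumed when discovery
// advertises security.openshift.io/v1. groupVersions stands in for the discovery result.
func IsOpenShift(groupVersions []string) bool {
	return contains(groupVersions, "security.openshift.io/v1")
}

// DefaultPodSecurityContext pins UID/GID/fsGroup on vanilla Kubernetes so volumes are writable
// by the container user. On OpenShift it leaves them nil: the restricted SCC injects a UID and
// supplemental group from the namespace's allocated range, and a fixed UID outside it fails admission.
func DefaultPodSecurityContext(openshift bool) *PodSecurityContext {
	if openshift {
		return &PodSecurityContext{}
	}
	uid, gid := defaultUID, defaultGID
	return &PodSecurityContext{RunAsUser: &uid, RunAsGroup: &gid, FSGroup: &gid}
}

// DefaultContainerSecurityContext is the hardened default: no capabilities, no privilege
// escalation (setuid binaries and file capabilities stop working), runtime default seccomp.
func DefaultContainerSecurityContext() *SecurityContext {
	noEscalation := false
	return &SecurityContext{
		AllowPrivilegeEscalation: &noEscalation,
		Capabilities:             &Capabilities{Drop: []string{"ALL"}},
		SeccompProfile:           &SeccompProfile{Type: "RuntimeDefault"},
	}
}

// RestrictedViolations checks a context against the three "restricted" Pod Security Standard
// controls this PR targets (the full standard also requires runAsNonRoot). Empty means clean.
func RestrictedViolations(sc *SecurityContext) []string {
	if sc == nil {
		return []string{"securityContext unset"}
	}
	var v []string
	if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
		v = append(v, "allowPrivilegeEscalation must be false")
	}
	if sc.Capabilities == nil || !contains(sc.Capabilities.Drop, "ALL") {
		v = append(v, `capabilities.drop must include "ALL"`)
	}
	if sc.Capabilities != nil {
		for _, c := range sc.Capabilities.Add {
			if c != "NET_BIND_SERVICE" {
				v = append(v, "capabilities.add may only contain NET_BIND_SERVICE, got "+c)
			}
		}
	}
	if p := sc.SeccompProfile; p == nil || (p.Type != "RuntimeDefault" && p.Type != "Localhost") {
		v = append(v, "seccompProfile.type must be RuntimeDefault or Localhost")
	}
	return v
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

func main() {
	// Render what would be emitted on each platform; the OpenShift pod context serializes to {}.
	for _, openshift := range []bool{false, true} {
		b, _ := json.MarshalIndent(map[string]interface{}{
			"podSecurityContext":       DefaultPodSecurityContext(openshift),
			"containerSecurityContext": DefaultContainerSecurityContext(),
		}, "", "  ")
		fmt.Printf("openshift=%v\n%s\n", openshift, b)
	}
}
```

Two practitioner notes. On OpenShift the restricted SCC picks the UID from the range in the namespace annotation openshift.io/sa.scc.uid-range, which is why the defaults must stay unset there rather than be replaced with another fixed number. And if a CR override replaces the capabilities struct wholesale (an assumption about how overrides merge), an override that only adds a capability drops the default drop: ["ALL"]; running RestrictedViolations on the merged result, not on the defaults, is what surfaces that.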

Comment thread: internal/controllerutil/openshift.go
Comment thread: test/deploy/deploy_test.go (outdated)
GrigoryPervakov force-pushed the drop-default-capabilities branch from 24f0b23 to acb3ac1 (May 11, 2026 16:42)
GrigoryPervakov force-pushed the drop-default-capabilities branch from acb3ac1 to ab582d9 (May 11, 2026 17:23)

2 participants