14 KiB
title
| title |
|---|
| Security Context |
:::note
- Examples under each key are only to be used as a placement guide
- See the Full Examples section for complete examples.
:::
Appears in
.Values.workload.$name.podSpec.containers.$name.Values.workload.$name.podSpec.initContainers.$name
securityContext
Define securityContext for the container
| Key | workload.$name.podSpec.containers.$name.securityContext |
| Type | map |
| Required | ✅ |
Helm tpl |
❌ |
| Default | See here |
Example
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext: {}
securityContext.runAsUser
Define the runAsUser for the container
| Key | workload.$name.podSpec.containers.$name.securityContext.runAsUser |
| Type | int |
| Required | ✅ |
Helm tpl |
❌ |
| Default | See here |
Example
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
runAsUser: 568
securityContext.runAsGroup
Define the runAsGroup for the container
| Key | workload.$name.podSpec.containers.$name.securityContext.runAsGroup |
| Type | int |
| Required | ✅ |
Helm tpl |
❌ |
| Default | See here |
Example
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
runAsGroup: 568
securityContext.readOnlyRootFilesystem
Define the readOnlyRootFilesystem for the container
| Key | workload.$name.podSpec.containers.$name.securityContext.readOnlyRootFilesystem |
| Type | bool |
| Required | ✅ |
Helm tpl |
❌ |
| Default | See here |
Example
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
readOnlyRootFilesystem: true
securityContext.allowPrivilegeEscalation
Define the allowPrivilegeEscalation for the container
| Key | workload.$name.podSpec.containers.$name.securityContext.allowPrivilegeEscalation |
| Type | bool |
| Required | ✅ |
Helm tpl |
❌ |
| Default | See here |
Example
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
allowPrivilegeEscalation: false
securityContext.privileged
Define the privileged for the container
| Key | workload.$name.podSpec.containers.$name.securityContext.privileged |
| Type | bool |
| Required | ✅ |
Helm tpl |
❌ |
| Default | See here |
Example
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
privileged: false
securityContext.runAsNonRoot
Define the runAsNonRoot for the container
| Key | workload.$name.podSpec.containers.$name.securityContext.runAsNonRoot |
| Type | bool |
| Required | ✅ |
Helm tpl |
❌ |
| Default | See here |
Example
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
runAsNonRoot: true
securityContext.capabilities
Define the capabilities for the container
:::note
If at least one capability is defined in either add or drop
on container level, it will NOT get merged with the value(s) from the .Values.securityContext.container.capabilities.[add/drop].
But it will override them.
:::
:::tip
When setting capabilities for containers, remember to NOT include CAP_ prefix.
For example, CAP_NET_ADMIN should be NET_ADMIN. This is not specific to this chart,
but a general Kubernetes thing.
:::
| Key | workload.$name.podSpec.containers.$name.securityContext.capabilities |
| Type | map |
| Required | ✅ |
Helm tpl |
❌ |
| Default | See here |
Example
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
capabilities: {}
securityContext.capabilities.add
Define the capabilities.add for the container
| Key | workload.$name.podSpec.containers.$name.securityContext.capabilities.add |
| Type | list of string |
| Required | ✅ |
Helm tpl |
❌ |
| Default | See here |
Example
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
capabilities:
add: []
securityContext.capabilities.drop
Define the capabilities.drop for the container
| Key | workload.$name.podSpec.containers.$name.securityContext.capabilities.drop |
| Type | list of string |
| Required | ✅ |
Helm tpl |
❌ |
| Default | See here |
Example
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
capabilities:
drop: []
securityContext.seccompProfile
Define the seccompProfile for the container
| Key | workload.$name.podSpec.containers.$name.securityContext.seccompProfile |
| Type | map |
| Required | ✅ |
Helm tpl |
❌ |
| Default | See here |
Example
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
seccompProfile: {}
securityContext.seccompProfile.type
Define the seccompProfile.type for the container
| Key | workload.$name.podSpec.containers.$name.securityContext.seccompProfile.type |
| Type | string |
| Required | ✅ |
Helm tpl |
❌ |
| Default | See here |
Valid Values:
RuntimeDefaultLocalhostUnconfined
Example
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
seccompProfile:
type: Localhost
securityContext.seccompProfile.profile
Define the seccompProfile.profile for the container
:::note
Only required when securityContext.seccompProfile.type is Localhost.
:::
| Key | workload.$name.podSpec.containers.$name.securityContext.seccompProfile.profile |
| Type | string |
| Required | ✅ |
Helm tpl |
❌ |
| Default | See here |
Example
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
seccompProfile:
type: Localhost
profile: path/to/profile.json
Full Examples
workload:
workload-name:
enabled: true
primary: true
podSpec:
containers:
container-name:
enabled: true
primary: true
securityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
seccompProfile:
type: Localhost
profile: path/to/profile.json
capabilities:
add: []
drop:
- ALL