Files
Kjeld Schouten 899cfb71b3 add common docs
2025-10-15 15:11:59 +02:00

416 lines
14 KiB
Markdown

---
title: Security Context
---
:::note
- Examples under each key are only to be used as a placement guide
- See the [Full Examples](/truecharts-common/container/securitycontext#full-examples) section for complete examples.
:::
## Appears in
- `.Values.workload.$name.podSpec.containers.$name`
- `.Values.workload.$name.podSpec.initContainers.$name`
---
## `securityContext`
Define securityContext for the container
| | |
| ---------- | -------------------------------------------------------------------- |
| Key | `workload.$name.podSpec.containers.$name.securityContext` |
| Type | `map` |
| Required | ✅ |
| Helm `tpl` | ❌ |
| Default | See [here](/truecharts-common/securitycontext#securitycontextcontainer) |
Example
```yaml
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext: {}
```
---
### `securityContext.runAsUser`
Define the runAsUser for the container
| | |
| ---------- | ----------------------------------------------------------------------------- |
| Key | `workload.$name.podSpec.containers.$name.securityContext.runAsUser` |
| Type | `int` |
| Required | ✅ |
| Helm `tpl` | ❌ |
| Default | See [here](/truecharts-common/securitycontext#securitycontextcontainerrunasuser) |
Example
```yaml
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
runAsUser: 568
```
---
### `securityContext.runAsGroup`
Define the runAsGroup for the container
| | |
| ---------- | ------------------------------------------------------------------------------ |
| Key | `workload.$name.podSpec.containers.$name.securityContext.runAsGroup` |
| Type | `int` |
| Required | ✅ |
| Helm `tpl` | ❌ |
| Default | See [here](/truecharts-common/securitycontext#securitycontextcontainerrunasgroup) |
Example
```yaml
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
runAsGroup: 568
```
---
### `securityContext.readOnlyRootFilesystem`
Define the readOnlyRootFilesystem for the container
| | |
| ---------- | ------------------------------------------------------------------------------------------ |
| Key | `workload.$name.podSpec.containers.$name.securityContext.readOnlyRootFilesystem` |
| Type | `bool` |
| Required | ✅ |
| Helm `tpl` | ❌ |
| Default | See [here](/truecharts-common/securitycontext#securitycontextcontainerreadonlyrootfilesystem) |
Example
```yaml
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
readOnlyRootFilesystem: true
```
---
### `securityContext.allowPrivilegeEscalation`
Define the allowPrivilegeEscalation for the container
| | |
| ---------- | -------------------------------------------------------------------------------------------- |
| Key | `workload.$name.podSpec.containers.$name.securityContext.allowPrivilegeEscalation` |
| Type | `bool` |
| Required | ✅ |
| Helm `tpl` | ❌ |
| Default | See [here](/truecharts-common/securitycontext#securitycontextcontainerallowprivilegeescalation) |
Example
```yaml
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
allowPrivilegeEscalation: false
```
---
### `securityContext.privileged`
Define the privileged for the container
| | |
| ---------- | ------------------------------------------------------------------------------ |
| Key | `workload.$name.podSpec.containers.$name.securityContext.privileged` |
| Type | `bool` |
| Required | ✅ |
| Helm `tpl` | ❌ |
| Default | See [here](/truecharts-common/securitycontext#securitycontextcontainerprivileged) |
Example
```yaml
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
privileged: false
```
---
### `securityContext.runAsNonRoot`
Define the runAsNonRoot for the container
| | |
| ---------- | -------------------------------------------------------------------------------- |
| Key | `workload.$name.podSpec.containers.$name.securityContext.runAsNonRoot` |
| Type | `bool` |
| Required | ✅ |
| Helm `tpl` | ❌ |
| Default | See [here](/truecharts-common/securitycontext#securitycontextcontainerrunasnonroot) |
Example
```yaml
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
runAsNonRoot: true
```
---
### `securityContext.capabilities`
Define the capabilities for the container
:::note
If at least one capability is defined in either [`add`](/truecharts-common/container/securitycontext/#securitycontextcapabilitiesadd) or [`drop`](/truecharts-common/container/securitycontext/#securitycontextcapabilitiesdrop)
on container level, it will **NOT** get merged with the value(s) from the `.Values.securityContext.container.capabilities.[add/drop]`.
But it will override them.
:::
:::tip
When setting capabilities for containers, remember to **NOT** include `CAP_` prefix.
For example, `CAP_NET_ADMIN` should be `NET_ADMIN`. This is not specific to this chart,
but a general Kubernetes thing.
:::
| | |
| ---------- | -------------------------------------------------------------------------------- |
| Key | `workload.$name.podSpec.containers.$name.securityContext.capabilities` |
| Type | `map` |
| Required | ✅ |
| Helm `tpl` | ❌ |
| Default | See [here](/truecharts-common/securitycontext#securitycontextcontainercapabilities) |
Example
```yaml
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
capabilities: {}
```
---
#### `securityContext.capabilities.add`
Define the capabilities.add for the container
| | |
| ---------- | ----------------------------------------------------------------------------------- |
| Key | `workload.$name.podSpec.containers.$name.securityContext.capabilities.add` |
| Type | `list` of `string` |
| Required | ✅ |
| Helm `tpl` | ❌ |
| Default | See [here](/truecharts-common/securitycontext#securitycontextcontainercapabilitiesadd) |
Example
```yaml
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
capabilities:
add: []
```
---
#### `securityContext.capabilities.drop`
Define the capabilities.drop for the container
| | |
| ---------- | ------------------------------------------------------------------------------------ |
| Key | `workload.$name.podSpec.containers.$name.securityContext.capabilities.drop` |
| Type | `list` of `string` |
| Required | ✅ |
| Helm `tpl` | ❌ |
| Default | See [here](/truecharts-common/securitycontext#securitycontextcontainercapabilitiesdrop) |
Example
```yaml
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
capabilities:
drop: []
```
---
### `securityContext.seccompProfile`
Define the seccompProfile for the container
| | |
| ---------- | ---------------------------------------------------------------------------------- |
| Key | `workload.$name.podSpec.containers.$name.securityContext.seccompProfile` |
| Type | `map` |
| Required | ✅ |
| Helm `tpl` | ❌ |
| Default | See [here](/truecharts-common/securitycontext#securitycontextcontainerseccompprofile) |
Example
```yaml
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
seccompProfile: {}
```
---
#### `securityContext.seccompProfile.type`
Define the seccompProfile.type for the container
| | |
| ---------- | -------------------------------------------------------------------------------------- |
| Key | `workload.$name.podSpec.containers.$name.securityContext.seccompProfile.type` |
| Type | `string` |
| Required | ✅ |
| Helm `tpl` | ❌ |
| Default | See [here](/truecharts-common/securitycontext#securitycontextcontainerseccompprofiletype) |
Valid Values:
- `RuntimeDefault`
- `Localhost`
- `Unconfined`
Example
```yaml
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
seccompProfile:
type: Localhost
```
---
#### `securityContext.seccompProfile.profile`
Define the seccompProfile.profile for the container
:::note
Only **required** when `securityContext.seccompProfile.type` is `Localhost`.
:::
| | |
| ---------- | ----------------------------------------------------------------------------------------- |
| Key | `workload.$name.podSpec.containers.$name.securityContext.seccompProfile.profile` |
| Type | `string` |
| Required | ✅ |
| Helm `tpl` | ❌ |
| Default | See [here](/truecharts-common/securitycontext#securitycontextcontainerseccompprofileprofile) |
Example
```yaml
workload:
workload-name:
podSpec:
containers:
container-name:
securityContext:
seccompProfile:
type: Localhost
profile: path/to/profile.json
```
---
## Full Examples
```yaml
workload:
workload-name:
enabled: true
primary: true
podSpec:
containers:
container-name:
enabled: true
primary: true
securityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
seccompProfile:
type: Localhost
profile: path/to/profile.json
capabilities:
add: []
drop:
- ALL
```