Files
truecharts/charts/library/common/docs/securityContext.md
T
Kjeld Schouten 899cfb71b3 add common docs
2025-10-15 15:11:59 +02:00

6.3 KiB

title
title
Security Context

:::note

  • Examples under each key are only to be used as a placement guide
  • See the Full Examples section for complete examples.

:::

Appears in

  • .Values.securityContext

Defaults

securityContext:
  container:
    PUID: 568
    UMASK: "002"
    runAsNonRoot: true
    runAsUser: 568
    runAsGroup: 568
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    privileged: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      add: []
      drop:
        - ALL
  pod:
    fsGroup: 568
    fsGroupChangePolicy: OnRootMismatch
    supplementalGroups: []
    sysctls: []

securityContext.container

Defines the security context for the container. Can be overridden at container level.

See Container Security Context

Default

securityContext:
  container:
    PUID: 568
    UMASK: "002"
    runAsNonRoot: true
    runAsUser: 568
    runAsGroup: 568
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    privileged: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      add: []
      drop:
        - ALL

securityContext.container.PUID

See Container Fixed Env PUID

Default

securityContext:
  container:
    PUID: 568

securityContext.container.UMASK

See Container Fixed Env UMASK

Default

securityContext:
  container:
    UMASK: "002"

securityContext.container.runAsNonRoot

See Container Run As Non Root

Default

securityContext:
  container:
    runAsNonRoot: true

securityContext.container.runAsUser

See Container Run As User

Default

securityContext:
  container:
    runAsUser: 568

securityContext.container.runAsGroup

See Container Run As Group

Default

securityContext:
  container:
    runAsGroup: 568

securityContext.container.readOnlyRootFilesystem

See Container Read Only Root Filesystem

Default

securityContext:
  container:
    readOnlyRootFilesystem: true

securityContext.container.allowPrivilegeEscalation

See Container Allow Privilege Escalation

Default

securityContext:
  container:
    allowPrivilegeEscalation: false

securityContext.container.privileged

See Container Privileged

Default

securityContext:
  container:
    privileged: false

securityContext.container.seccompProfile

See Container Seccomp Profile

Default

securityContext:
  container:
    seccompProfile:
      type: RuntimeDefault

securityContext.container.seccompProfile.type

See Container Seccomp Profile Type

Default

securityContext:
  container:
    seccompProfile:
      type: RuntimeDefault

securityContext.container.seccompProfile.profile

See Container Seccomp Profile Profile

Default

securityContext:
  container:
    seccompProfile:
      profile: ""

securityContext.container.capabilities

See Container Capabilities

Default

securityContext:
  container:
    capabilities:
      add: []
      drop:
        - ALL

securityContext.container.capabilities.add

See Container Capabilities Add

Default

securityContext:
  container:
    capabilities:
      add: []

securityContext.container.capabilities.drop

See Container Capabilities Drop

Default

securityContext:
  container:
    capabilities:
      drop:
        - ALL

securityContext.pod

Defines the security context for the pod. Can be overridden at pod level.

See Pod Security Context

Default

securityContext:
  pod:
    fsGroup: 568
    fsGroupChangePolicy: OnRootMismatch
    supplementalGroups: []
    sysctls: []

securityContext.pod.fsGroup

See Pod FS Group

Default

securityContext:
  pod:
    fsGroup: 568

securityContext.pod.fsGroupChangePolicy

See Pod FS Group Change Policy

Default

securityContext:
  pod:
    fsGroupChangePolicy: OnRootMismatch

securityContext.pod.supplementalGroups

See Pod Supplemental Groups

Default

securityContext:
  pod:
    supplementalGroups: []

securityContext.pod.sysctls

See Pod Sysctls

Default

securityContext:
  pod:
    sysctls: []

Full Examples

securityContext:
  container:
    PUID: 568
    UMASK: "002"
    runAsNonRoot: true
    runAsUser: 568
    runAsGroup: 568
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    privileged: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      add:
        - SYS_ADMIN
        - SYS_PTRACE
      drop:
        - ALL
  pod:
    fsGroup: 568
    fsGroupChangePolicy: OnRootMismatch
    supplementalGroups:
      - 568
      - 1000
    sysctls:
      - name: net.ipv4.ip_unprivileged_port_start
        value: "0"