6.3 KiB
6.3 KiB
title
| title |
|---|
| Security Context |
:::note
- Examples under each key are only to be used as a placement guide
- See the Full Examples section for complete examples.
:::
Appears in
.Values.securityContext
Defaults
securityContext:
container:
PUID: 568
UMASK: "002"
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
seccompProfile:
type: RuntimeDefault
capabilities:
add: []
drop:
- ALL
pod:
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
supplementalGroups: []
sysctls: []
securityContext.container
Defines the security context for the container. Can be overridden at container level.
See Container Security Context
Default
securityContext:
container:
PUID: 568
UMASK: "002"
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
seccompProfile:
type: RuntimeDefault
capabilities:
add: []
drop:
- ALL
securityContext.container.PUID
Default
securityContext:
container:
PUID: 568
securityContext.container.UMASK
Default
securityContext:
container:
UMASK: "002"
securityContext.container.runAsNonRoot
Default
securityContext:
container:
runAsNonRoot: true
securityContext.container.runAsUser
Default
securityContext:
container:
runAsUser: 568
securityContext.container.runAsGroup
Default
securityContext:
container:
runAsGroup: 568
securityContext.container.readOnlyRootFilesystem
See Container Read Only Root Filesystem
Default
securityContext:
container:
readOnlyRootFilesystem: true
securityContext.container.allowPrivilegeEscalation
See Container Allow Privilege Escalation
Default
securityContext:
container:
allowPrivilegeEscalation: false
securityContext.container.privileged
Default
securityContext:
container:
privileged: false
securityContext.container.seccompProfile
Default
securityContext:
container:
seccompProfile:
type: RuntimeDefault
securityContext.container.seccompProfile.type
See Container Seccomp Profile Type
Default
securityContext:
container:
seccompProfile:
type: RuntimeDefault
securityContext.container.seccompProfile.profile
See Container Seccomp Profile Profile
Default
securityContext:
container:
seccompProfile:
profile: ""
securityContext.container.capabilities
Default
securityContext:
container:
capabilities:
add: []
drop:
- ALL
securityContext.container.capabilities.add
See Container Capabilities Add
Default
securityContext:
container:
capabilities:
add: []
securityContext.container.capabilities.drop
See Container Capabilities Drop
Default
securityContext:
container:
capabilities:
drop:
- ALL
securityContext.pod
Defines the security context for the pod. Can be overridden at pod level.
Default
securityContext:
pod:
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
supplementalGroups: []
sysctls: []
securityContext.pod.fsGroup
See Pod FS Group
Default
securityContext:
pod:
fsGroup: 568
securityContext.pod.fsGroupChangePolicy
See Pod FS Group Change Policy
Default
securityContext:
pod:
fsGroupChangePolicy: OnRootMismatch
securityContext.pod.supplementalGroups
Default
securityContext:
pod:
supplementalGroups: []
securityContext.pod.sysctls
See Pod Sysctls
Default
securityContext:
pod:
sysctls: []
Full Examples
securityContext:
container:
PUID: 568
UMASK: "002"
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
seccompProfile:
type: RuntimeDefault
capabilities:
add:
- SYS_ADMIN
- SYS_PTRACE
drop:
- ALL
pod:
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
supplementalGroups:
- 568
- 1000
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
value: "0"