
Security Context

Assume every key below has a prefix of workload.[workload-name].podSpec.containers.[container-name].

| Key | Type | Required | Helm Template Default | Description |
|---|---|---|---|---|
| securityContext | dict | | `{{ .Values.securityContext.container }}` | Define securityContext for the container |
| securityContext.runAsUser | int | | `{{ .Values.securityContext.container.runAsUser }}` | Define the runAsUser for the container |
| securityContext.runAsGroup | int | | `{{ .Values.securityContext.container.runAsGroup }}` | Define the runAsGroup for the container |
| securityContext.readOnlyRootFilesystem | boolean | | `{{ .Values.securityContext.container.readOnlyRootFilesystem }}` | Define the readOnlyRootFilesystem for the container |
| securityContext.allowPrivilegeEscalation | boolean | | `{{ .Values.securityContext.container.allowPrivilegeEscalation }}` | Define the allowPrivilegeEscalation for the container |
| securityContext.privileged | boolean | | `{{ .Values.securityContext.container.privileged }}` | Define the privileged for the container |
| securityContext.runAsNonRoot | boolean | | `{{ .Values.securityContext.container.runAsNonRoot }}` | Define the runAsNonRoot for the container |
| securityContext.capabilities | dict | | `{{ .Values.securityContext.container.capabilities }}` | Define the capabilities for the container |
| securityContext.capabilities.add | list | | `{{ .Values.securityContext.container.capabilities.add }}` | Define the capabilities.add for the container |
| securityContext.capabilities.drop | list | | `{{ .Values.securityContext.container.capabilities.drop }}` | Define the capabilities.drop for the container |
| securityContext.seccompProfile | dict | | `{{ .Values.securityContext.container.seccompProfile }}` | Define the seccompProfile for the container |
| securityContext.seccompProfile.type | string | | `{{ .Values.securityContext.container.seccompProfile.type }}` | Define the seccompProfile.type for the container (RuntimeDefault, Localhost, Unconfined) |
| securityContext.seccompProfile.profile | string | ✅ (only when type is Localhost) | `{{ .Values.securityContext.container.seccompProfile.profile }}` | Define the seccompProfile.profile for the container (only when type is Localhost) |

Any key that is not set in the container-level securityContext falls back to the value defined in .Values.securityContext.container. Capabilities are the exception to this per-key fallback: if add or drop is defined at the container level, it is NOT merged with the value(s) from .Values.securityContext.container.capabilities.[add/drop]; it overrides them entirely.


Appears in:

  • .Values.workload.[workload-name].podSpec.containers.[container-name].securityContext

Examples:

```yaml
workload:
  workload-name:
    enabled: true
    primary: true
    podSpec:
      containers:
        container-name:
          enabled: true
          primary: true
          securityContext:
            runAsNonRoot: true
            runAsUser: 568
            runAsGroup: 568
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            privileged: false
            seccompProfile:
              type: Localhost
              profile: path/to/profile.json
            capabilities:
              add: []
              drop:
                - ALL
```

Notes:

When setting capabilities for containers, remember NOT to include the CAP_ prefix. For example, CAP_NET_ADMIN should be written as NET_ADMIN.
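The fallback-versus-override rule above and the CAP_ prefix note are easy to get wrong when reviewing values files, so here is an added Python illustration (not code from this chart library) that resolves an effective securityContext under those rules and flags the two pitfalls. The chart-level defaults are a constructed stand-in for .Values.securityContext.container, and treating the add and drop lists independently is an assumption.

```python
import copy

# Constructed stand-in for .Values.securityContext.container (assumed values, not the library's real defaults).
CHART_DEFAULTS = {
    "runAsUser": 568,
    "runAsGroup": 568,
    "runAsNonRoot": True,
    "readOnlyRootFilesystem": True,
    "allowPrivilegeEscalation": False,
    "privileged": False,
    "seccompProfile": {"type": "RuntimeDefault"},
    "capabilities": {"add": [], "drop": ["ALL"]},
}

def resolve_security_context(defaults, container_sc):
    """Effective container securityContext under this page's rules: missing keys
    fall back to the chart default, but capabilities.add/drop set at container
    level replace the default list (no merge). Assumption: each list is handled independently."""
    effective = copy.deepcopy(defaults)
    for key, value in container_sc.items():
        if key == "capabilities":
            caps = effective.setdefault("capabilities", {})
            for name in ("add", "drop"):
                if name in value:
                    caps[name] = list(value[name])  # override, no merge
        else:
            effective[key] = copy.deepcopy(value)  # plain per-key override
    return effective

def lint_security_context(sc):
    """Flag the two pitfalls this page warns about: CAP_-prefixed names, and
    a container-level `drop` that silently discards the default ALL."""
    problems = []
    caps = sc.get("capabilities", {})
    for name in ("add", "drop"):
        for cap in caps.get(name, []):
            if cap.startswith("CAP_"):
                problems.append(f"capabilities.{name}: write {cap[4:]} instead of {cap}")
    if "ALL" not in caps.get("drop", []):
        problems.append("capabilities.drop no longer contains ALL (override replaced the default)")
    return problems

if __name__ == "__main__":
    # Container supplies its own lists, so the default `drop: [ALL]` is replaced, not extended.
    sc = resolve_security_context(
        CHART_DEFAULTS, {"capabilities": {"add": ["CAP_NET_BIND_SERVICE"], "drop": ["NET_RAW"]}})
    print(sc["capabilities"])
    for problem in lint_security_context(sc):
        print("WARN:", problem)
```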