more docs

Stavros kois
2023-01-24 17:49:19 +02:00
parent 080f9b4a75
commit 5aad14cdbc
2 changed files with 86 additions and 7 deletions

@@ -0,0 +1,79 @@
# Security
## Key: securityContext
- Type: `dict`
- Default:
```yaml
securityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
capabilities:
add: []
drop:
- ALL
```
- Helm Template: ❌
Can be defined in:
- `.Values`.securityContext
- `.Values.additionalContainers.[container-name]`.securityContext
- `.Values.systemContainers.[container-name]`.securityContext
- `.Values.initContainers.[container-name]`.securityContext
- `.Values.installContainers.[container-name]`.securityContext
- `.Values.upgradeContainers.[container-name]`.securityContext
- `.Values.jobs.[job-name].podSpec.containers.[container-name]`.securityContext
---
By default it runs as the least privileged user. A chart developer have to \
explicitly change the user and/or privileges, capabilities, etc.
Examples:
```yaml
# This will only alter the defined keys, rest keys will come from the default.
securityContext:
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
readOnlyRootFilesystem: false
```
## Key: podSecurityContext
- Type: `dict`
- Default:
```yaml
podSecurityContext:
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: OnRootMismatch
```
- Helm Template: ❌
Can be defined in:
- `.Values`.podSecurityContext
- `.Values.jobs.[job-name].podSpec`.podSecurityContext
---
This applies on the whole pod (k8s does not offer a way to apply those per container.)
Examples:
```yaml
# This will only alter the defined keys, rest keys will come from the default.
podSecurityContext:
fsGroup: 33
```
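Review bot: The only `securityContext` example (the block setting `runAsNonRoot: false`, `runAsUser: 0`, `runAsGroup: 0`, `readOnlyRootFilesystem: false`) shows the root override without saying what stays enforced. Its comment says undefined keys come from the default, so state explicitly that `allowPrivilegeEscalation: false`, `privileged: false` and `capabilities.drop: [ALL]` still apply in that case, and document whether a user-supplied `capabilities.add` or `capabilities.drop` list merges with the default list or replaces it. In the paragraph above the example, "A chart developer have to" should read "has to".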

@@ -315,13 +315,6 @@ controller:
# -- Set StatefulSet RollingUpdate partition
partition:
###### - Everything bellow needs documentation #####
# Injected from middleware
ixCertificates: []
# Injected from middleware
ixVolumes: []
# - Bellow values are needed (in addition to the default global)
# as those are being referenced on other places in values.yaml sometimes
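Review bot: With the "Everything bellow needs documentation" banner removed from this position, the block starting at "# - Bellow values are needed (in addition to the default global)" is now implied to be documented, but that comment still does not name the values it refers to or where in values.yaml they are referenced. Either list the keys and their referencing locations in that comment, or keep the banner above this block until the docs cover it.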
@@ -344,6 +337,13 @@ securityContext:
drop:
- ALL
###### - Everything bellow needs documentation #####
# Injected from middleware
ixCertificates: []
# Injected from middleware
ixVolumes: []
# -- Configure the services for the chart here.
# Additional services can be added by adding a dictionary key similar to the 'main' service.
# @default -- See below
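Review bot: In the relocated block, `ixCertificates: []` and `ixVolumes: []` carry only "# Injected from middleware", which does not tell a chart developer whether these keys may be set by hand or what shape the injected entries have. Since the lines are being moved anyway, extend the comment to say who populates them and, if that is the intent, that chart defaults should leave them at `[]`; also correct "bellow" to "below" in the banner.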