From 5aad14cdbc43b652c204f93d699e16aef1be673f Mon Sep 17 00:00:00 2001
From: Stavros kois
Date: Tue, 24 Jan 2023 17:49:19 +0200
Subject: [PATCH] more docs
---
 docs/common/values/security.md | 79 ++++++++++++++++++++++++++++++++
 library/common/1.0.0/values.yaml | 14 +++---
 2 files changed, 86 insertions(+), 7 deletions(-)
 create mode 100644 docs/common/values/security.md
diff --git a/docs/common/values/security.md b/docs/common/values/security.md
new file mode 100644
index 0000000000..f928c22e45
--- /dev/null
+++ b/docs/common/values/security.md
@@ -0,0 +1,79 @@
+# Security
+
+## Key: securityContext
+
+- Type: `dict`
+- Default:
+
+ ```yaml
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 568
+ runAsGroup: 568
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ privileged: false
+ capabilities:
+ add: []
+ drop:
+ - ALL
+ ```
+
+- Helm Template: ❌
+
+Can be defined in:
+
+- `.Values`.securityContext
+- `.Values.additionalContainers.[container-name]`.securityContext
+- `.Values.systemContainers.[container-name]`.securityContext
+- `.Values.initContainers.[container-name]`.securityContext
+- `.Values.installContainers.[container-name]`.securityContext
+- `.Values.upgradeContainers.[container-name]`.securityContext
+- `.Values.jobs.[job-name].podSpec.containers.[container-name]`.securityContext
+
+---
+
+By default it runs as the least privileged user. A chart developer have to \
+explicitly change the user and/or privileges, capabilities, etc.
+
+Examples:
+
+```yaml
+# This will only alter the defined keys, rest keys will come from the default.
+securityContext:
+ runAsNonRoot: false
+ runAsUser: 0
+ runAsGroup: 0
+ readOnlyRootFilesystem: false
+```
+
+## Key: podSecurityContext
+
+- Type: `dict`
+- Default:
+
+ ```yaml
+ podSecurityContext:
+ fsGroup: 568
+ supplementalGroups: []
+ fsGroupChangePolicy: OnRootMismatch
+ ```
+
+- Helm Template: ❌
+
+Can be defined in:
+
+- `.Values`.podSecurityContext
+- `.Values.jobs.[job-name].podSpec`.podSecurityContext
+
+---
+
+This applies on the whole pod (k8s does not offer a way to apply those per container.)
+
+Examples:
+
+```yaml
+# This will only alter the defined keys, rest keys will come from the default.
+podSecurityContext:
+ fsGroup: 33
+```
diff --git a/library/common/1.0.0/values.yaml b/library/common/1.0.0/values.yaml
index 628da29b31..ee767046c6
--- a/library/common/1.0.0/values.yaml
+++ b/library/common/1.0.0/values.yaml
@@ -315,13 +315,6 @@ controller: # -- Set StatefulSet RollingUpdate partition partition: -###### - Everything bellow needs documentation ##### - -# Injected from middleware -ixCertificates: [] -# Injected from middleware -ixVolumes: [] - # - Bellow values are needed (in addition to the default global) # as those are being referenced on other places in values.yaml sometimes @@ -344,6 +337,13 @@ securityContext: drop: - ALL +###### - Everything bellow needs documentation ##### + +# Injected from middleware +ixCertificates: [] +# Injected from middleware +ixVolumes: [] + # -- Configure the services for the chart here. # Additional services can be added by adding a dictionary key similar to the 'main' service. # @default -- See below
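Review bot: The relocated banner `+###### - Everything bellow needs documentation #####` in the second hunk keeps the `bellow` misspelling on the new side, so `###### - Everything below needs documentation #####` is the line to change (the unchanged context line `# - Bellow values are needed` in the first hunk has the same slip but is not part of this change). The `# Injected from middleware` comments above `ixCertificates: []` and `ixVolumes: []` do not say who is allowed to populate these or that the empty lists are the intended chart defaults, and now that they sit directly after the hardened `securityContext` block a reader may take them for user tunables. A slightly fuller comment such as `# Injected from middleware at install time; keep the chart default empty and do not set this in user values` would close that gap — presumably accurate given the existing wording, but confirm against the component that performs the injection.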