Files
chart/library/common/docs/container/securityContext.md
Stavros Kois 929e60d801 NAS-121003 / 23.10 / Adapt charts CI and improve/fix common (#1011)
* Adapt charts CI and improve/fix common

* add check on permissions container

* add postgres template

* update comments

* Update create_app.sh

* add check

* update script

* auto gen item.yaml from Chart.yaml

* rename readme on dest

* duplicate readme from the same source

* correct comment

* reorder

* remove extra space

* keep both README and app-readme

* update regex, to also allow 2 letter names, which is also valid

* No need to check host network if there aren't any pod values

* use same pattern as the pod.name label (not prepending release-name)

* update deps

* add chart dirs to ci

* Add a validation to check if there is any yaml errors after merging files

* update charts path on ci

* common/1.0.0/ -> common/

* update common-test dep path

* temp update create_app script

* make permissions container name configurable, in case we want to change order of execution

* update naming convention

* fix typo and a missed name change

* do not allow `--` in names
2023-03-16 17:36:19 +02:00

5.3 KiB

Security Context

Assume every key below has a prefix of workload.[workload-name].podSpec.containers.[container-name].

| Key | Type | Required | Helm Template | Default | Description |
| --- | --- | --- | --- | --- | --- |
| securityContext | dict | | | {{ .Values.securityContext.container }} | Define securityContext for the container |
| securityContext.runAsUser | int | | | {{ .Values.securityContext.container.runAsUser }} | Define the runAsUser for the container |
| securityContext.runAsGroup | int | | | {{ .Values.securityContext.container.runAsGroup }} | Define the runAsGroup for the container |
| securityContext.readOnlyRootFilesystem | boolean | | | {{ .Values.securityContext.container.readOnlyRootFilesystem }} | Define the readOnlyRootFilesystem for the container |
| securityContext.allowPrivilegeEscalation | boolean | | | {{ .Values.securityContext.container.allowPrivilegeEscalation }} | Define the allowPrivilegeEscalation for the container |
| securityContext.privileged | boolean | | | {{ .Values.securityContext.container.privileged }} | Define the privileged for the container |
| securityContext.runAsNonRoot | boolean | | | {{ .Values.securityContext.container.runAsNonRoot }} | Define the runAsNonRoot for the container |
| securityContext.capabilities | dict | | | {{ .Values.securityContext.container.capabilities }} | Define the capabilities for the container |
| securityContext.capabilities.add | list | | | {{ .Values.securityContext.container.capabilities.add }} | Define the capabilities.add for the container |
| securityContext.capabilities.drop | list | | | {{ .Values.securityContext.container.capabilities.drop }} | Define the capabilities.drop for the container |
| securityContext.seccompProfile | dict | | | {{ .Values.securityContext.container.seccompProfile }} | Define the seccompProfile for the container |
| securityContext.seccompProfile.type | string | | | {{ .Values.securityContext.container.seccompProfile.type }} | Define the seccompProfile.type for the container (RuntimeDefault, Localhost, Unconfined) |
| securityContext.seccompProfile.profile | string | (Only when Localhost type) | | {{ .Values.securityContext.container.seccompProfile.profile }} | Define the seccompProfile.profile for the container (Only when type is Localhost) |

Each value that is not defined in the container-level securityContext falls back to the value defined in .Values.securityContext.container. Capabilities are the exception to this per-key fallback: if add or drop is defined at the container level, it is NOT merged with .Values.securityContext.container.capabilities.[add/drop]; the container-level list overrides the default list entirely.

Appears in:

  • .Values.workload.[workload-name].podSpec.containers.[container-name].securityContext

Examples:

workload:
  workload-name:
    enabled: true
    primary: true
    podSpec:
      containers:
        container-name:
          enabled: true
          primary: true
          securityContext:
            runAsNonRoot: true
            runAsUser: 568
            runAsGroup: 568
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            privileged: false
            seccompProfile:
              type: Localhost
              profile: path/to/profile.json
            capabilities:
              add: []
              drop:
                - ALL

Notes:

When setting capabilities for containers, remember NOT to include the CAP_ prefix. For example, CAP_NET_ADMIN should be written as NET_ADMIN.
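To make the rules on this page concrete (the per-key fallback to .Values.securityContext.container described after the table, the rule that container-level capabilities.add/drop override rather than merge, and the note that capability names carry no CAP_ prefix), here is an added Python model of that behaviour. It is example code, not the common library's Helm templates: the values in CHART_DEFAULTS, the function names, and the extra runAsNonRoot/UID 0 check (a Kubernetes constraint, not something the page states) are assumptions for this example.

```python
"""Added example: model of the documented securityContext fallback rules and a
validator for the constraints the page states. Not the common chart's own code."""
import copy

VALID_SECCOMP_TYPES = ("RuntimeDefault", "Localhost", "Unconfined")

# Constructed stand-in for .Values.securityContext.container (chart-wide
# defaults). The concrete values are assumptions for this example only.
CHART_DEFAULTS = {
    "runAsUser": 568,
    "runAsGroup": 568,
    "readOnlyRootFilesystem": True,
    "allowPrivilegeEscalation": False,
    "privileged": False,
    "runAsNonRoot": True,
    "capabilities": {"add": [], "drop": ["ALL"]},
    "seccompProfile": {"type": "RuntimeDefault"},
}


def merge_security_context(container_sc, defaults=CHART_DEFAULTS):
    """Compute the effective securityContext of one container.

    Every key the container does not set falls back to the chart default.
    capabilities.add / capabilities.drop set at container level replace the
    default list outright; they are never unioned with it.
    """
    merged = copy.deepcopy(defaults)
    for key, value in (container_sc or {}).items():
        if key in ("capabilities", "seccompProfile") and isinstance(value, dict):
            # Sub-key fallback: only sub-keys present at container level override,
            # and a present list (add/drop) replaces the default list as a whole.
            merged.setdefault(key, {}).update(copy.deepcopy(value))
        else:
            merged[key] = value
    return merged


def validate_security_context(sc):
    """Return a list of problems; an empty list means the context is acceptable."""
    problems = []
    caps = sc.get("capabilities") or {}
    for field in ("add", "drop"):
        for cap in caps.get(field) or []:
            # Page note: names are given without the CAP_ prefix (NET_ADMIN, not CAP_NET_ADMIN).
            if cap.upper().startswith("CAP_"):
                problems.append(
                    f"capabilities.{field}: '{cap}' must not carry the CAP_ prefix "
                    f"(use '{cap[4:]}')"
                )
    sp = sc.get("seccompProfile") or {}
    sp_type = sp.get("type")
    if sp_type not in VALID_SECCOMP_TYPES:
        problems.append(f"seccompProfile.type: '{sp_type}' is not one of {VALID_SECCOMP_TYPES}")
    # Page rule: profile is set only when type is Localhost.
    if sp_type == "Localhost" and not sp.get("profile"):
        problems.append("seccompProfile.profile is required when type is Localhost")
    if sp_type != "Localhost" and sp.get("profile"):
        problems.append("seccompProfile.profile is only meaningful when type is Localhost")
    # Kubernetes rule, not from the page: runAsNonRoot cannot be satisfied by UID 0.
    if sc.get("runAsNonRoot") and sc.get("runAsUser") == 0:
        problems.append("runAsNonRoot is true but runAsUser is 0; the pod would fail to start")
    return problems


if __name__ == "__main__":
    # The container from the page's example, with a Localhost seccomp profile.
    page_example = {
        "runAsNonRoot": True,
        "runAsUser": 568,
        "runAsGroup": 568,
        "readOnlyRootFilesystem": True,
        "allowPrivilegeEscalation": False,
        "privileged": False,
        "seccompProfile": {"type": "Localhost", "profile": "path/to/profile.json"},
        "capabilities": {"add": [], "drop": ["ALL"]},
    }
    effective = merge_security_context(page_example)
    print(effective)
    print("problems:", validate_security_context(effective) or "none")
```

A container that only sets capabilities.add keeps the default drop list, while an add list it does set replaces the default add list rather than being appended to it, which is exactly the override behaviour the page describes.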