mirror of
https://github.com/truenas/charts.git
synced 2026-06-16 23:19:15 +08:00
80 lines
1.6 KiB
Markdown
# Security

## Key: securityContext

- Type: `dict`
- Default:

  ```yaml
  securityContext:
    runAsNonRoot: true
    runAsUser: 568
    runAsGroup: 568
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    privileged: false
    capabilities:
      add: []
      drop:
        - ALL
  ```

- Helm Template: ❌

Can be defined in:

- `.Values`.securityContext
- `.Values.additionalContainers.[container-name]`.securityContext
- `.Values.systemContainers.[container-name]`.securityContext
- `.Values.initContainers.[container-name]`.securityContext
- `.Values.installContainers.[container-name]`.securityContext
- `.Values.upgradeContainers.[container-name]`.securityContext
- `.Values.jobs.[job-name].podSpec.containers.[container-name]`.securityContext

---

By default, the container runs as the least privileged user. A chart developer has to explicitly change the user and/or privileges, capabilities, etc.

Examples:

```yaml
# This only alters the keys defined here; the remaining keys come from the default.
securityContext:
  runAsNonRoot: false
  runAsUser: 0
  runAsGroup: 0
  readOnlyRootFilesystem: false
```
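To see which overrides move a chart away from these defaults, the following added example (not part of the chart library's own code) merges each override onto the documented default and reports the keys that end up different. It assumes nested dicts such as `capabilities` merge key by key and that every location is merged directly onto the default; the function names and sample values are constructed for illustration.

```python
import copy
# Defaults copied from the `securityContext` key documented above.
DEFAULTS = {
    "runAsNonRoot": True, "runAsUser": 568, "runAsGroup": 568,
    "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
    "privileged": False, "capabilities": {"add": [], "drop": ["ALL"]},
}
# Locations listed above that hold a dict of named containers.
CONTAINER_KEYS = ("additionalContainers", "systemContainers", "initContainers",
                  "installContainers", "upgradeContainers")

def merge(defaults, override):
    """Defined keys win; the rest come from the default (nested dicts assumed to merge)."""
    out = copy.deepcopy(defaults)
    for key, val in (override or {}).items():
        nested = isinstance(val, dict) and isinstance(out.get(key), dict)
        out[key] = merge(out[key], val) if nested else copy.deepcopy(val)
    return out

def flatten(ctx):
    """Lift capabilities.add/drop to top-level keys so they compare individually."""
    flat = {k: v for k, v in ctx.items() if k != "capabilities"}
    for k, v in ctx.get("capabilities", {}).items():
        flat[f"capabilities.{k}"] = v
    return flat

def deviations(override):
    """Settings of the effective context that differ from the documented default."""
    base = flatten(DEFAULTS)
    return {k: v for k, v in flatten(merge(DEFAULTS, override)).items() if base.get(k) != v}

def audit(values):
    """Map every location that sets securityContext to its deviations from the default."""
    found = {".Values": values.get("securityContext")}
    for key in CONTAINER_KEYS:
        for name, spec in (values.get(key) or {}).items():
            found[f".Values.{key}.{name}"] = spec.get("securityContext")
    for job, spec in (values.get("jobs") or {}).items():
        for name, ctr in spec.get("podSpec", {}).get("containers", {}).items():
            found[f".Values.jobs.{job}.podSpec.containers.{name}"] = ctr.get("securityContext")
    return {loc: deviations(o) for loc, o in found.items() if o}

# Constructed sample values, not taken from any real chart.
SAMPLE = {
    "securityContext": {"runAsNonRoot": False, "runAsUser": 0, "runAsGroup": 0},
    "initContainers": {"fix-perms": {"securityContext": {"capabilities": {"add": ["CHOWN"]}}}},
    "additionalContainers": {"sidecar": {"securityContext": {"runAsUser": 568}}},
}
if __name__ == "__main__": print(audit(SAMPLE))
```

An empty result for a location means an override is present but the effective context still matches the default.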

## Key: podSecurityContext

- Type: `dict`
- Default:

  ```yaml
  podSecurityContext:
    fsGroup: 568
    supplementalGroups: []
    fsGroupChangePolicy: OnRootMismatch
  ```

- Helm Template: ❌

Can be defined in:

- `.Values`.podSecurityContext
- `.Values.jobs.[job-name].podSpec`.podSecurityContext

---

This applies to the whole pod (k8s does not offer a way to apply these settings per container).

Examples:

```yaml
# This only alters the keys defined here; the remaining keys come from the default.
podSecurityContext:
  fsGroup: 33
```