truenas/chart
1
0
Fork 0
mirror of https://github.com/truenas/charts.git synced 2026-04-24 02:20:15 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
3c8fa19b5cb45fb9538284584d2fe218c6825319
chart/library/common/1.0.0/docs/container/securityContext.md
Stavros Kois 5b1abdd839 NAS-118930 / 23.10 / Improve/Refactor Common Library (#917) 
* fix

* fix

* some more

* somefixs

* whops

* initial structure

* finish up configmap

* secret class

* runtest secret

* move files arround

* ignore

* make clear on call template that need root context

* imagePullSecret (minus targetSelector)

* move out of the way

* clean up comment

* deployment basic spec

* daemonset basic spec

* statefulset spec

* split file

* docs

* update values

* job spec

* job docs

* cronJob basic spec

* job in cron test

* add common version

* podsepc

* whoopsis

* selectorlabels and pod metadata

* job and cron pod metadata

* update docs

* consistent order

* get ready for pod

* first targetSelector

* remove todo

* update docs

* add hostnet and enableservicelinks

* update selector logic

* update docs

* add tests for restartpolicy

* schedulerName

* priorityclassname

* hostname

* termperiodsec

* nodeselector

* add fail case

* host aliases

* dns policy

* dns config

* tolerations

* serviceaccoutn class, spawner, saname selector

* add pod todo

* update some tests

* add runtimeclassname

* controllers -> workload and plurar to singular

* require at least 1 primary on enabled SAs

* fix script

* remove wrong comment

* update naming scheme

* update rbac values ref

* rbac docs

* rbac's

* append short name, for future use

* update comments

* initial service wireframe

* shorten line

* simplify labels and update tests

* service selectors

* simplify error messages

* finish clusterIP type

* loadbalancer

* noedport

* externalname

* external ip

* update service

* fix highlighting

* session affinity

* add comment

* update comments

* service ports

* fix indentation

* externalname can have no ports

* fixup externalIP

* add pvc class and spawner and tests

* add nfs and emptyDir vols

* example

* extend docs a bit

* not create pvc if existing claim is set

* helm... you are dumb really. how this fixes an unrelated test

* add configmap

* add secret vol

* add pvc vol

* add hostpath

* finish volumes

* initial podsec

* podsec context with some todo's to check

* automatic sysctls

* remove todo

* update doc struct

* split docs

* split service docs

* initial container plumbing

* fix tests

* fix test

* rename to class

* command and args

* termination

* add lifecycle

* int value from tpl

* another case

* fix service protocol tpl

* update readme

* ports

* update todo

* cleanup values a bit

* only add sysctl when port is bellow 1024

* whops, thats a different range

* update avlue

* move some old docs to the "to be deleted" dir

* externalinteface validation

* update an error message and apply externalinterface annotations to workloads

* external interfaces

* TZ - TIMEZONE

* update rdoc

* reduce code duple

* device vol type

* initial certificate plumbing

* update comments

* finish secret creation of certificate

* cert dosc

* volumeMounts

* scale certs

* doc

* add tests for volMounts

* values updates

* update todo

* add test case

* remove some todo

* update todos

* vct

* remove tdoo

* restore default

* rename function

* make selectorlabels a bit better

* trim

* some cleanup

* update some ci values

* update ci

* rollingup defaults

* rename dir

* fix nil pointers

* check the same strategy var

* whops

* fix tests

* typo

* not a good day for copy paste

* move check

* move another check

* fix some tests for upcoming probes

* one mroe

* split docs

* add default probes for `main` and docs

* add probes and some ci testruns

* whops

* fix an edge case

* add an error for edge case

* runtests

* runtest updaets

* update

* check if podvalues exist first

* force types

* force only one of the 2

* quote labels and annotaions values

* job/cron have auto gen selectors

* remove false test

* fix maxsureg

* fix end

* different fix

* fix some tests

* fix rollUp

* try to fix 3.9.4 helm

* move file to helpers

* use capital types in probes and lifecycle

* Revert "use capital types in probes and lifecycle"

This reverts commit 380ebd5f1f.

* typo

* use lowercase for protocol everywhere

* rbac runtest

* prune old

* add resources

* add resources

* fix rbc

* fix sa naming in pod

* fix test

* 44 suppl group on gpu

* remove todo

* extract function in another file

* whops

* add securityContext implementation

* add fail cases

* add rest of the tests

* remove todo

* envFrom

* minify

* env list

* add env

* add envdupe check tests

* add fixed envs

* replace containers with callers

* add callers

* add initContainer

* add init run test

* reset default test val

* add  name tests

* add some more tests

* rename

* validate workload type only if enabled

* lint fix for 3.9.4

* add tpl on init enabled

* whops

* fix init

* echo

* echo

* args...

* list

* comment out disabled persistences

* fix some typos and improve resources `requests` requirement

* improve docs a bit

* require name,description,version,type

* add some wording regarding what Helm Template column means

* add title as requirement

* remove scheduler

* remove priority class name

* remove nfs + externalIP

* remove LB

* remove STS & VCT

* fix a test

* remove nodeselector

* remove DS

* remove pvc

* remove todo

* conditionally print the type, as we might want to use the template to select all objects inthe chart

* add some docs

* docs for notes

* add `tls.` in the certificate secret, according to k8s docs

* add some basic docs around the rest of the options

* clean values.yaml

* catch an edge case

* remove externalName

* set autmountSA on SA to false

* add note about the automountSA
2023-02-20 15:23:33 +02:00

5.1 KiB
Raw Blame History

Security Context

Assume every key below has a prefix of workload.[workload-name].podSpec.containers.[container-name].

Key Type Required Helm Template Default Description
securityContext dict {{ .Values.securityContext.container }} Define securityContext for the container
securityContext.runAsUser int {{ .Values.securityContext.container.runAsUser }} Define the runAsUser for the container
securityContext.runAsGroup int {{ .Values.securityContext.container.runAsGroup }} Define the runAsGroup for the container
securityContext.readOnlyRootFilesystem boolean {{ .Values.securityContext.container.readOnlyRootFilesystem }} Define the readOnlyRootFilesystem for the container
securityContext.allowPrivilegeEscalation boolean {{ .Values.securityContext.container.allowPrivilegeEscalation }} Define the allowPrivilegeEscalation for the container
securityContext.privileged boolean {{ .Values.securityContext.container.privileged }} Define the privileged for the container
securityContext.runAsNonRoot boolean {{ .Values.securityContext.container.runAsNonRoot }} Define the runAsNonRoot for the container
securityContext.capabilities dict {{ .Values.securityContext.container.capabilities }} Define the capabilities for the container
securityContext.capabilities.add list {{ .Values.securityContext.container.capabilities.add }} Define the capabilities.add for the container
securityContext.capabilities.drop list {{ .Values.securityContext.container.capabilities.drop }} Define the capabilities.drop for the container
securityContext.seccompProfile dict {{ .Values.securityContext.container.seccompProfile }} Define the seccompProfile for the container
securityContext.seccompProfile.type string {{ .Values.securityContext.container.seccompProfile.type }} Define the seccompProfile.type for the container (RuntimeDefault, Localhost, Unconfined)
securityContext.seccompProfile.profile string (Only when Localhost type ) {{ .Values.securityContext.container.seccompProfile.profile }} Define the seccompProfile.profile for the container (Only when type is Localhost)

Each value that is not defined in the securityContext under the container level, it will get replaced with the value defined .Values.securityContext.container. If a capability is defined in either add or drop on container level, it will NOT get merged with the value(s) from the .Values.securityContext.container.capabilities.[add/drop]. But it will override them.

Appears in:

  • .Values.workload.[workload-name].podSpec.containers.[container-name].securityContext

Examples:

workload:
  workload-name:
    enabled: true
    primary: true
    podSpec:
      containers:
        container-name:
          enabled: true
          primary: true
          securityContext:
            runAsNonRoot: true
            runAsUser: 568
            runAsGroup: 568
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            privileged: false
            seccompProfile:
              type: Localhost
              profile: path/to/profile.json
            capabilities:
              add: []
              drop:
                - ALL
Reference in New Issue View Git Blame Copy Permalink