chart/library/common/docs/container/securityContext.md
Stavros Kois 929e60d801 NAS-121003 / 23.10 / Adapt charts CI and improve/fix common (#1011)
* Adapt charts CI and improve/fix common

* add check on permissions container

* add postgres template

* update comments

* Update create_app.sh

* add check

* update script

* auto gen item.yaml from Chart.yaml

* rename readme on dest

* duplicate readme from the same source

* correct comment

* reorder

* remove extra space

* keep both README and app-readme

* update regex, to also allow 2 letter names, which is also valid

* No need to check host network if there aren't any pod values

* use same pattern as the pod.name label (not prepending release-name)

* update deps

* add chart dirs to ci

* Add a validation to check if there is any yaml errors after merging files

* update charts path on ci

* common/1.0.0/ -> common/

* update common-test dep path

* temp update create_app script

* make permissions container name configurable, in case we want to change order of execution

* update naming convention

* fix typo and a missed name change

* do not allow `--` in names
2023-03-16 17:36:19 +02:00


# Security Context
Assume every key below has a prefix of `workload.[workload-name].podSpec.containers.[container-name]`.
| Key | Type | Required | Helm Template | Default | Description |
| :--------------------------------------- | :-------: | :----------------------------: | :-----------: | :----------------------------------------------------------------: | :--------------------------------------------------------------------------------------- |
| securityContext | `dict` | ✅ | ❌ | `{{ .Values.securityContext.container }}` | Define securityContext for the container |
| securityContext.runAsUser | `int` | ✅ | ❌ | `{{ .Values.securityContext.container.runAsUser }}` | Define the runAsUser for the container |
| securityContext.runAsGroup | `int` | ✅ | ❌ | `{{ .Values.securityContext.container.runAsGroup }}` | Define the runAsGroup for the container |
| securityContext.readOnlyRootFilesystem | `boolean` | ✅ | ❌ | `{{ .Values.securityContext.container.readOnlyRootFilesystem }}` | Define the readOnlyRootFilesystem for the container |
| securityContext.allowPrivilegeEscalation | `boolean` | ✅ | ❌ | `{{ .Values.securityContext.container.allowPrivilegeEscalation }}` | Define the allowPrivilegeEscalation for the container |
| securityContext.privileged | `boolean` | ✅ | ❌ | `{{ .Values.securityContext.container.privileged }}` | Define the privileged for the container |
| securityContext.runAsNonRoot | `boolean` | ✅ | ❌ | `{{ .Values.securityContext.container.runAsNonRoot }}` | Define the runAsNonRoot for the container |
| securityContext.capabilities | `dict` | ✅ | ❌ | `{{ .Values.securityContext.container.capabilities }}` | Define the capabilities for the container |
| securityContext.capabilities.add | `list` | ✅ | ❌ | `{{ .Values.securityContext.container.capabilities.add }}` | Define the capabilities.add for the container |
| securityContext.capabilities.drop | `list` | ✅ | ❌ | `{{ .Values.securityContext.container.capabilities.drop }}` | Define the capabilities.drop for the container |
| securityContext.seccompProfile | `dict` | ✅ | ❌ | `{{ .Values.securityContext.container.seccompProfile }}` | Define the seccompProfile for the container |
| securityContext.seccompProfile.type | `string` | ✅ | ❌ | `{{ .Values.securityContext.container.seccompProfile.type }}` | Define the seccompProfile.type for the container (RuntimeDefault, Localhost, Unconfined) |
| securityContext.seccompProfile.profile | `string` | ✅ (Only when type is Localhost) | ❌ | `{{ .Values.securityContext.container.seccompProfile.profile }}` | Define the seccompProfile.profile for the container (Only when type is Localhost) |
> Each value that is not defined in the container-level `securityContext` is replaced with the value defined in `.Values.securityContext.container`.
> If a capability list is defined in either `add` or `drop` at the container level, it is **NOT** merged
> with the value(s) from `.Values.securityContext.container.capabilities.[add/drop]`; it overrides them.
---
Appears in:
- `.Values.workload.[workload-name].podSpec.containers.[container-name].securityContext`
---
Examples:
```yaml
workload:
  workload-name:
    enabled: true
    primary: true
    podSpec:
      containers:
        container-name:
          enabled: true
          primary: true
          securityContext:
            runAsNonRoot: true
            runAsUser: 568
            runAsGroup: 568
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            privileged: false
            seccompProfile:
              type: Localhost
              profile: path/to/profile.json
            capabilities:
              add: []
              drop:
                - ALL
```
---
Notes:
When setting capabilities for containers, remember to **NOT** include the `CAP_` prefix.
For example, `CAP_NET_ADMIN` should be written as `NET_ADMIN`.
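The following is an added example, not code from the common library itself: it reproduces the merge rules stated in the note above (container-level keys win, unset keys fall back to `.Values.securityContext.container`, and a capability list given at container level replaces the default list instead of merging with it) and then flags the mistakes this page calls out, such as a `CAP_` prefix or a `Localhost` seccomp type without a `profile`. The `DEFAULTS` dict is a constructed sample of the chart-wide values, and the `runAsNonRoot` versus `runAsUser: 0` check is an extra consistency check I added beyond the notes.

```python
import copy

# Constructed sample of `.Values.securityContext.container` (chart-wide defaults).
DEFAULTS = {
    "runAsUser": 568,
    "runAsGroup": 568,
    "runAsNonRoot": True,
    "readOnlyRootFilesystem": True,
    "allowPrivilegeEscalation": False,
    "privileged": False,
    "seccompProfile": {"type": "RuntimeDefault"},
    "capabilities": {"add": [], "drop": ["ALL"]},
}


def merge_security_context(defaults, container):
    """Container-level keys override the defaults; missing keys fall back.

    `capabilities` and `seccompProfile` are merged per sub-key, so an `add`
    list set at container level replaces the default `add` list entirely while
    an unset `drop` still inherits the default `drop` list. Nothing is mutated.
    """
    merged = copy.deepcopy(defaults)
    for key, value in container.items():
        if key in ("capabilities", "seccompProfile") and isinstance(value, dict):
            merged.setdefault(key, {}).update(copy.deepcopy(value))
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def validate_security_context(sc):
    """Return human-readable problems found in a merged securityContext."""
    problems = []
    for action in ("add", "drop"):
        for cap in sc.get("capabilities", {}).get(action, []):
            if cap.startswith("CAP_"):  # Kubernetes expects NET_ADMIN, not CAP_NET_ADMIN
                problems.append(f"capabilities.{action}: use {cap[4:]} not {cap}")
    seccomp = sc.get("seccompProfile", {})
    if seccomp.get("type") == "Localhost" and not seccomp.get("profile"):
        problems.append("seccompProfile.profile is required when type is Localhost")
    if sc.get("runAsNonRoot") and sc.get("runAsUser") == 0:
        problems.append("runAsNonRoot is true but runAsUser is 0 (container will not start)")
    return problems


if __name__ == "__main__":
    merged = merge_security_context(DEFAULTS, {"capabilities": {"add": ["CAP_NET_ADMIN"]}})
    print(merged["capabilities"], validate_security_context(merged))
```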