Security Context
Appears in
.Values.workload.$name.podSpec.containers.$name
.Values.workload.$name.podSpec.initContainers.$name
securityContext
Define securityContext for the container
Key | workload.$name.podSpec.containers.$name.securityContext |
Type | map |
Required | ✅ |
Helm tpl | ❌ |
Default | See here |
Example
workload: workload-name: podSpec: containers: container-name: securityContext: {}
securityContext.runAsUser
Define the runAsUser for the container
Key | workload.$name.podSpec.containers.$name.securityContext.runAsUser |
Type | int |
Required | ✅ |
Helm tpl | ❌ |
Default | See here |
Example
workload: workload-name: podSpec: containers: container-name: securityContext: runAsUser: 568
securityContext.runAsGroup
Define the runAsGroup for the container
Key | workload.$name.podSpec.containers.$name.securityContext.runAsGroup |
Type | int |
Required | ✅ |
Helm tpl | ❌ |
Default | See here |
Example
workload: workload-name: podSpec: containers: container-name: securityContext: runAsGroup: 568
securityContext.readOnlyRootFilesystem
Define the readOnlyRootFilesystem for the container
Key | workload.$name.podSpec.containers.$name.securityContext.readOnlyRootFilesystem |
Type | bool |
Required | ✅ |
Helm tpl | ❌ |
Default | See here |
Example
workload: workload-name: podSpec: containers: container-name: securityContext: readOnlyRootFilesystem: true
securityContext.allowPrivilegeEscalation
Define the allowPrivilegeEscalation for the container
Key | workload.$name.podSpec.containers.$name.securityContext.allowPrivilegeEscalation |
Type | bool |
Required | ✅ |
Helm tpl | ❌ |
Default | See here |
Example
workload: workload-name: podSpec: containers: container-name: securityContext: allowPrivilegeEscalation: false
securityContext.privileged
Define the privileged for the container
Key | workload.$name.podSpec.containers.$name.securityContext.privileged |
Type | bool |
Required | ✅ |
Helm tpl | ❌ |
Default | See here |
Example
workload: workload-name: podSpec: containers: container-name: securityContext: privileged: false
securityContext.runAsNonRoot
Define the runAsNonRoot for the container
Key | workload.$name.podSpec.containers.$name.securityContext.runAsNonRoot |
Type | bool |
Required | ✅ |
Helm tpl | ❌ |
Default | See here |
Example
workload: workload-name: podSpec: containers: container-name: securityContext: runAsNonRoot: true
securityContext.capabilities
Define the capabilities for the container
Key | workload.$name.podSpec.containers.$name.securityContext.capabilities |
Type | map |
Required | ✅ |
Helm tpl | ❌ |
Default | See here |
Example
workload: workload-name: podSpec: containers: container-name: securityContext: capabilities: {}
securityContext.capabilities.add
Define the capabilities.add for the container
Key | workload.$name.podSpec.containers.$name.securityContext.capabilities.add |
Type | list of string |
Required | ✅ |
Helm tpl | ❌ |
Default | See here |
Example
workload: workload-name: podSpec: containers: container-name: securityContext: capabilities: add: []
securityContext.capabilities.drop
Define the capabilities.drop for the container
Key | workload.$name.podSpec.containers.$name.securityContext.capabilities.drop |
Type | list of string |
Required | ✅ |
Helm tpl | ❌ |
Default | See here |
Example
workload: workload-name: podSpec: containers: container-name: securityContext: capabilities: drop: []
securityContext.seccompProfile
Define the seccompProfile for the container
Key | workload.$name.podSpec.containers.$name.securityContext.seccompProfile |
Type | map |
Required | ✅ |
Helm tpl | ❌ |
Default | See here |
Example
workload: workload-name: podSpec: containers: container-name: securityContext: seccompProfile: {}
securityContext.seccompProfile.type
Define the seccompProfile.type for the container
Key | workload.$name.podSpec.containers.$name.securityContext.seccompProfile.type |
Type | string |
Required | ✅ |
Helm tpl | ❌ |
Default | See here |
Valid Values:
RuntimeDefault
Localhost
Unconfined
Example
workload: workload-name: podSpec: containers: container-name: securityContext: seccompProfile: type: Localhost
securityContext.seccompProfile.profile
Define the seccompProfile.profile for the container
Key | workload.$name.podSpec.containers.$name.securityContext.seccompProfile.profile |
Type | string |
Required | ✅ |
Helm tpl | ❌ |
Default | See here |
Example
workload: workload-name: podSpec: containers: container-name: securityContext: seccompProfile: type: Localhost profile: path/to/profile.json
Full Examples
workload: workload-name: enabled: true primary: true podSpec: containers: container-name: enabled: true primary: true securityContext: runAsNonRoot: true runAsUser: 568 runAsGroup: 568 readOnlyRootFilesystem: true allowPrivilegeEscalation: false privileged: false seccompProfile: type: Localhost profile: path/to/profile.json capabilities: add: [] drop: - ALL