# Security Context

## Appears in

- `.Values.workload.$name.podSpec.containers.$name`
- `.Values.workload.$name.podSpec.initContainers.$name`

## securityContext

Define `securityContext` for the container.

| Key | `workload.$name.podSpec.containers.$name.securityContext` |
|---|---|
| Type | map |
| Required | ✅ |
| Helm tpl | ❌ |
| Default | See here |

### Example

```yaml
workload:
  workload-name:
    podSpec:
      containers:
        container-name:
          securityContext: {}
```

## securityContext.runAsUser

Define the `runAsUser` for the container.

| Key | `workload.$name.podSpec.containers.$name.securityContext.runAsUser` |
|---|---|
| Type | int |
| Required | ✅ |
| Helm tpl | ❌ |
| Default | See here |

### Example

```yaml
workload:
  workload-name:
    podSpec:
      containers:
        container-name:
          securityContext:
            runAsUser: 568
```

## securityContext.runAsGroup

Define the `runAsGroup` for the container.

| Key | `workload.$name.podSpec.containers.$name.securityContext.runAsGroup` |
|---|---|
| Type | int |
| Required | ✅ |
| Helm tpl | ❌ |
| Default | See here |

### Example

```yaml
workload:
  workload-name:
    podSpec:
      containers:
        container-name:
          securityContext:
            runAsGroup: 568
```

## securityContext.readOnlyRootFilesystem

Define `readOnlyRootFilesystem` for the container.

| Key | `workload.$name.podSpec.containers.$name.securityContext.readOnlyRootFilesystem` |
|---|---|
| Type | bool |
| Required | ✅ |
| Helm tpl | ❌ |
| Default | See here |

### Example

```yaml
workload:
  workload-name:
    podSpec:
      containers:
        container-name:
          securityContext:
            readOnlyRootFilesystem: true
```

## securityContext.allowPrivilegeEscalation

Define `allowPrivilegeEscalation` for the container.

| Key | `workload.$name.podSpec.containers.$name.securityContext.allowPrivilegeEscalation` |
|---|---|
| Type | bool |
| Required | ✅ |
| Helm tpl | ❌ |
| Default | See here |

### Example

```yaml
workload:
  workload-name:
    podSpec:
      containers:
        container-name:
          securityContext:
            allowPrivilegeEscalation: false
```

## securityContext.privileged

Define `privileged` for the container.

| Key | `workload.$name.podSpec.containers.$name.securityContext.privileged` |
|---|---|
| Type | bool |
| Required | ✅ |
| Helm tpl | ❌ |
| Default | See here |

### Example

```yaml
workload:
  workload-name:
    podSpec:
      containers:
        container-name:
          securityContext:
            privileged: false
```

## securityContext.runAsNonRoot

Define `runAsNonRoot` for the container.

| Key | `workload.$name.podSpec.containers.$name.securityContext.runAsNonRoot` |
|---|---|
| Type | bool |
| Required | ✅ |
| Helm tpl | ❌ |
| Default | See here |

### Example

```yaml
workload:
  workload-name:
    podSpec:
      containers:
        container-name:
          securityContext:
            runAsNonRoot: true
```

## securityContext.capabilities

Define the `capabilities` for the container.

| Key | `workload.$name.podSpec.containers.$name.securityContext.capabilities` |
|---|---|
| Type | map |
| Required | ✅ |
| Helm tpl | ❌ |
| Default | See here |

### Example

```yaml
workload:
  workload-name:
    podSpec:
      containers:
        container-name:
          securityContext:
            capabilities: {}
```

## securityContext.capabilities.add

Define `capabilities.add` for the container.

| Key | `workload.$name.podSpec.containers.$name.securityContext.capabilities.add` |
|---|---|
| Type | list of string |
| Required | ✅ |
| Helm tpl | ❌ |
| Default | See here |

### Example

```yaml
workload:
  workload-name:
    podSpec:
      containers:
        container-name:
          securityContext:
            capabilities:
              add: []
```

## securityContext.capabilities.drop

Define `capabilities.drop` for the container.

| Key | `workload.$name.podSpec.containers.$name.securityContext.capabilities.drop` |
|---|---|
| Type | list of string |
| Required | ✅ |
| Helm tpl | ❌ |
| Default | See here |

### Example

```yaml
workload:
  workload-name:
    podSpec:
      containers:
        container-name:
          securityContext:
            capabilities:
              drop: []
```

## securityContext.seccompProfile

Define the `seccompProfile` for the container.

| Key | `workload.$name.podSpec.containers.$name.securityContext.seccompProfile` |
|---|---|
| Type | map |
| Required | ✅ |
| Helm tpl | ❌ |
| Default | See here |

### Example

```yaml
workload:
  workload-name:
    podSpec:
      containers:
        container-name:
          securityContext:
            seccompProfile: {}
```

## securityContext.seccompProfile.type

Define `seccompProfile.type` for the container.

| Key | `workload.$name.podSpec.containers.$name.securityContext.seccompProfile.type` |
|---|---|
| Type | string |
| Required | ✅ |
| Helm tpl | ❌ |
| Default | See here |

Valid values:

- `RuntimeDefault`
- `Localhost`
- `Unconfined`

### Example

```yaml
workload:
  workload-name:
    podSpec:
      containers:
        container-name:
          securityContext:
            seccompProfile:
              type: Localhost
```

## securityContext.seccompProfile.profile

Define `seccompProfile.profile` for the container.

| Key | `workload.$name.podSpec.containers.$name.securityContext.seccompProfile.profile` |
|---|---|
| Type | string |
| Required | ✅ |
| Helm tpl | ❌ |
| Default | See here |

### Example

```yaml
workload:
  workload-name:
    podSpec:
      containers:
        container-name:
          securityContext:
            seccompProfile:
              type: Localhost
              profile: path/to/profile.json
```

## Full Examples

```yaml
workload:
  workload-name:
    enabled: true
    primary: true
    podSpec:
      containers:
        container-name:
          enabled: true
          primary: true
          securityContext:
            runAsNonRoot: true
            runAsUser: 568
            runAsGroup: 568
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            privileged: false
            seccompProfile:
              type: Localhost
              profile: path/to/profile.json
            capabilities:
              add: []
              drop:
                - ALL
```
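The keys above are only as strong as the values an operator actually sets, so a pre-deploy check over `values.yaml` is a useful guard. The script below is an added example, not part of the chart or its documentation. It walks every `securityContext` under both `podSpec.containers` and `podSpec.initContainers` (the two places this section says the field appears) and reports settings that weaken the container. The `HARDENED_VALUES` dict is constructed to mirror the full example above; `WEAK_VALUES` is a constructed counter-example; the set of capabilities it treats as high-risk is the example's own choice, not something the chart enforces.

```python
"""Lint the securityContext of each container/initContainer in a
values.yaml-style structure (added example; values are constructed)."""

# Capabilities this example treats as high-risk for an ordinary app
# container. This list is the example's own, not enforced by the chart.
HIGH_RISK_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                  "DAC_READ_SEARCH"}


def lint_security_context(name, sc):
    """Return (container, key, message) findings for one securityContext."""
    findings = []

    def flag(key, msg):
        findings.append((name, key, msg))

    if sc.get("privileged") is True:
        flag("privileged", "runs privileged; near-equivalent to root on the node")
    # Kubernetes defaults allowPrivilegeEscalation to true when unset.
    if sc.get("allowPrivilegeEscalation") is not False:
        flag("allowPrivilegeEscalation",
             "not explicitly false; setuid binaries may gain privileges")
    if sc.get("runAsNonRoot") is not True:
        flag("runAsNonRoot", "not true; kubelet will not reject a root image")
    if sc.get("runAsUser") == 0:
        flag("runAsUser", "explicit UID 0")
    if sc.get("readOnlyRootFilesystem") is not True:
        flag("readOnlyRootFilesystem", "root filesystem is writable")

    caps = sc.get("capabilities") or {}
    added = set(caps.get("add") or [])
    dropped = set(caps.get("drop") or [])
    if "ALL" not in dropped:
        flag("capabilities.drop", "does not drop ALL; default capability set kept")
    risky = sorted(added & HIGH_RISK_CAPS)
    if risky:
        flag("capabilities.add", "adds high-risk capabilities: " + ", ".join(risky))

    seccomp = sc.get("seccompProfile") or {}
    stype = seccomp.get("type")
    if stype in (None, "Unconfined"):
        flag("seccompProfile.type", "no seccomp filter (missing or Unconfined)")
    elif stype == "Localhost" and not seccomp.get("profile"):
        flag("seccompProfile.profile", "type Localhost needs a profile path")
    return findings


def lint_values(values):
    """Walk workload.$name.podSpec.{containers,initContainers}.$name and
    collect findings for every container found."""
    findings = []
    for wl_name, wl in (values.get("workload") or {}).items():
        pod_spec = wl.get("podSpec") or {}
        for kind in ("containers", "initContainers"):
            for c_name, c in (pod_spec.get(kind) or {}).items():
                label = "%s/%s/%s" % (wl_name, kind, c_name)
                findings.extend(
                    lint_security_context(label, c.get("securityContext") or {}))
    return findings


# Constructed: mirrors the page's full example.
HARDENED_VALUES = {"workload": {"workload-name": {
    "enabled": True, "primary": True,
    "podSpec": {"containers": {"container-name": {
        "enabled": True, "primary": True,
        "securityContext": {
            "runAsNonRoot": True, "runAsUser": 568, "runAsGroup": 568,
            "readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False, "privileged": False,
            "seccompProfile": {"type": "Localhost",
                               "profile": "path/to/profile.json"},
            "capabilities": {"add": [], "drop": ["ALL"]}}}}}}}}

# Constructed counter-example: a loosened container plus a bare init container.
WEAK_VALUES = {"workload": {"workload-name": {"podSpec": {
    "containers": {"app": {"securityContext": {
        "runAsUser": 0, "privileged": True,
        "capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"], "drop": []},
        "seccompProfile": {"type": "Unconfined"}}}},
    "initContainers": {"init": {"securityContext": {}}}}}}}

if __name__ == "__main__":
    for container, key, msg in lint_values(WEAK_VALUES):
        print("%s: %s: %s" % (container, key, msg))
```

Run it against a real `values.yaml` by loading the file with a YAML parser and passing the resulting dict to `lint_values`; an empty result means every container matches the hardened shape shown in the full example.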