Security Context

  • .Values.securityContext
```yaml
securityContext:
  container:
    PUID: 568
    UMASK: "002"
    runAsNonRoot: true
    runAsUser: 568
    runAsGroup: 568
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    privileged: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      add: []
      drop:
        - ALL
  pod:
    fsGroup: 568
    fsGroupChangePolicy: OnRootMismatch
    supplementalGroups: []
    sysctls: []
```

Defines the security context for the container. Can be overridden at container level.

See Container Security Context

Default

```yaml
securityContext:
  container:
    PUID: 568
    UMASK: "002"
    runAsNonRoot: true
    runAsUser: 568
    runAsGroup: 568
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    privileged: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      add: []
      drop:
        - ALL
```

See Container Fixed Env PUID

Default

```yaml
securityContext:
  container:
    PUID: 568
```

See Container Fixed Env UMASK

Default

```yaml
securityContext:
  container:
    UMASK: "002"
```

See Container Run As Non Root

Default

```yaml
securityContext:
  container:
    runAsNonRoot: true
```

See Container Run As User

Default

```yaml
securityContext:
  container:
    runAsUser: 568
```

See Container Run As Group

Default

```yaml
securityContext:
  container:
    runAsGroup: 568
```

securityContext.container.readOnlyRootFilesystem

See Container Read Only Root Filesystem

Default

```yaml
securityContext:
  container:
    readOnlyRootFilesystem: true
```

securityContext.container.allowPrivilegeEscalation

See Container Allow Privilege Escalation

Default

```yaml
securityContext:
  container:
    allowPrivilegeEscalation: false
```

See Container Privileged

Default

```yaml
securityContext:
  container:
    privileged: false
```

See Container Seccomp Profile

Default

```yaml
securityContext:
  container:
    seccompProfile:
      type: RuntimeDefault
```

securityContext.container.seccompProfile.type

See Container Seccomp Profile Type

Default

```yaml
securityContext:
  container:
    seccompProfile:
      type: RuntimeDefault
```

securityContext.container.seccompProfile.profile

See Container Seccomp Profile Profile

Default

```yaml
securityContext:
  container:
    seccompProfile:
      profile: ""
```

See Container Capabilities

Default

```yaml
securityContext:
  container:
    capabilities:
      add: []
      drop:
        - ALL
```

securityContext.container.capabilities.add

See Container Capabilities Add

Default

```yaml
securityContext:
  container:
    capabilities:
      add: []
```

securityContext.container.capabilities.drop

See Container Capabilities Drop

Default

```yaml
securityContext:
  container:
    capabilities:
      drop:
        - ALL
```

Defines the security context for the pod. Can be overridden at pod level.

See Pod Security Context

Default

```yaml
securityContext:
  pod:
    fsGroup: 568
    fsGroupChangePolicy: OnRootMismatch
    supplementalGroups: []
    sysctls: []
```

See Pod FS Group

Default

```yaml
securityContext:
  pod:
    fsGroup: 568
```

See Pod FS Group Change Policy

Default

```yaml
securityContext:
  pod:
    fsGroupChangePolicy: OnRootMismatch
```

See Pod Supplemental Groups

Default

```yaml
securityContext:
  pod:
    supplementalGroups: []
```

See Pod Sysctls

Default

```yaml
securityContext:
  pod:
    sysctls: []
```

```yaml
securityContext:
  container:
    PUID: 568
    UMASK: "002"
    runAsNonRoot: true
    runAsUser: 568
    runAsGroup: 568
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    privileged: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      add:
        - SYS_ADMIN
        - SYS_PTRACE
      drop:
        - ALL
  pod:
    fsGroup: 568
    fsGroupChangePolicy: OnRootMismatch
    supplementalGroups:
      - 568
      - 1000
    sysctls:
      - name: net.ipv4.ip_unprivileged_port_start
        value: "0"
```
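The override above keeps every hardened default except that it adds `SYS_ADMIN` and `SYS_PTRACE`, which is exactly the kind of drift worth catching before a chart is deployed. The following audit script is an added example, not part of this chart or its documentation: it compares a values `securityContext` block against the defaults listed on this page and reports each setting that is weaker. The values are given as a Python dict mirroring the YAML above (constructed for the example, so no YAML parser is needed); the set of high-risk capabilities is an assumption chosen for the example, and the "safe" sysctl list follows the Kubernetes documentation.

```python
"""Audit a TrueCharts-style securityContext block against the hardened defaults this page documents."""
from typing import Any

# Container defaults as documented on this page (PUID/UMASK are env settings and are not audited here).
DEFAULT_CONTAINER: dict[str, Any] = {
    "runAsNonRoot": True, "runAsUser": 568, "runAsGroup": 568,
    "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False, "privileged": False,
    "seccompProfile": {"type": "RuntimeDefault"},
    "capabilities": {"add": [], "drop": ["ALL"]},
}
# Capabilities that let a process reach outside its container; this list is an assumption for the example.
HIGH_RISK_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO", "NET_ADMIN", "DAC_READ_SEARCH", "BPF"}
# Sysctls Kubernetes classifies as "safe" (namespaced, no effect on other pods); anything else is flagged.
SAFE_SYSCTLS = {"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range", "net.ipv4.tcp_syncookies",
                "net.ipv4.ping_group_range", "net.ipv4.ip_unprivileged_port_start"}


def audit_security_context(values: dict[str, Any]) -> list[str]:
    """Return one finding per setting weaker than the chart default. Unset keys inherit the default."""
    findings: list[str] = []
    ctr = values.get("securityContext", {}).get("container", {})
    pod = values.get("securityContext", {}).get("pod", {})
    for key in ("runAsNonRoot", "readOnlyRootFilesystem", "allowPrivilegeEscalation", "privileged"):
        val = ctr.get(key, DEFAULT_CONTAINER[key])
        if val != DEFAULT_CONTAINER[key]:
            findings.append(f"container.{key}={val} (default {DEFAULT_CONTAINER[key]})")
    if ctr.get("runAsUser", 568) == 0 or ctr.get("runAsGroup", 568) == 0:
        findings.append("container runs as uid or gid 0")
    if ctr.get("seccompProfile", DEFAULT_CONTAINER["seccompProfile"]).get("type") == "Unconfined":
        findings.append("container.seccompProfile.type=Unconfined")
    caps = ctr.get("capabilities", {})
    if "ALL" not in caps.get("drop", ["ALL"]):
        findings.append(f"capabilities.drop lacks ALL (got {caps.get('drop')})")
    for cap in sorted(set(caps.get("add", [])) & HIGH_RISK_CAPS):
        findings.append(f"capabilities.add grants high-risk capability {cap}")
    for s in pod.get("sysctls", []):
        if s.get("name") not in SAFE_SYSCTLS:
            findings.append(f"pod.sysctls sets unsafe sysctl {s.get('name')}")
    return findings


# Constructed input mirroring the override example on this page.
EXAMPLE_VALUES: dict[str, Any] = {"securityContext": {
    "container": {"capabilities": {"add": ["SYS_ADMIN", "SYS_PTRACE"], "drop": ["ALL"]}},
    "pod": {"supplementalGroups": [568, 1000],
            "sysctls": [{"name": "net.ipv4.ip_unprivileged_port_start", "value": "0"}]},
}}

if __name__ == "__main__":
    for line in audit_security_context(EXAMPLE_VALUES):
        print(line)
```

Run against the override above it reports only the two added capabilities; the `ip_unprivileged_port_start` sysctl is on the Kubernetes safe list and the supplemental groups do not weaken the defaults.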