Commit
Commit 4017642 (1 parent: c69b0c5)
Showing 1 changed file with 58 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
/////////////////////////////////////////////////////////////////////////////// | ||
|
||
Copyright (c) 2020, Oracle and/or its affiliates. | ||
Licensed under the Universal Permissive License v 1.0 as shown at | ||
http://oss.oracle.com/licenses/upl. | ||
|
||
/////////////////////////////////////////////////////////////////////////////// | ||
= Pod & Container SecurityContext | ||
== Pod & Container SecurityContext | ||
Kubernetes allows you to configure a https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Security Context] for both Pods and Containers. The Coherence CRD exposes both of these to allow you to set the security context configuration for the Coherence Pods and for the Coherence containers withing the Pods. | ||
For more details see the Kubernetes https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Security Context] documentation. | ||
=== Setting the Pod Security Context | ||
To specify security settings for a Pod, include the `securityContext` field in the Coherence resource specification. | ||
The securityContext field is a https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#podsecuritycontext-v1-core[PodSecurityContext] object. The security settings that you specify for a Pod apply to all Containers in the Pod. Here is a configuration file for a Pod that has a securityContext: | ||
[source,yaml] | ||
---- | ||
apiVersion: coherence.oracle.com/v1 | ||
kind: Coherence | ||
metadata: | ||
name: test | ||
spec: | ||
securityContext: | ||
runAsUser: 1000 | ||
runAsGroup: 3000 | ||
fsGroup: 2000 | ||
---- | ||
=== Setting the Coherence Container Security Context | ||
To specify security settings for the Coherence container within the Pods, include the `containerSecurityContext` field in the Container manifest. The `containerSecurityContext` field is a https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#securitycontext-v1-core[SecurityContext] object. | ||
Security settings that you specify in the `containerSecurityContext` field apply only to the individual Coherence container and the Operator utils init-container, and they override settings made at the Pod level in the `securityContext` field when there is overlap. Container settings do not affect the Pod's Volumes. | ||
Here is the configuration file for a Coherence resource that has both the Pod and the container security context: | ||
[source,yaml] | ||
---- | ||
apiVersion: coherence.oracle.com/v1 | ||
kind: Coherence | ||
metadata: | ||
name: test | ||
spec: | ||
securityContext: | ||
runAsUser: 1000 | ||
runAsGroup: 3000 | ||
fsGroup: 2000 | ||
containerSecurityContext: | ||
runAsUser: 2000 | ||
allowPrivilegeEscalation: false | ||
capabilities: | ||
add: ["NET_ADMIN", "SYS_TIME"] | ||
---- |
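Review bot: the container example's `capabilities:` / `add: ["NET_ADMIN", "SYS_TIME"]` lines appear to be copied from the linked Kubernetes Security Context documentation; the page gives no reason a Coherence container would need either capability, and adding them right next to `allowPrivilegeEscalation: false` sends a mixed message on a page about hardening. Suggest a least-privilege example instead, e.g. `capabilities:` / `drop: ["ALL"]`, or dropping the capabilities block from the example. Two smaller points: in the "Setting the Coherence Container Security Context" section, "include the `containerSecurityContext` field in the Container manifest" should say the field goes in the Coherence resource `spec`, as the YAML that follows shows (the CRD has no separate Container manifest); and "withing the Pods" in the introductory paragraph is a typo for "within".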