COH-24092 Add documentation
thegridman committed Sep 3, 2021
1 parent c69b0c5 commit 4017642
Showing 1 changed file with 58 additions and 0 deletions.
58 changes: 58 additions & 0 deletions docs/other/045_security_context.adoc
@@ -0,0 +1,58 @@
///////////////////////////////////////////////////////////////////////////////

Copyright (c) 2020, Oracle and/or its affiliates.
Licensed under the Universal Permissive License v 1.0 as shown at
http://oss.oracle.com/licenses/upl.

///////////////////////////////////////////////////////////////////////////////
= Pod & Container SecurityContext
== Pod & Container SecurityContext
Kubernetes allows you to configure a https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Security Context] for both Pods and Containers. The Coherence CRD exposes both of these to allow you to set the security context configuration for the Coherence Pods and for the Coherence containers withing the Pods.
For more details see the Kubernetes https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Security Context] documentation.
=== Setting the Pod Security Context
To specify security settings for a Pod, include the `securityContext` field in the Coherence resource specification.
The securityContext field is a https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#podsecuritycontext-v1-core[PodSecurityContext] object. The security settings that you specify for a Pod apply to all Containers in the Pod. Here is a configuration file for a Pod that has a securityContext:
[source,yaml]
----
apiVersion: coherence.oracle.com/v1
kind: Coherence
metadata:
name: test
spec:
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
----
=== Setting the Coherence Container Security Context
To specify security settings for the Coherence container within the Pods, include the `containerSecurityContext` field in the Container manifest. The `containerSecurityContext` field is a https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#securitycontext-v1-core[SecurityContext] object.
Security settings that you specify in the `containerSecurityContext` field apply only to the individual Coherence container and the Operator utils init-container, and they override settings made at the Pod level in the `securityContext` field when there is overlap. Container settings do not affect the Pod's Volumes.
Here is the configuration file for a Coherence resource that has both the Pod and the container security context:
[source,yaml]
----
apiVersion: coherence.oracle.com/v1
kind: Coherence
metadata:
name: test
spec:
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
containerSecurityContext:
runAsUser: 2000
allowPrivilegeEscalation: false
capabilities:
add: ["NET_ADMIN", "SYS_TIME"]
----
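Review bot: the paragraph introducing `containerSecurityContext` tells the reader to include the field "in the Container manifest", but in the YAML that follows it sits under `spec` of the `Coherence` resource, next to `securityContext`, so the text should say the Coherence resource specification (the wording already used in the Pod section); the same hunk also has "withing" for "within" in the opening paragraph. The second example adds `NET_ADMIN` and `SYS_TIME` (copied from the upstream Kubernetes page), which grant the Coherence container control of the network stack and system clock; in a page whose purpose is showing how to constrain the container, an example that restricts rather than extends privileges would be more useful, e.g. `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, or a sentence saying the added capabilities are purely illustrative. Finally, since the text states the container settings also apply to the Operator utils init-container, it is worth one sentence on why that matters (the init-container writes into the shared volume before the Coherence container starts), so readers setting `runAsUser` know both containers are affected.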
