|
| 1 | +/////////////////////////////////////////////////////////////////////////////// |
| 2 | + |
| 3 | + Copyright (c) 2020, Oracle and/or its affiliates. |
| 4 | + Licensed under the Universal Permissive License v 1.0 as shown at |
| 5 | + http://oss.oracle.com/licenses/upl. |
| 6 | + |
| 7 | +/////////////////////////////////////////////////////////////////////////////// |
| 8 | +
|
| 9 | += Pod & Container SecurityContext |
| 10 | +
|
| 11 | +== Pod & Container SecurityContext |
| 12 | +
|
| 13 | +Kubernetes allows you to configure a https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Security Context] for both Pods and Containers. The Coherence CRD exposes both of these to allow you to set the security context configuration for the Coherence Pods and for the Coherence containers withing the Pods. |
| 14 | +
|
| 15 | +For more details see the Kubernetes https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Security Context] documentation. |
| 16 | +
|
| 17 | +=== Setting the Pod Security Context |
| 18 | +
|
| 19 | +To specify security settings for a Pod, include the `securityContext` field in the Coherence resource specification. |
| 20 | +The securityContext field is a https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#podsecuritycontext-v1-core[PodSecurityContext] object. The security settings that you specify for a Pod apply to all Containers in the Pod. Here is a configuration file for a Pod that has a securityContext: |
| 21 | +
|
| 22 | +[source,yaml] |
| 23 | +---- |
| 24 | +apiVersion: coherence.oracle.com/v1 |
| 25 | +kind: Coherence |
| 26 | +metadata: |
| 27 | + name: test |
| 28 | +spec: |
| 29 | + securityContext: |
| 30 | + runAsUser: 1000 |
| 31 | + runAsGroup: 3000 |
| 32 | + fsGroup: 2000 |
| 33 | +---- |
| 34 | +
|
| 35 | +=== Setting the Coherence Container Security Context |
| 36 | +
|
| 37 | +To specify security settings for the Coherence container within the Pods, include the `containerSecurityContext` field in the Container manifest. The `containerSecurityContext` field is a https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#securitycontext-v1-core[SecurityContext] object. |
| 38 | +Security settings that you specify in the `containerSecurityContext` field apply only to the individual Coherence container and the Operator utils init-container, and they override settings made at the Pod level in the `securityContext` field when there is overlap. Container settings do not affect the Pod's Volumes. |
| 39 | +
|
| 40 | +Here is the configuration file for a Coherence resource that has both the Pod and the container security context: |
| 41 | +
|
| 42 | +[source,yaml] |
| 43 | +---- |
| 44 | +apiVersion: coherence.oracle.com/v1 |
| 45 | +kind: Coherence |
| 46 | +metadata: |
| 47 | + name: test |
| 48 | +spec: |
| 49 | + securityContext: |
| 50 | + runAsUser: 1000 |
| 51 | + runAsGroup: 3000 |
| 52 | + fsGroup: 2000 |
| 53 | + containerSecurityContext: |
| 54 | + runAsUser: 2000 |
| 55 | + allowPrivilegeEscalation: false |
| 56 | + capabilities: |
| 57 | + add: ["NET_ADMIN", "SYS_TIME"] |
| 58 | +---- |
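Review bot: Line 37 tells the reader to put `containerSecurityContext` "in the Container manifest", but the example at lines 48-57 (and the Pod-level text at line 19) shows it as a field of the Coherence resource `spec`, next to `securityContext`; rewording line 37 to "include the `containerSecurityContext` field in the Coherence resource specification" keeps the two sections consistent and avoids readers looking for a separate container manifest. On the example itself, lines 56-57 (`capabilities:` / `add: ["NET_ADMIN", "SYS_TIME"]`) demonstrate the override mechanism by granting two powerful capabilities, and documentation examples tend to be copied as-is; since the surrounding text makes no case for Coherence needing either, consider showing the override with a restrictive setting instead (for example `runAsNonRoot: true` or `capabilities: { drop: ["ALL"] }` alongside the existing `allowPrivilegeEscalation: false`), so the page models least privilege rather than privilege grants. Smaller points: "withing" at line 13 should be "within"; line 20 writes "securityContext" and "Here is a configuration file for a Pod" where line 19 uses backticked `securityContext` and the YAML is a Coherence resource, not a Pod, so "a Coherence resource that has a `securityContext`" would match line 40.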