Currently the only way to set container security context for the deployments is via anchoreGlobal.containerSecurityContext. While this is useful for a lot of things ("sane" default security) there are also cases where it falls short and you may want a more specific/locked down securityContext applied to a specific container, or more permissive applied to another.
Example deployment for reference: https://github.com/anchore/anchore-charts/blob/main/stable/anchore-engine/templates/api_deployment.yaml#L108-L111
What I would suggest we do is continue to allow for an anchoreGlobal value to set all container security contexts, but also allow (at minimum) a deployment specific option (i.e. anchoreApi.containerSecurityContext). This could easily be expanded if you want even more fine grained control over each container in a given deployment, but in my opinion a deployment wide setting should be sufficient for the "90%" use case.
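A sketch of the fallback requested in this issue, added here as an illustration and not taken from the anchore-charts repository or written by the issue author. It assumes anchoreApi.containerSecurityContext is the proposed (not yet existing) key; the container name, template layout and securityContext field values are constructed for the example.

```yaml
# values.yaml (constructed sample values)
anchoreGlobal:
  # Baseline applied to every container that sets no override of its own.
  containerSecurityContext:
    runAsNonRoot: true
    allowPrivilegeEscalation: false

anchoreApi:
  # Proposed per-deployment key (assumption). Leaving it unset or {} makes the
  # template below fall back to anchoreGlobal.containerSecurityContext.
  containerSecurityContext:
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]

# templates/api_deployment.yaml (container spec fragment, assumed layout)
#
# Helm's `default` returns the global map when the per-deployment map is
# empty or unset. The override replaces the global map as a whole; the two
# maps are not merged, so a deployment-level value must repeat every baseline
# field that should still apply (runAsNonRoot and allowPrivilegeEscalation
# above). An empty override cannot be used to clear the global setting.
      containers:
        - name: anchore-api  # hypothetical container name
          {{- with (default .Values.anchoreGlobal.containerSecurityContext .Values.anchoreApi.containerSecurityContext) }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
```

Rendering the chart with helm template and reading the securityContext of each container shows which of the two maps was applied.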