aquasecurity / aqua-helm

Helm Charts For Installing Aqua Security Components
http://aquasec.com
Apache License 2.0

Inquiry About Configuring runAsUser and runAsNonRoot in Aqua Security Helm Chart (Enforcer) #859

Open idontwanttousemycompanyaccount opened 2 months ago

idontwanttousemycompanyaccount commented 2 months ago

Dear Aqua Team,

I am currently in the process of deploying the Aqua Security Enforcer via your official Helm chart and am focusing on aligning the deployment with our organization's security best practices. Specifically, I am interested in configuring the Enforcer pods to run as a non-root user with a specific user ID.

Could you please provide guidance on whether the following settings can be directly configured through your Helm chart values:

- Setting the runAsUser to a specific user ID (e.g., 1001) to ensure the pod operates with limited system permissions.
- Enabling runAsNonRoot to true to ensure that the pod does not run as the root user under any circumstance.

Additionally, if these configurations are supported:

- Are there any specific prerequisites or considerations we should be aware of regarding the underlying Docker image or Kubernetes environment?
- Could you also guide us on how to properly set these values in the Helm values.yaml file or through command-line overrides during

e.g.:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aqua-enforcer
  namespace: aqua
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aqua-enforcer
  template:
    metadata:
      labels:
        app: aqua-enforcer
    spec:
      containers:
```

Thank you for your support and looking forward to your guidance.

semyonmor commented 1 month ago

You can define the container securityContext (https://github.com/aquasecurity/aqua-helm/blob/bbec888248610b7da536a6894d13272814094064/enforcer/templates/enforcer-daemonset.yaml#L61) using the section below in values.yaml, adding any required and supported values: https://github.com/aquasecurity/aqua-helm/blob/bbec888248610b7da536a6894d13272814094064/enforcer/values.yaml#L84

And for the pod securityContext (https://github.com/aquasecurity/aqua-helm/blob/bbec888248610b7da536a6894d13272814094064/enforcer/templates/enforcer-daemonset.yaml#L59), use the section below in values.yaml: https://github.com/aquasecurity/aqua-helm/blob/bbec888248610b7da536a6894d13272814094064/enforcer/values.yaml#L150
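An added check for use after the chart has been rendered or deployed, not code from the aqua-helm project: given the DaemonSet as `kubectl get daemonset aqua-enforcer -n aqua -o json` returns it, it works out the runAsUser / runAsNonRoot each container actually gets (a container-level securityContext overrides the pod-level one field by field) and flags the combinations the kubelet rejects, such as runAsNonRoot: true on a container that resolves to UID 0 or to an image whose USER is not a numeric non-root value. The sample object, its container names and UIDs are constructed, not the chart's real defaults.

```python
import json

# Constructed sample in the shape `kubectl get daemonset aqua-enforcer -n aqua -o json`
# returns; container names, UIDs and flags are illustrative, not the chart's real
# defaults, and the second container exists only to show a failing combination.
SAMPLE_DAEMONSET = json.loads("""
{"kind": "DaemonSet",
 "metadata": {"name": "aqua-enforcer", "namespace": "aqua"},
 "spec": {"template": {"spec": {
   "securityContext": {"runAsNonRoot": true},
   "containers": [
     {"name": "enforcer", "securityContext": {"runAsUser": 1001}},
     {"name": "helper", "securityContext": {"runAsUser": 0, "privileged": true}}
   ]}}}}
""")


def effective_security_contexts(workload):
    """Per container, the runAsUser / runAsNonRoot / privileged values Kubernetes
    actually applies: container-level securityContext fields override the
    pod-level ones field by field, and privileged exists only at container level."""
    pod_spec = workload["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext") or {}
    out = {}
    for c in pod_spec.get("containers", []):
        c_sc = c.get("securityContext") or {}
        out[c["name"]] = {
            "runAsUser": c_sc.get("runAsUser", pod_sc.get("runAsUser")),
            "runAsNonRoot": c_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")),
            "privileged": bool(c_sc.get("privileged", False)),
        }
    return out


def audit_nonroot(workload):
    """(container, finding) pairs for settings that miss the non-root goal or
    that the kubelet rejects when it creates the container."""
    findings = []
    for name, sc in effective_security_contexts(workload).items():
        uid, nonroot = sc["runAsUser"], sc["runAsNonRoot"]
        if nonroot and uid == 0:
            findings.append((name, "runAsNonRoot=true with runAsUser=0: kubelet refuses to start it"))
        elif nonroot and uid is None:
            findings.append((name, "UID comes from the image USER, which must be a numeric non-root value"))
        elif not nonroot and not uid:
            findings.append((name, "may run as root: set runAsNonRoot=true and a non-zero runAsUser"))
        if sc["privileged"]:
            findings.append((name, "privileged=true: a non-root UID does not restore the isolation it removes"))
    return findings
```

Feed the real object with `audit_nonroot(json.load(open("enforcer-ds.json")))` after exporting it with kubectl, or run it over each DaemonSet in `helm template` output converted to JSON.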