@@ -50,6 +50,33 @@ coder:
5050# coder.serviceAccount.name -- The service account name
5151name :coder
5252
53+ # coder.securityContext -- Fields related to the container's security
54+ # context (as opposed to the pod). Some fields are also present in the pod
55+ # security context, in which case these values will take precedence.
56+ securityContext :
57+ # coder.securityContext.runAsNonRoot -- Requires that the coder container
58+ # runs as an unprivileged user. If setting runAsUser to 0 (root), this
59+ # will need to be set to false.
60+ runAsNonRoot :true
61+ # coder.securityContext.runAsUser -- Sets the user id of the pod.
62+ # For security reasons, we recommend using a non-root user.
63+ runAsUser :1000
64+ # coder.securityContext.runAsGroup -- Sets the group id of the pod.
65+ # For security reasons, we recommend using a non-root group.
66+ runAsGroup :1000
67+ # coder.securityContext.readOnlyRootFilesystem -- Mounts the container's
68+ # root filesystem as read-only. It is recommended to leave this setting
69+ # enabled in production. This will override the same setting in the pod
70+ readOnlyRootFilesystem :true
71+ # coder.securityContext.seccompProfile -- Sets the seccomp profile for
72+ # the coder container.
73+ seccompProfile :
74+ type :RuntimeDefault
75+ # coder.securityContext.allowPrivilegeEscalation -- Controls whether
76+ # the container can gain additional privileges, such as escalating to
77+ # root. It is recommended to leave this setting disabled in production.
78+ allowPrivilegeEscalation :false
79+
5380# coder.env -- The environment variables to set for Coder. These can be used
5481# to configure all aspects of `coder server`. Please see `coder server --help`
5582# for information about what environment variables can be set.