Configuring SecurityContext for Deployments and Jobs

Last updated: April 23, 2025

This article explains how to configure security settings for containers in your deployments and jobs.

Default Security Settings

By default, our deployments include several security-focused settings:

  • Read-only root filesystem (readOnlyRootFilesystem), enabled by default unless a component explicitly requires a writable filesystem

  • All Linux capabilities dropped, except where a component requires a specific capability (e.g. the gateway needs NET_BIND_SERVICE to bind privileged ports)

Configuring RunAs Settings

To configure container-level security settings like runAsUser, runAsGroup, and runAsNonRoot, use the following configuration path in your settings:

deployments.<deployment-name>.init-containers.<container-name>.run-as

Example Configuration

Here's an example of security context settings you can apply:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL   # "ALL" is the spelling Kubernetes and Pod Security Admission expect
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 1000
  runAsNonRoot: true
  runAsUser: 1000
  seccompProfile:
    type: RuntimeDefault

Service Account Token

To disable automatic service account token mounting for components like the gateway, you can set:

automountServiceAccountToken: false

Components that never call the Kubernetes API do not need the token, and leaving it unmounted removes an API credential from the container filesystem.
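The settings above are easy to get right in one container and forget in another, especially in init containers. The following is an added example, not part of this documentation or the product's configuration: a small Python audit that walks a Deployment or Job pod template and reports every container that deviates from the defaults listed on this page (read-only root filesystem, all capabilities dropped, non-root user, no privilege escalation, RuntimeDefault seccomp) and flags a pod that still mounts the service account token. The manifest is a constructed sample; the helper names (audit_container, audit_pod_spec, ALLOWED_ADDS) and the per-container capability allowlist are assumptions for illustration.

```python
"""Audit a Kubernetes pod template against the hardening defaults described above.

Added example. SAMPLE_DEPLOYMENT is a hand-constructed manifest (as a dict, so no
YAML library is needed); the function and constant names are hypothetical.
"""

# Constructed sample: the main container follows the defaults, but the init
# container keeps a writable root filesystem and omits runAsNonRoot.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "gateway"},
    "spec": {
        "template": {
            "spec": {
                "automountServiceAccountToken": False,
                "initContainers": [
                    {
                        "name": "init-config",
                        "image": "example.invalid/init:1.0",  # constructed image name
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]},
                            "privileged": False,
                            "readOnlyRootFilesystem": False,
                            "runAsUser": 1000,
                            "runAsGroup": 1000,
                            "seccompProfile": {"type": "RuntimeDefault"},
                        },
                    }
                ],
                "containers": [
                    {
                        "name": "gateway",
                        "image": "example.invalid/gateway:1.0",  # constructed image name
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                            "privileged": False,
                            "readOnlyRootFilesystem": True,
                            "runAsNonRoot": True,
                            "runAsUser": 1000,
                            "runAsGroup": 1000,
                            "seccompProfile": {"type": "RuntimeDefault"},
                        },
                    }
                ],
            }
        }
    },
}

# Capabilities a named container may add back (assumed allowlist; the page
# states that the gateway needs NET_BIND_SERVICE).
ALLOWED_ADDS = {"gateway": {"NET_BIND_SERVICE"}}


def audit_container(container, allowed_adds):
    """Return a list of findings for one container or init container."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    findings = []
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation must be false")
    if sc.get("privileged") is True:
        findings.append(f"{name}: privileged containers are not allowed")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: readOnlyRootFilesystem should be true")
    # Compare capability names upper-case; the Kubernetes spelling is "ALL".
    dropped = {c.upper() for c in caps.get("drop", [])}
    if "ALL" not in dropped:
        findings.append(f"{name}: capabilities.drop must include ALL")
    extra = {c.upper() for c in caps.get("add", [])} - allowed_adds.get(name, set())
    if extra:
        findings.append(f"{name}: unexpected added capabilities {sorted(extra)}")
    if sc.get("runAsNonRoot") is not True:
        findings.append(f"{name}: runAsNonRoot should be true")
    if sc.get("runAsUser") == 0:
        findings.append(f"{name}: runAsUser must not be 0")
    if (sc.get("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append(f"{name}: seccompProfile.type should be RuntimeDefault")
    return findings


def audit_pod_spec(workload, allowed_adds=ALLOWED_ADDS):
    """Walk a Deployment or Job pod template and collect findings for every container."""
    pod_spec = workload["spec"]["template"]["spec"]
    findings = []
    # The token can also be disabled on the ServiceAccount object itself; this
    # check only sees the pod-level setting.
    if pod_spec.get("automountServiceAccountToken") is not False:
        findings.append("pod: automountServiceAccountToken should be false")
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        findings.extend(audit_container(c, allowed_adds))
    return findings


if __name__ == "__main__":
    for line in audit_pod_spec(SAMPLE_DEPLOYMENT):
        print(line)
```

Run against the sample, the audit reports two findings, both on the init container (writable root filesystem and missing runAsNonRoot), while the gateway passes because its single added capability is on the allowlist. Init containers are checked with the same rules as regular containers on purpose: they run with the same pod identity and their securityContext is configured through the run-as path shown earlier.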

For detailed configuration options, refer to our configuration reference documentation.