Security Contexts
Security Contexts define privilege and access control settings for pods and containers in the MATIH platform. They control which user ID the container runs as, whether it can escalate privileges, filesystem access permissions, and Linux capabilities.
Pod Security Context vs. Container Security Context
| Setting Level | Applies To | Scope |
|---|---|---|
Pod-level (securityContext) | All containers in the pod | UID, GID, fsGroup, sysctls |
Container-level (securityContext) | Individual container | Capabilities, read-only FS, privilege escalation |
Standard Security Context
The MATIH platform defines a standard security context applied to most services:
# Pod-level security context
podSecurityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
# Container-level security context
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALLService-Specific Overrides
Some services require non-standard security contexts due to upstream image requirements:
| Service | runAsUser | runAsNonRoot | readOnlyRootFS | Reason |
|---|---|---|---|---|
| AI Service | 1000 | true | true | Standard Python app |
| Query Engine | 1000 | true | true | Standard Java app |
| API Gateway | 1000 | true | true | Standard Java app |
| PostgreSQL | 999 | true | false | postgres user, needs write access |
| Redis | 999 | true | false | redis user, AOF persistence |
| Kafka | 1001 | true | false | kafka user, log segments |
| MongoDB | 999 | true | false | mongodb user |
| StarRocks | 0 | false | false | Requires root (upstream limitation) |
Verifying Container UID
Before setting security contexts, the actual container UID must be verified:
# Verification is done during chart development
# See CLAUDE.md Rule 2: VERIFY Container UID/GIDIf the container UID does not match the security context runAsUser, the pod will fail with CreateContainerConfigError and the message container has runAsNonRoot and image will run as root.
Helm Values Configuration
Security contexts are configured through Helm values:
# values.yaml (base defaults)
podSecurityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
# values-dev.yaml (development overrides for third-party images)
podSecurityContext:
runAsNonRoot: false # Override if image requires rootHelm Deep Merge Considerations
When overriding security contexts in environment-specific values files, be aware of Helm deep merge behavior:
- If base
values.yamlsetsrunAsGroup: 1000and dev override only setsrunAsUser: 0, the merged result will have bothrunAsUser: 0ANDrunAsGroup: 1000 - Always override ALL security context fields together to prevent value leakage
Writable Directories
For containers with readOnlyRootFilesystem: true, writable directories are provided via emptyDir volumes:
volumeMounts:
- name: tmp
mountPath: /tmp
- name: cache
mountPath: /home/appuser/.cache
volumes:
- name: tmp
emptyDir: {}
- name: cache
emptyDir:
sizeLimit: 100MiCommon Issues
| Error | Cause | Fix |
|---|---|---|
CreateContainerConfigError: runAsNonRoot | Image runs as root (UID 0) | Set runAsNonRoot: false or rebuild image |
Permission denied writing to filesystem | readOnlyRootFilesystem: true | Add emptyDir volume for writable paths |
Operation not permitted | Capability dropped | Add required capability to capabilities.add |
fsGroup permission errors | Incorrect fsGroup | Match fsGroup to the container GID |