Pod and container security

The WebLogic Kubernetes Operator enforces pod and container security best practices for the pods and containers that the operator creates for WebLogic Server instances, the init container for auxiliary images, sidecar containers for Fluentd or the WebLogic Monitoring Exporter, and the introspection job.

The operator adds the following pod-level securityContext content:

securityContext:
  seccompProfile:
    type: RuntimeDefault 

The operator also adds the following container-level securityContext content to each container:

securityContext:
  runAsUser: 1000
  runAsNonRoot: true           
  privileged: false
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL

On OpenShift environments, the operator omits the runAsUser element.

Customers can configure pod and container generation for WebLogic Server instances using the serverPod element in the Domain resource. If specified, the operator will use the serverPod.podSecurityContext or serverPod.containerSecurityContext content from the Domain resource rather than using the default content shown previously.