cert-manager · MarcAntoineRaymond · Jan 10, 2026
diff --git a/deploy/charts/trust-manager/README.md b/deploy/charts/trust-manager/README.md
@@ -156,6 +156,20 @@ resources:
     cpu: 100m
     memory: 128Mi
 ```
+#### **defaultPackage.securityContext** ~ `object`
+> Default value:
+> ```yaml
+> allowPrivilegeEscalation: false
+> capabilities:
+>   drop:
+>   - ALL
+> readOnlyRootFilesystem: true
+> runAsNonRoot: true
+> seccompProfile:
+>   type: RuntimeDefault
+> ```
+
+Security Context to be set on the trust-manager default package init container. For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
 #### **defaultPackageImage.registry** ~ `string`
 
 Target image registry. This value is prepended to the target image repository, if set.  
@@ -276,6 +290,13 @@ resources:
     cpu: 100m
     memory: 128Mi
 ```
+#### **podSecurityContext** ~ `object`
+> Default value:
+> ```yaml
+> {}
+> ```
+
+Security Context to be set on the trust-manager Pod. For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
 #### **priorityClassName** ~ `string`
 > Default value:
 > ```yaml
@@ -426,13 +447,20 @@ The namespace used as the trust source. Note that the namespace _must_ exist bef
 
 List of target namespaces that trust-manager can write to. By default, trust-manager can write targets in any namespace.
 
-#### **app.securityContext.seccompProfileEnabled** ~ `bool`
+#### **app.securityContext** ~ `object`
 > Default value:
 > ```yaml
-> true
+> allowPrivilegeEscalation: false
+> capabilities:
+>   drop:
+>   - ALL
+> readOnlyRootFilesystem: true
+> runAsNonRoot: true
+> seccompProfile:
+>   type: RuntimeDefault
 > ```
 
-If false, disables the default seccomp profile, which might be required to run on certain platforms.
+Security Context to be set on the trust-manager app container. For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
 #### **app.podLabels** ~ `object`
 > Default value:
 > ```yaml

diff --git a/deploy/charts/trust-manager/templates/deployment.yaml b/deploy/charts/trust-manager/templates/deployment.yaml
@@ -51,17 +51,10 @@ spec:
         - mountPath: /packages
           name: packages
           readOnly: false
+        {{- with .Values.defaultPackage.securityContext }}
         securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          {{- if .Values.app.securityContext.seccompProfileEnabled }}
-          seccompProfile:
-            type: RuntimeDefault
-          {{- end }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         {{- if .Values.defaultPackage.resources }}
         resources:
           {{- toYaml .Values.defaultPackage.resources | nindent 10 }}
@@ -127,17 +120,14 @@ spec:
         {{- end }}
         resources:
           {{- toYaml .Values.resources | nindent 12 }}
+        {{- with .Values.app.securityContext }}
         securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          {{- if .Values.app.securityContext.seccompProfileEnabled }}
-          seccompProfile:
-            type: RuntimeDefault
-          {{- end }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.priorityClassName }}
       priorityClassName: "{{ . }}"
       {{- end }}

diff --git a/deploy/charts/trust-manager/values.schema.json b/deploy/charts/trust-manager/values.schema.json
@@ -57,6 +57,9 @@
         "podDisruptionBudget": {
           "$ref": "#/$defs/helm-values.podDisruptionBudget"
         },
+        "podSecurityContext": {
+          "$ref": "#/$defs/helm-values.podSecurityContext"
+        },
         "priorityClassName": {
           "$ref": "#/$defs/helm-values.priorityClassName"
         },
@@ -328,19 +331,22 @@
       "type": "number"
     },
     "helm-values.app.securityContext": {
-      "additionalProperties": false,
-      "properties": {
-        "seccompProfileEnabled": {
-          "$ref": "#/$defs/helm-values.app.securityContext.seccompProfileEnabled"
+      "default": {
+        "allowPrivilegeEscalation": false,
+        "capabilities": {
+          "drop": [
+            "ALL"
+          ]
+        },
+        "readOnlyRootFilesystem": true,
+        "runAsNonRoot": true,
+        "seccompProfile": {
+          "type": "RuntimeDefault"
         }
       },
+      "description": "Security Context to be set on the trust-manager app container. For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).",
       "type": "object"
     },
-    "helm-values.app.securityContext.seccompProfileEnabled": {
-      "default": true,
-      "description": "If false, disables the default seccomp profile, which might be required to run on certain platforms.",
-      "type": "boolean"
-    },
     "helm-values.app.targetNamespaces": {
       "description": "List of target namespaces that trust-manager can write to. By default, trust-manager can write targets in any namespace.",
       "items": {},
@@ -559,6 +565,9 @@
         },
         "resources": {
           "$ref": "#/$defs/helm-values.defaultPackage.resources"
+        },
+        "securityContext": {
+          "$ref": "#/$defs/helm-values.defaultPackage.securityContext"
         }
       },
       "type": "object"
@@ -573,6 +582,23 @@
       "description": "Kubernetes pod resource limits for default package init container.\n\nFor example:\nresources:\n  limits:\n    cpu: 100m\n    memory: 128Mi\n  requests:\n    cpu: 100m\n    memory: 128Mi",
       "type": "object"
     },
+    "helm-values.defaultPackage.securityContext": {
+      "default": {
+        "allowPrivilegeEscalation": false,
+        "capabilities": {
+          "drop": [
+            "ALL"
+          ]
+        },
+        "readOnlyRootFilesystem": true,
+        "runAsNonRoot": true,
+        "seccompProfile": {
+          "type": "RuntimeDefault"
+        }
+      },
+      "description": "Security Context to be set on the trust-manager default package init container. For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).",
+      "type": "object"
+    },
     "helm-values.defaultPackageImage": {
       "additionalProperties": false,
       "properties": {
@@ -754,6 +780,11 @@
     "helm-values.podDisruptionBudget.minAvailable": {
       "description": "This configures the minimum available pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).\nIt cannot be used if `maxUnavailable` is set."
     },
+    "helm-values.podSecurityContext": {
+      "default": {},
+      "description": "Security Context to be set on the trust-manager Pod. For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).",
+      "type": "object"
+    },
     "helm-values.priorityClassName": {
       "default": "",
       "description": "Configure the priority class of the pod. For more information, see [PriorityClass](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass).",

diff --git a/deploy/charts/trust-manager/values.yaml b/deploy/charts/trust-manager/values.yaml
@@ -90,6 +90,17 @@ defaultPackage:
   #      memory: 128Mi
   resources: {}
 
+  # Security Context to be set on the trust-manager default package init container. For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+
 defaultPackageImage:
   # Target image registry. This value is prepended to the target image repository, if set.
   # For example:
@@ -164,6 +175,9 @@ secretTargets:
 #      memory: 128Mi
 resources: {}
 
+# Security Context to be set on the trust-manager Pod. For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
+podSecurityContext: {}
+
 # Configure the priority class of the pod. For more information, see [PriorityClass](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass).
 priorityClassName: ""
 
@@ -249,9 +263,16 @@ app:
   # +docs:property
   # targetNamespaces: ["ns-1", "ns-2"]
 
+  # Security Context to be set on the trust-manager app container. For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
   securityContext:
-    # If false, disables the default seccomp profile, which might be required to run on certain platforms.
-    seccompProfileEnabled: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
 
   # Pod labels to add to trust-manager pods.
   podLabels: {}