eightball/all-in-one
1
0
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2025-12-19 22:16:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

helm: add additional security settings

Browse source 
Signed-off-by: Simon L. <szaimen@e.mail.de>
This commit is contained in:
Simon L. 2024-11-05 16:05:22 +01:00
parent 89739b26ed
commit b81ae86e8a
12 changed files with 29 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml
View file

@ -72,6 +72,8 @@ spec:
- containerPort: {{ .Values.APACHE_PORT }}
protocol: UDP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW

2
nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
View file

@ -59,6 +59,8 @@ spec:
- containerPort: 3310
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW

2
nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml
View file

@ -42,6 +42,8 @@ spec:
- containerPort: 9980
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
add:
- MKNOD

2
nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
View file

@ -68,6 +68,8 @@ spec:
- containerPort: 5432
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW

2
nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml
View file

@ -62,6 +62,8 @@ spec:
- containerPort: 9200
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW

2
nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
View file

@ -34,6 +34,8 @@ spec:
- containerPort: 9000
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
add:
- SYS_NICE

2
nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml
View file

@ -59,6 +59,8 @@ spec:
- containerPort: 7867
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW

2
nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml
View file

@ -45,6 +45,8 @@ spec:
- containerPort: 6379
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW

2
nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml
View file

@ -52,6 +52,8 @@ spec:
- containerPort: 8081
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW

2
nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml
View file

@ -38,6 +38,8 @@ spec:
- containerPort: 1234
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW

2
nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml
View file

@ -42,6 +42,8 @@ spec:
- containerPort: 3002
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW

7
nextcloud-aio-helm-chart/update-helm.sh
View file

@ -423,6 +423,13 @@ find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec se
# shellcheck disable=SC1083
find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec sed -i "$ a {{- end }}" \{} \;
cat << EOL >> /tmp/security.conf
allowPrivilegeEscalation: false
runAsNonRoot: true
EOL
# shellcheck disable=SC1083
find ./ \( -not -name '*nextcloud-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^.*securityContext:$/r /tmp/security.conf" \{} \;
chmod 777 -R ./
# Seems like the dir needs to match the name of the chart