helm: add additional security settings
Signed-off-by: Simon L. <szaimen@e.mail.de>
parent
89739b26ed
commit
b81ae86e8a
12 changed files with 29 additions and 0 deletions
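--- a/FILE_1_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_1_PATH_NOT_SHOWN_ON_PAGE
@@ -72,6 +72,8 @@ spec:
 - containerPort: {{ .Values.APACHE_PORT }}
 protocol: UDP
 securityContext:
+allowPrivilegeEscalation: false
+runAsNonRoot: true
 capabilities:
 drop:
 - NET_RAW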
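Review bot: `runAsNonRoot: true` is added without a `runAsUser`, so enforcement rests on each image's USER directive: the kubelet refuses to start a container when the image runs as UID 0 or declares a non-numeric user it cannot verify, which would turn this hardening into a startup failure for any of the eleven deployments whose image does not set a numeric non-root USER. Verify the USER of every affected image, or pin the UID explicitly next to the new keys, e.g. `runAsUser: <numeric uid of the image user>`. The same two lines are repeated in the sections for ports 3310, 9980, 5432, 9200, 9000, 7867, 6379, 8081, 1234 and 3002, so the generator script that emits them is the single place to fix. Indentation is not preserved on this page, so the nesting of the new keys under the container-level securityContext cannot be confirmed from here; `seccompProfile: {type: RuntimeDefault}` and `readOnlyRootFilesystem: true` are the usual next steps once the user is pinned.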
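--- a/FILE_2_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_2_PATH_NOT_SHOWN_ON_PAGE
@@ -59,6 +59,8 @@ spec:
 - containerPort: 3310
 protocol: TCP
 securityContext:
+allowPrivilegeEscalation: false
+runAsNonRoot: true
 capabilities:
 drop:
 - NET_RAW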
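--- a/FILE_3_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_3_PATH_NOT_SHOWN_ON_PAGE
@@ -42,6 +42,8 @@ spec:
 - containerPort: 9980
 protocol: TCP
 securityContext:
+allowPrivilegeEscalation: false
+runAsNonRoot: true
 capabilities:
 add:
 - MKNOD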
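Review bot: `capabilities.add: MKNOD` now sits next to `runAsNonRoot: true`, and Kubernetes container runtimes typically grant added capabilities to the bounding and permitted sets but not as ambient capabilities, so for a process that starts as a non-root UID the capability is dropped on exec and the grant is inert unless the binary carries file capabilities or the entrypoint starts as root and hands privileges down itself. Which of those holds depends on the image, not on anything in this hunk, so it needs confirming rather than assuming; the same question applies to the `SYS_NICE` add in the section for port 9000. If the capability turns out to be dead, removing the `add:` block is strictly better; if it is still needed, the image's privilege handoff is what should be documented, e.g. `# MKNOD: effective only while the entrypoint still runs as root — see image docs`.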
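--- a/FILE_4_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_4_PATH_NOT_SHOWN_ON_PAGE
@@ -68,6 +68,8 @@ spec:
 - containerPort: 5432
 protocol: TCP
 securityContext:
+allowPrivilegeEscalation: false
+runAsNonRoot: true
 capabilities:
 drop:
 - NET_RAW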
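--- a/FILE_5_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_5_PATH_NOT_SHOWN_ON_PAGE
@@ -62,6 +62,8 @@ spec:
 - containerPort: 9200
 protocol: TCP
 securityContext:
+allowPrivilegeEscalation: false
+runAsNonRoot: true
 capabilities:
 drop:
 - NET_RAW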
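--- a/FILE_6_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_6_PATH_NOT_SHOWN_ON_PAGE
@@ -34,6 +34,8 @@ spec:
 - containerPort: 9000
 protocol: TCP
 securityContext:
+allowPrivilegeEscalation: false
+runAsNonRoot: true
 capabilities:
 add:
 - SYS_NICE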
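--- a/FILE_7_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_7_PATH_NOT_SHOWN_ON_PAGE
@@ -59,6 +59,8 @@ spec:
 - containerPort: 7867
 protocol: TCP
 securityContext:
+allowPrivilegeEscalation: false
+runAsNonRoot: true
 capabilities:
 drop:
 - NET_RAW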
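--- a/FILE_8_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_8_PATH_NOT_SHOWN_ON_PAGE
@@ -45,6 +45,8 @@ spec:
 - containerPort: 6379
 protocol: TCP
 securityContext:
+allowPrivilegeEscalation: false
+runAsNonRoot: true
 capabilities:
 drop:
 - NET_RAW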
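--- a/FILE_9_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_9_PATH_NOT_SHOWN_ON_PAGE
@@ -52,6 +52,8 @@ spec:
 - containerPort: 8081
 protocol: TCP
 securityContext:
+allowPrivilegeEscalation: false
+runAsNonRoot: true
 capabilities:
 drop:
 - NET_RAW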
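--- a/FILE_10_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_10_PATH_NOT_SHOWN_ON_PAGE
@@ -38,6 +38,8 @@ spec:
 - containerPort: 1234
 protocol: TCP
 securityContext:
+allowPrivilegeEscalation: false
+runAsNonRoot: true
 capabilities:
 drop:
 - NET_RAW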
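--- a/FILE_11_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_11_PATH_NOT_SHOWN_ON_PAGE
@@ -42,6 +42,8 @@ spec:
 - containerPort: 3002
 protocol: TCP
 securityContext:
+allowPrivilegeEscalation: false
+runAsNonRoot: true
 capabilities:
 drop:
 - NET_RAW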
@ -423,6 +423,13 @@ find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec se
|
||||||
# shellcheck disable=SC1083
|
# shellcheck disable=SC1083
|
||||||
find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec sed -i "$ a {{- end }}" \{} \;
|
find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec sed -i "$ a {{- end }}" \{} \;
|
||||||
|
|
||||||
|
cat << EOL >> /tmp/security.conf
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
runAsNonRoot: true
|
||||||
|
EOL
|
||||||
|
# shellcheck disable=SC1083
|
||||||
|
find ./ \( -not -name '*nextcloud-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^.*securityContext:$/r /tmp/security.conf" \{} \;
|
||||||
|
|
||||||
chmod 777 -R ./
|
chmod 777 -R ./
|
||||||
|
|
||||||
# Seems like the dir needs to match the name of the chart
|
# Seems like the dir needs to match the name of the chart
|
||||||
|
|
|
||||||
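Review bot: `cat << EOL >> /tmp/security.conf` appends, so a second run of the script on the same machine leaves the two keys duplicated in the file and the following `sed ... r` injects duplicate YAML keys into every matched deployment; `>` is the operator that matches the intent: `cat << EOL > /tmp/security.conf`. The `sed "/^.*securityContext:$/r /tmp/security.conf"` pattern matches every `securityContext:` line, pod-level as well as container-level, and `allowPrivilegeEscalation` is only valid in a container securityContext, so if any of the matched deployments carries a pod-level block the rendered chart will fail schema validation — either anchor the pattern on the container-level indentation or check the generated output for that case. Indentation is not preserved on this page, so whether the heredoc's leading whitespace matches the container-level keys cannot be confirmed from here. The enclosing script continues outside the hunk.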