eightball/all-in-one
1
0
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2025-12-19 22:16:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

helm: refactor securityContext to support restricted pod security standard

Browse source 
Signed-off-by: Simon L. <szaimen@e.mail.de>
This commit is contained in:
Simon L. 2024-11-15 16:52:55 +01:00
parent f7de6f6704
commit cf6adc1075
16 changed files with 337 additions and 152 deletions
Download patch file Download diff file Expand all files Collapse all files

38
nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml
View file

@ -23,19 +23,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-apache
spec:
initContainers:
- name: init-volumes
image: "alpine:3.20"
command:
- chmod
- "777"
- /nextcloud-aio-nextcloud
- /nextcloud-aio-apache
volumeMounts:
- name: nextcloud-aio-apache
mountPath: /nextcloud-aio-apache
- name: nextcloud-aio-nextcloud
mountPath: /nextcloud-aio-nextcloud
securityContext:
# The items below only work in pod context
fsGroup: 33
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 33
runAsGroup: 33
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: ADDITIONAL_TRUSTED_DOMAIN
@ -64,7 +63,7 @@ spec:
value: "{{ .Values.TIMEZONE }}"
- name: WHITEBOARD_HOST
value: nextcloud-aio-whiteboard
image: "nextcloud/aio-apache:20241106_101604"
image: nextcloud/aio-apache:20241106_101604
name: nextcloud-aio-apache
ports:
- containerPort: {{ .Values.APACHE_PORT }}
@ -72,12 +71,15 @@ spec:
- containerPort: {{ .Values.APACHE_PORT }}
protocol: UDP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 33
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /var/www/html
name: nextcloud-aio-nextcloud

46
nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
View file

@ -24,6 +24,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-clamav
spec:
securityContext:
# The items below only work in pod context
fsGroup: 100
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 100
runAsGroup: 100
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
initContainers:
- name: init-subpath
image: "alpine:3.20"
@ -31,20 +43,19 @@ spec:
- mkdir
- "-p"
- /nextcloud-aio-clamav/data
- /nextcloud-aio-clamav
volumeMounts:
- name: nextcloud-aio-clamav
mountPath: /nextcloud-aio-clamav
- name: init-volumes
image: "alpine:3.20"
command:
- chown
- 100:100
- "-R"
- /nextcloud-aio-clamav
volumeMounts:
- name: nextcloud-aio-clamav
mountPath: /nextcloud-aio-clamav
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
containers:
- env:
- name: CLAMD_STARTUP_TIMEOUT
@ -53,18 +64,21 @@ spec:
value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-clamav:20241106_101604"
image: nextcloud/aio-clamav:20241106_101604
name: nextcloud-aio-clamav
ports:
- containerPort: 3310
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 100
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /var/lib/clamav
subPath: data

7
nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml
View file

@ -36,19 +36,14 @@ spec:
value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json
- name: server_name
value: "{{ .Values.NC_DOMAIN }}"
image: "nextcloud/aio-collabora:20241106_101604"
image: nextcloud/aio-collabora:20241106_101604
name: nextcloud-aio-collabora
ports:
- containerPort: 9980
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
add:
- MKNOD
- SYS_ADMIN
drop:
- NET_RAW
runAsUser: 100
{{- end }}

52
nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
View file

@ -23,6 +23,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-database
spec:
securityContext:
# The items below only work in pod context
fsGroup: 999
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 999
runAsGroup: 999
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
initContainers:
- name: init-subpath
image: "alpine:3.20"
@ -30,26 +42,19 @@ spec:
- mkdir
- "-p"
- /nextcloud-aio-database/data
- /nextcloud-aio-database
- /nextcloud-aio-database-dump
volumeMounts:
- name: nextcloud-aio-database-dump
mountPath: /nextcloud-aio-database-dump
- name: nextcloud-aio-database
mountPath: /nextcloud-aio-database
- name: init-volumes
image: "alpine:3.20"
command:
- chown
- 999:999
- "-R"
- /nextcloud-aio-database
- /nextcloud-aio-database-dump
volumeMounts:
- name: nextcloud-aio-database-dump
mountPath: /nextcloud-aio-database-dump
- name: nextcloud-aio-database
mountPath: /nextcloud-aio-database
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
containers:
- env:
- name: PGTZ
@ -62,18 +67,21 @@ spec:
value: nextcloud
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-postgresql:20241106_101604"
image: nextcloud/aio-postgresql:20241106_101604
name: nextcloud-aio-database
ports:
- containerPort: 5432
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 999
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /var/lib/postgresql/data
subPath: data

8
nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml
View file

@ -56,17 +56,11 @@ spec:
value: basic
- name: xpack.security.enabled
value: "false"
image: "nextcloud/aio-fulltextsearch:20241106_101604"
image: nextcloud/aio-fulltextsearch:20241106_101604
name: nextcloud-aio-fulltextsearch
ports:
- containerPort: 9200
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
volumeMounts:
- mountPath: /usr/share/elasticsearch/data
name: nextcloud-aio-elasticsearch

26
nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
View file

@ -22,24 +22,38 @@ spec:
labels:
io.kompose.service: nextcloud-aio-imaginary
spec:
securityContext:
# The items below only work in pod context
fsGroup: 65534
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: IMAGINARY_SECRET
value: "{{ .Values.IMAGINARY_SECRET }}"
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-imaginary:20241106_101604"
image: nextcloud/aio-imaginary:20241106_101604
name: nextcloud-aio-imaginary
ports:
- containerPort: 9000
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add:
- SYS_NICE
drop:
- NET_RAW
runAsUser: 65534
- NET_BIND_SERVICE
{{- end }}

46
nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml
View file

@ -23,6 +23,20 @@ spec:
labels:
io.kompose.service: nextcloud-aio-nextcloud
spec:
{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
securityContext:
# The items below only work in pod context
fsGroup: 33
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 33
runAsGroup: 33
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- end }} # AIO-config - do not change this comment!
initContainers:
- name: "delete-lost-found"
image: "alpine:3.20"
@ -35,6 +49,19 @@ spec:
mountPath: /nextcloud-aio-nextcloud-trusted-cacerts
- name: nextcloud-aio-nextcloud
mountPath: /nextcloud-aio-nextcloud
{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }} # AIO-config - do not change this comment!
# AIO settings start # Do not remove or change this line!
- name: init-volumes
image: "alpine:3.20"
command:
@ -47,6 +74,7 @@ spec:
mountPath: /nextcloud-aio-nextcloud-trusted-cacerts
- name: nextcloud-aio-nextcloud
mountPath: /nextcloud-aio-nextcloud
# AIO settings end # Do not remove or change this line!
containers:
- env:
- name: SMTP_HOST
@ -173,17 +201,25 @@ spec:
value: "{{ .Values.WHITEBOARD_ENABLED }}"
- name: WHITEBOARD_SECRET
value: "{{ .Values.WHITEBOARD_SECRET }}"
image: "nextcloud/aio-nextcloud:20241106_101604"
image: nextcloud/aio-nextcloud:20241106_101604
{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }} # AIO-config - do not change this comment!
name: nextcloud-aio-nextcloud
ports:
- containerPort: 9000
protocol: TCP
- containerPort: 9001
protocol: TCP
securityContext:
capabilities:
drop:
- NET_RAW
volumeMounts:
- mountPath: /var/www/html
name: nextcloud-aio-nextcloud

35
nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml
View file

@ -23,16 +23,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-notify-push
spec:
initContainers:
- name: init-volumes
image: "alpine:3.20"
command:
- chmod
- "777"
- /nextcloud-aio-nextcloud
volumeMounts:
- name: nextcloud-aio-nextcloud
mountPath: /nextcloud-aio-nextcloud
securityContext:
# The items below only work in pod context
fsGroup: 33
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 33
runAsGroup: 33
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: NC_DOMAIN
@ -53,18 +55,21 @@ spec:
value: nextcloud-aio-redis
- name: REDIS_HOST_PASSWORD
value: "{{ .Values.REDIS_PASSWORD }}"
image: "nextcloud/aio-notify-push:20241106_101604"
image: nextcloud/aio-notify-push:20241106_101604
name: nextcloud-aio-notify-push
ports:
- containerPort: 7867
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 33
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /nextcloud
name: nextcloud-aio-nextcloud

6
nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml
View file

@ -44,15 +44,11 @@ spec:
value: "{{ .Values.ONLYOFFICE_SECRET }}"
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-onlyoffice:20241106_101604"
image: nextcloud/aio-onlyoffice:20241106_101604
name: nextcloud-aio-onlyoffice
ports:
- containerPort: 80
protocol: TCP
securityContext:
capabilities:
drop:
- NET_RAW
volumeMounts:
- mountPath: /var/lib/onlyoffice
name: nextcloud-aio-onlyoffice

35
nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml
View file

@ -23,34 +23,39 @@ spec:
labels:
io.kompose.service: nextcloud-aio-redis
spec:
initContainers:
- name: init-volumes
image: "alpine:3.20"
command:
- chmod
- "777"
- /nextcloud-aio-redis
volumeMounts:
- name: nextcloud-aio-redis
mountPath: /nextcloud-aio-redis
securityContext:
# The items below only work in pod context
fsGroup: 999
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 999
runAsGroup: 999
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: REDIS_HOST_PASSWORD
value: "{{ .Values.REDIS_PASSWORD }}"
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-redis:20241106_101604"
image: nextcloud/aio-redis:20241106_101604
name: nextcloud-aio-redis
ports:
- containerPort: 6379
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 999
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /data
name: nextcloud-aio-redis

25
nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml
View file

@ -22,6 +22,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-talk
spec:
securityContext:
# The items below only work in pod context
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: TALK_MAX_STREAM_BITRATE
@ -42,7 +54,7 @@ spec:
value: "{{ .Values.TURN_SECRET }}"
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-talk:20241106_101604"
image: nextcloud/aio-talk:20241106_101604
name: nextcloud-aio-talk
ports:
- containerPort: {{ .Values.TALK_PORT }}
@ -52,10 +64,13 @@ spec:
- containerPort: 8081
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 1000
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }}

25
nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml
View file

@ -22,6 +22,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-talk-recording
spec:
securityContext:
# The items below only work in pod context
fsGroup: 122
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 122
runAsGroup: 122
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: INTERNAL_SECRET
@ -32,16 +44,19 @@ spec:
value: "{{ .Values.RECORDING_SECRET }}"
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-talk-recording:20241106_101604"
image: nextcloud/aio-talk-recording:20241106_101604
name: nextcloud-aio-talk-recording
ports:
- containerPort: 1234
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 122
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }}

25
nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml
View file

@ -22,6 +22,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-whiteboard
spec:
securityContext:
# The items below only work in pod context
fsGroup: 65534
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: JWT_SECRET_KEY
@ -36,16 +48,19 @@ spec:
value: redis
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-whiteboard:20241106_101604"
image: nextcloud/aio-whiteboard:20241106_101604
name: nextcloud-aio-whiteboard
ports:
- containerPort: 3002
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 65534
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }}