eightball/all-in-one
1
0
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2025-12-19 22:16:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

helm: refactor securityContext to support restricted pod security standard

Browse source 
Signed-off-by: Simon L. <szaimen@e.mail.de>
This commit is contained in:
Simon L. 2024-11-15 16:52:55 +01:00
parent f7de6f6704
commit cf6adc1075
16 changed files with 337 additions and 152 deletions
Download patch file Download diff file Expand all files Collapse all files

35
nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml
View file

@ -23,16 +23,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-notify-push
spec:
initContainers:
- name: init-volumes
image: "alpine:3.20"
command:
- chmod
- "777"
- /nextcloud-aio-nextcloud
volumeMounts:
- name: nextcloud-aio-nextcloud
mountPath: /nextcloud-aio-nextcloud
securityContext:
# The items below only work in pod context
fsGroup: 33
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 33
runAsGroup: 33
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: NC_DOMAIN
@ -53,18 +55,21 @@ spec:
value: nextcloud-aio-redis
- name: REDIS_HOST_PASSWORD
value: "{{ .Values.REDIS_PASSWORD }}"
image: "nextcloud/aio-notify-push:20241106_101604"
image: nextcloud/aio-notify-push:20241106_101604
name: nextcloud-aio-notify-push
ports:
- containerPort: 7867
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 33
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /nextcloud
name: nextcloud-aio-nextcloud