diff --git a/helmfile/apps/collabora/values.yaml.gotmpl b/helmfile/apps/collabora/values.yaml.gotmpl
index 22c95cd8..9def3aca 100644
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -126,7 +126,7 @@ securityContext: - "NET_RAW" - "SYS_CHROOT" - "MKNOD" - + seLinuxOptions: {{ .Values.seLinuxOptions.collabora }} serviceAccount: create: true ...
diff --git a/helmfile/apps/cryptpad/values.yaml.gotmpl b/helmfile/apps/cryptpad/values.yaml.gotmpl
index 4f2f014e..3a71f900 100644
--- a/helmfile/apps/cryptpad/values.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -70,6 +70,7 @@ securityContext: runAsNonRoot: true runAsUser: 4001 runAsGroup: 4001 + seLinuxOptions: {{ .Values.seLinuxOptions.cryptpad }} serviceAccount: create: true
diff --git a/helmfile/apps/element/values-element.yaml.gotmpl b/helmfile/apps/element/values-element.yaml.gotmpl
index 8769feb4..d23e605b 100644
--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -110,6 +110,7 @@ containerSecurityContext: runAsUser: 101 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.element }} global: domain: {{ .Values.global.domain | quote }}
diff --git a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
index 67b46f34..55195f71 100644
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext: runAsUser: 101 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoBoardWidget }} global: domain: {{ .Values.global.domain | quote }}
diff --git a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
index e1ff1269..ec614789 100644
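Review bot: `seLinuxOptions: {{ .Values.seLinuxOptions.collabora }}` interpolates the value as plain text, but the Kubernetes field is a mapping (level/role/type/user), so a non-null setting would be rendered with Go's map formatting rather than as YAML, and the null default most likely renders as `<no value>` unless helmfile strips it — check with `helmfile template` using a non-null sample value, because with every default at null this change is a no-op until an operator sets a label and the breakage only shows then. The diff already uses the mapping-safe form for `resources:` in values-ums-keycloak-extensions.yaml.gotmpl (`| toYaml | nindent 4`); the same shape guarded by `with` also keeps the key absent when unset: `{{- with .Values.seLinuxOptions.collabora }}` / `seLinuxOptions: {{ . | toYaml | nindent N }}` / `{{- end }}`, with N (placeholder) set to the key's indent plus two in each file. Every other gotmpl hunk in this diff uses the same plain interpolation, so the fix applies to all of them. The enclosing securityContext block starts before the hunk.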
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext: runAsUser: 101 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoChoiceWidget }} global: domain: {{ .Values.global.domain | quote }}
diff --git a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
index c7162926..a8f1af9a 100644
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -35,5 +35,6 @@ securityContext: runAsUser: 101 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }} ...
diff --git a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
index 977564ce..e72ecb12 100644
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -35,6 +35,7 @@ containerSecurityContext: runAsUser: 101 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixBot }} extraEnvVars: - name: "ACCESS_TOKEN"
diff --git a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
index 6c2b6a60..564a56af 100644
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
@@ -18,6 +18,7 @@ containerSecurityContext: runAsUser: 101 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixWidget }} global: domain: {{ .Values.global.domain | quote }}
diff --git a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
index a81943ec..8f8c2fba 100644
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -35,4 +35,5 @@ securityContext: runAsUser: 101 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }} ...
diff --git a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
index d4e7ac2f..ca23138c 100644
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext: runAsUser: 0 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.matrixUserVerificationService }} extraEnvVars: - name: "UVS_ACCESS_TOKEN"
diff --git a/helmfile/apps/element/values-synapse-web.yaml.gotmpl b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
index 7373bb8e..271736bf 100644
--- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext: runAsUser: 101 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.synapseWeb }} global: domain: {{ .Values.global.domain | quote }}
diff --git a/helmfile/apps/element/values-synapse.yaml.gotmpl b/helmfile/apps/element/values-synapse.yaml.gotmpl
index 40a3d02f..4f815a4e 100644
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -79,6 +79,7 @@ containerSecurityContext: runAsGroup: 10991 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.synapse }} global: domain: {{ .Values.global.domain | quote }}
diff --git a/helmfile/apps/element/values-well-known.yaml.gotmpl b/helmfile/apps/element/values-well-known.yaml.gotmpl
index 267fc14f..2dbb51c9 100644
--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -18,6 +18,7 @@ containerSecurityContext: runAsUser: 101 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.wellKnown }} global: domain: {{ .Values.global.domain | quote }}
diff --git a/helmfile/apps/intercom-service/values.yaml.gotmpl b/helmfile/apps/intercom-service/values.yaml.gotmpl
index 67624896..de502176 100644
--- a/helmfile/apps/intercom-service/values.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.intercom }} global: domain: {{ .Values.global.domain | quote }}
diff --git a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
index 8a64dc92..4e836ded 100644
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -23,6 +23,7 @@ containerSecurityContext: runAsUser: 1993 runAsGroup: 1993 runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.jitsiKeycloakAdapter }} cleanup: deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
@@ -74,6 +75,7 @@ jitsi: runAsUser: 0 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.jitsi }} prosody: image: repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -121,6 +123,7 @@ jitsi: runAsUser: 0 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.prosody }} jicofo: replicaCount: {{ .Values.replicas.jicofo }} image:
@@ -142,6 +145,7 @@ jitsi: runAsUser: 0 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.jicofo }} jvb: replicaCount: {{ .Values.replicas.jvb }} image:
@@ -164,6 +168,7 @@ jitsi: runAsUser: 0 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.jvb }} jibri: replicaCount: {{ .Values.replicas.jibri }} image:
@@ -201,6 +206,7 @@ patchJVB: runAsNonRoot: true seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.jitsiPatchJVB }} image: imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}
diff --git a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
index b50f9bb1..418e5615 100644
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -87,6 +87,7 @@ containerSecurityContext: type: "RuntimeDefault" readOnlyRootFilesystem: false runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudManagement }} debug: loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
diff --git a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
index d5cac32e..e183b7ee 100644
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -25,6 +25,7 @@ exporter: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudExporter }} image: registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }} repository: "{{ .Values.images.nextcloudExporter.repository }}"
@@ -77,6 +78,7 @@ php: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudPHP }} cron: successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }} debug:
@@ -116,6 +118,7 @@ apache2: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudApache2 }} ingress: enabled: {{ .Values.ingress.enabled }} ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
diff --git a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
index 1386f6e7..6dc15720 100644
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -66,6 +66,7 @@ containerSecurityContext: readOnlyRootFilesystem: true seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.dovecot }} podSecurityContext: enabled: true
diff --git a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
index e2e8a36c..9bb8b68c 100644
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -40,6 +40,7 @@ nextcloud-integration-ui: privileged: false seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI }} public-sector-ui: image:
@@ -66,6 +67,7 @@ public-sector-ui: privileged: false seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.openxchangePublicSectorUI }} appsuite: appsuite-toolkit:
@@ -129,6 +131,7 @@ appsuite: privileged: false seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGotenberg }} hooks: beforeAppsuiteStart: create-guard-dir.sh: |
@@ -353,6 +356,7 @@ appsuite: privileged: false seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUI }} core-ui-middleware: enabled: true
@@ -394,7 +398,7 @@ appsuite: privileged: false seccompProfile: type: "RuntimeDefault" - + seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware }} core-cacheservice: enabled: false
@@ -424,6 +428,7 @@ appsuite: - "ALL" seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeDocumentConverter }} core-documents-collaboration: enabled: false
@@ -465,6 +470,7 @@ appsuite: privileged: false seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours }} core-imageconverter: enabled: true
@@ -494,6 +500,7 @@ appsuite: - "ALL" seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeImageConverter }} guard-ui: enabled: true
@@ -519,7 +526,7 @@ appsuite: privileged: false seccompProfile: type: "RuntimeDefault" - + seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGuardUI }} core-spellcheck: enabled: false
@@ -548,4 +555,5 @@ appsuite: privileged: false seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUserGuide }} ...
diff --git a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
index 259d8bdb..949f8035 100644
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -38,6 +38,7 @@ containerSecurityContext: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.openprojectBootstrap }} image: registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}
diff --git a/helmfile/apps/openproject/values.yaml.gotmpl b/helmfile/apps/openproject/values.yaml.gotmpl
index b90d1bb1..40b2b2fd 100644
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -20,6 +20,7 @@ containerSecurityContext: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.openproject }} environment: # For more details and more options see
diff --git a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
index 5a0e04c5..e4553980 100644
--- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
@@ -83,6 +83,7 @@ securityContext: runAsGroup: 0 runAsNonRoot: false readOnlyRootFilesystem: false + seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector }} serviceAccount: create: true
diff --git a/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl b/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
index c82f43a2..0a9ffd65 100644
--- a/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
@@ -15,6 +15,7 @@ clamd: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.clamd }} image: registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }} repository: {{ .Values.images.clamd.repository | quote }}
@@ -40,6 +41,7 @@ containerSecurityContext: capabilities: drop: [] privileged: false + seLinuxOptions: {{ .Values.seLinuxOptions.clamav }} freshclam: containerSecurityContext:
@@ -55,6 +57,7 @@ freshclam: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.freshclam }} image: registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }} repository: {{ .Values.images.freshclam.repository | quote }}
@@ -86,6 +89,7 @@ icap: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.icap }} image: registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }} repository: {{ .Values.images.icap.repository | quote }}
@@ -113,6 +117,7 @@ milter: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.milter }} image: registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }} repository: {{ .Values.images.milter.repository | quote }}
diff --git a/helmfile/apps/services/values-clamav-simple.yaml.gotmpl b/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
index b2a69fff..e60d00f5 100644
--- a/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.clamavSimple }} global: imagePullSecrets:
diff --git a/helmfile/apps/services/values-mariadb.yaml.gotmpl b/helmfile/apps/services/values-mariadb.yaml.gotmpl
index 153501f1..c7f57a61 100644
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
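Review bot: `seLinuxOptions: {{ .Values.seLinuxOptions.clamav }}` in the `-40,6 +41,7` hunk of values-clamav-distributed.yaml.gotmpl reads a key that the new helmfile/environments/default/selinux.yaml does not define — it declares clamavSimple, clamd, freshclam, icap and milter, but no clamav. Unless another environment file supplies that key, rendering this values file will either fail with a missing-key error or emit `<no value>`, depending on how helmfile's template engine is configured, and since it is the only consumer in the diff without a default it will not be caught by rendering the other files. Either add `clamav: ~` to the defaults file next to `clamavSimple: ~` or point this line at the existing key that was intended. The containerSecurityContext block it sits in starts before the hunk.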
@@ -17,6 +17,7 @@ containerSecurityContext: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.mariadb }} global: imagePullSecrets:
diff --git a/helmfile/apps/services/values-memcached.yaml.gotmpl b/helmfile/apps/services/values-memcached.yaml.gotmpl
index a9f10c31..9dcb834a 100644
--- a/helmfile/apps/services/values-memcached.yaml.gotmpl
+++ b/helmfile/apps/services/values-memcached.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext: seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true + seLinuxOptions: {{ .Values.seLinuxOptions.memcached }} global: imagePullSecrets:
diff --git a/helmfile/apps/services/values-minio.yaml.gotmpl b/helmfile/apps/services/values-minio.yaml.gotmpl
index 65f0f887..b61ff2c1 100644
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -29,6 +29,7 @@ containerSecurityContext: readOnlyRootFilesystem: false seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.minio }} defaultBuckets: "openproject,openxchange,ums,nextcloud"
diff --git a/helmfile/apps/services/values-postfix.yaml.gotmpl b/helmfile/apps/services/values-postfix.yaml.gotmpl
index aa13e838..7001bb15 100644
--- a/helmfile/apps/services/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services/values-postfix.yaml.gotmpl
@@ -17,6 +17,7 @@ containerSecurityContext: runAsUser: 0 runAsGroup: 0 privileged: true + seLinuxOptions: {{ .Values.seLinuxOptions.postfix }} global: imagePullSecrets:
diff --git a/helmfile/apps/services/values-postgresql.yaml.gotmpl b/helmfile/apps/services/values-postgresql.yaml.gotmpl
index 16210868..ace3b0e0 100644
--- a/helmfile/apps/services/values-postgresql.yaml.gotmpl
+++ b/helmfile/apps/services/values-postgresql.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.postgresql }} job:
diff --git a/helmfile/apps/services/values-redis.yaml.gotmpl b/helmfile/apps/services/values-redis.yaml.gotmpl
index 5848cadf..55952964 100644
--- a/helmfile/apps/services/values-redis.yaml.gotmpl
+++ b/helmfile/apps/services/values-redis.yaml.gotmpl
@@ -30,6 +30,7 @@ master: capabilities: drop: - "ALL" + seLinuxOptions: {{ .Values.seLinuxOptions.redis }} count: {{ .Values.replicas.redis }} persistence: size: {{ .Values.persistence.size.redis | quote }}
diff --git a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
index f1ec4ce5..1c78d8d5 100644
--- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
@@ -55,5 +55,6 @@ securityContext: runAsGroup: 1000 runAsNonRoot: true readOnlyRootFilesystem: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi }} ...
diff --git a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
index 987890a0..03c78ff1 100644
--- a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
@@ -73,5 +73,6 @@ securityContext: runAsGroup: 1000 runAsNonRoot: true readOnlyRootFilesystem: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementApi }} ...
diff --git a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
index cc5a9a5f..fdc2043b 100644
--- a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
@@ -46,5 +46,6 @@ securityContext: runAsGroup: 0 runAsNonRoot: false readOnlyRootFilesystem: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementUi }} ...
diff --git a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
index 2f85cfe2..431213d3 100644
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
@@ -27,6 +27,7 @@ securityContext: runAsUser: 0 runAsGroup: 0 runAsNonRoot: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapNotifier }} volumes: claims:
diff --git a/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
index 23876e15..9328883f 100644
--- a/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
@@ -76,6 +76,7 @@ securityContext: runAsUser: 0 runAsGroup: 0 runAsNonRoot: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapServer }} service: type: "ClusterIP"
diff --git a/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
index c8777c0f..7cdc5e38 100644
--- a/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
@@ -44,5 +44,6 @@ securityContext: runAsUser: 1000 runAsGroup: 1000 runAsNonRoot: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsNotificationsApi }} ...
diff --git a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
index 64085de2..2e440c88 100644
--- a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
@@ -46,5 +46,6 @@ securityContext: runAsUser: 1000 runAsGroup: 1000 runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.umsOpenPolicyAgent }} ...
diff --git a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
index 71203f63..001c7365 100644
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -597,6 +597,7 @@ containerSecurityContext: type: "RuntimeDefault" readOnlyRootFilesystem: true runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap }} podAnnotations: intents.otterize.com/service-name: "ums-keycloak-bootstrap"
diff --git a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
index 3fcd559e..bbbc6b07 100644
--- a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
@@ -110,5 +110,5 @@ securityContext: runAsUser: 0 runAsGroup: 0 runAsNonRoot: false - + seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend }} ...
diff --git a/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
index b5fd54e9..e69da5ab 100644
--- a/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
@@ -75,5 +75,6 @@ securityContext: runAsUser: 0 runAsGroup: 0 runAsNonRoot: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalListener }} ...
diff --git a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
index fe093d45..c842ef49 100644
--- a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
@@ -50,5 +50,6 @@ securityContext: runAsUser: 0 runAsGroup: 0 runAsNonRoot: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalServer }} ...
diff --git a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
index f1ae172c..029c00a5 100644
--- a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
@@ -28,6 +28,7 @@ dispatcher: runAsGroup: 1000 runAsNonRoot: true readOnlyRootFilesystem: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningDispatcher }} events-and-consumer-api: image:
@@ -62,6 +63,7 @@ events-and-consumer-api: runAsGroup: 1000 runAsNonRoot: true readOnlyRootFilesystem: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningEventsAndConsumerApi }} udm-listener: image:
@@ -104,6 +106,7 @@ udm-listener: runAsGroup: 0 runAsNonRoot: false readOnlyRootFilesystem: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningUdmListener }} nats: global:
diff --git a/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
index a8050665..14b11cfc 100644
--- a/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
@@ -73,5 +73,6 @@ securityContext: runAsUser: 0 runAsGroup: 0 runAsNonRoot: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener }} ...
diff --git a/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
index 81760a4a..c67ca381 100644
--- a/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
@@ -29,6 +29,7 @@ securityContext: runAsUser: 0 runAsGroup: 0 runAsNonRoot: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }} stackDataContext: ldapBase: "dc=swp-ldap,dc=internal"
diff --git a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
index 7d111150..11dfc936 100644
--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
@@ -29,6 +29,7 @@ securityContext: runAsUser: 0 runAsGroup: 0 runAsNonRoot: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }} stackDataContext: idpSamlMetadataUrlInternal: null
diff --git a/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
index 85b749e6..560cd975 100644
--- a/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
@@ -53,6 +53,7 @@ securityContext: runAsUser: 0 runAsGroup: 0 runAsNonRoot: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsStoreDav }} storeDav: auth:
diff --git a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
index f650d68c..d1b151d0 100644
--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
@@ -51,6 +51,7 @@ securityContext: runAsUser: 0 runAsGroup: 0 runAsNonRoot: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmRestApi }} udmRestApi: # TODO: Stub value currently
diff --git a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
index a8547eb9..4b8a861a 100644
--- a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
@@ -58,5 +58,6 @@ securityContext: runAsUser: 0 runAsGroup: 0 runAsNonRoot: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway }} ...
diff --git a/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
index 25bb5c5f..cc06808c 100644
--- a/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
@@ -94,6 +94,7 @@ securityContext: runAsUser: 0 runAsGroup: 0 runAsNonRoot: false + seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer }} umcServer: certPemFile: "/var/secrets/ssl/tls.crt"
diff --git a/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
index 5792f806..ae8abc61 100644
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
@@ -66,6 +66,7 @@ containerSecurityContext: runAsUser: 1000 seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakBootstrap }} podAnnotations: intents.otterize.com/service-name: "ums-keycloak-bootstrap"
diff --git a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
index e99d3d8b..4a563952 100644
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
@@ -44,6 +44,7 @@ handler: runAsUser: 1000 runAsGroup: 1000 runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler }} resources: {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }} postgresql:
@@ -88,6 +89,7 @@ proxy: runAsUser: 1000 runAsGroup: 1000 runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy }} resources: {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }} ...
diff --git a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
index 65499eb6..d0948bb0 100644
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
@@ -44,6 +44,7 @@ containerSecurityContext: runAsUser: 1000 runAsGroup: 1000 runAsNonRoot: true + seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak }} podSecurityContext: fsGroup: 1000
diff --git a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
index 8e7f4171..26e127cd 100644
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
@@ -45,6 +45,7 @@ containerSecurityContext: - "ALL" seccompProfile: type: "RuntimeDefault" + seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway }} service: type: "ClusterIP"
diff --git a/helmfile/apps/xwiki/values.yaml.gotmpl b/helmfile/apps/xwiki/values.yaml.gotmpl
index 3fd3df16..c8e63322 100644
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -36,6 +36,7 @@ containerSecurityContext: seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: false + seLinuxOptions: {{ .Values.seLinuxOptions.xwiki }} customConfigs: xwiki.cfg:
diff --git a/helmfile/environments/default/selinux.yaml b/helmfile/environments/default/selinux.yaml
new file mode 100644
index 00000000..085eb6f1
--- /dev/null
+++ b/helmfile/environments/default/selinux.yaml
@@ -0,0 +1,95 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+#
+# Disclaimer:
+# We assume that you are very aware of what you are doing when working wih SELinux settings and that you can easily
+# break the affected components with these settings.
+---
+seLinuxOptions:
+ clamavSimple: ~
+ clamd: ~
+ collabora: ~
+ cryptpad: ~
+ dovecot: ~
+ element: ~
+ freshclam: ~
+ icap: ~
+ intercom: ~
+ # The Jibri Helm chart does not support setting the securityContext externally.
+ #jibri: ~
+ jicofo: ~
+ jitsi: ~
+ jitsiKeycloakAdapter: ~
+ jitsiPatchJVB: ~
+ jvb: ~
+ mariadb: ~
+ matrixNeoBoardWidget: ~
+ matrixNeoChoiceWidget: ~
+ matrixNeoDateFixBot: ~
+ matrixNeoDateFixWidget: ~
+ matrixUserVerificationService: ~
+ memcached: ~
+ milter: ~
+ minio: ~
+ nextcloudApache2: ~
+ nextcloudExporter: ~
+ nextcloudManagement: ~
+ nextcloudPHP: ~
+ opendeskKeycloakBootstrap: ~
+ openproject: ~
+ openprojectBootstrap: ~
+ openprojectInitDb: ~
+ openxchangeBootstrap: ~
+ openxchangeCoreGuidedtours: ~
+ openxchangeCoreMW: ~
+ openxchangeCoreUI: ~
+ openxchangeCoreUIMiddleware: ~
+ openxchangeCoreUserGuide: ~
+ openxchangeDocumentConverter: ~
+ openxchangeGotenberg: ~
+ openxchangeGuardUI: ~
+ openxchangeImageConverter: ~
+ openxchangeNextcloudIntegrationUI: ~
+ openxchangePublicSectorUI: ~
+ oxConnector: ~
+ postfix: ~
+ postgresql: ~
+ prosody: ~
+ redis: ~
+ synapse: ~
+ synapseCreateUser: ~
+ synapseGuestModule: ~
+ synapseWeb: ~
+ umsConfigHtpasswd: ~
+ umsDataLoader: ~
+ umsGuardianAuthorizationApi: ~
+ umsGuardianManagementApi: ~
+ umsGuardianManagementUi: ~
+ umsKeycloak: ~
+ umsKeycloakBootstrap: ~
+ umsKeycloakExtensionHandler: ~
+ umsKeycloakExtensionProxy: ~
+ umsLdapNotifier: ~
+ umsLdapServer: ~
+ umsNotificationsApi: ~
+ umsOpenPolicyAgent: ~
+ umsPortalFrontend: ~
+ umsPortalListener: ~
+ umsPortalServer: ~
+ umsProvisioningDispatcher: ~
+ umsProvisioningEventsAndConsumerApi: ~
+ umsProvisioningNats: ~
+ umsProvisioningNatsBox: ~
+ umsProvisioningNatsReloader: ~
+ umsProvisioningUdmListener: ~
+ umsSelfserviceInvitation: ~
+ umsSelfserviceListener: ~
+ umsStackGateway: ~
+ umsStoreDav: ~
+ umsUdmRestApi: ~
+ umsUmcGateway: ~
+ umsUmcServer: ~
+ umsWaitForDependency: ~
+ wellKnown: ~
+ xwiki: ~
+...
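Review bot: The disclaimer on line 5 of the new helmfile/environments/default/selinux.yaml has a typo ("wih"); the line should read `# We assume that you are very aware of what you are doing when working with SELinux settings and that you can easily`. Ten of the keys (openprojectInitDb, openxchangeBootstrap, openxchangeCoreMW, synapseGuestModule, umsConfigHtpasswd, umsProvisioningNats, umsProvisioningNatsBox, umsProvisioningNatsReloader, umsSelfserviceInvitation, umsWaitForDependency) are not read by any values file in this diff, while the clamav key that values-clamav-distributed.yaml.gotmpl reads is absent; if the ten are consumed elsewhere that is fine, otherwise they are dead defaults that overstate coverage, and openxchangeCoreMW next to openxchangeCoreUIMiddleware looks like a leftover. The jibri comment is the right way to record a component that cannot take the setting, and a one-line header comment stating the shape a non-null value must have — the Kubernetes SELinuxOptions mapping, e.g. `# example (constructed): collabora: {level: "s0:c123,c456"}` — would tell operators what the `~` placeholders expect without a trip to the API reference.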