From b5583caec10c24e3bfb312edcb2800e6a60a9b10 Mon Sep 17 00:00:00 2001
From: Dominik Kaminski
Date: Sun, 10 Sep 2023 15:22:49 +0200
Subject: [PATCH] fix(collabora): Update Ingress annotations and set securityContext

---
 README.md | 39 ++++++-----
 helmfile/apps/collabora/values.gotmpl | 11 +--
 helmfile/apps/collabora/values.yaml | 74 +++++++++++++++++---
 helmfile/environments/default/resources.yaml | 7 ++
 4 files changed, 94 insertions(+), 37 deletions(-)

diff --git a/README.md b/README.md
index 497eee9c..e2152355 100644
--- a/README.md
+++ b/README.md
@@ -311,25 +311,26 @@ actual scalability of the components (see column `Scaling (verified)`). This list gives you an overview of default security settings and if they comply with security standards: -| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup | -|------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:| -| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| Jitsi | jibri | :x: | :white_check_mark: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - | -| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - | -| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | web 
| :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 | -| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | -| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | -| Postfix | postfix | :x: | :white_check_mark: | :x: (`DAC_OVERRIDE`, `FOWNER`, `SETUID`, `SETGID`, `NET_BIND_SERVICE`, `NET_ADMIN`, `NET_RAW`) | :white_check_mark: | :x: | :x: | - | - | 101 | -| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | +| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup | +|------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:| +| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: 
| :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | +| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | +| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | +| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | +| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 | +| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - | +| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | +| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - | +| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | +| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | +| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | +| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 | +| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | +| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | +| | keycloakExtensionProxy | 
:white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | +| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | +| Postfix | postfix | :x: | :white_check_mark: | :x: (`DAC_OVERRIDE`, `FOWNER`, `SETUID`, `SETGID`, `NET_BIND_SERVICE`, `NET_ADMIN`, `NET_RAW`) | :white_check_mark: | :x: | :x: | - | - | 101 | +| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | # Component integration diff --git a/helmfile/apps/collabora/values.gotmpl b/helmfile/apps/collabora/values.gotmpl index 203f397f..12dfb5a4 100644 --- a/helmfile/apps/collabora/values.gotmpl +++ b/helmfile/apps/collabora/values.gotmpl @@ -33,14 +33,9 @@ collabora: aliasgroups: - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443" -{{- if not (eq .Values.cluster.container.engine "containerd") }} -# In case of issues with "Failed to exec command '/usr/bin/loolforkit' (EPERM: Operation not permitted)...", activate: -# Ref.: https://github.com/CollaboraOnline/online/issues/2800 -securityContext: - capabilities: - add: - - "MKNOD" -{{- end }} replicaCount: {{ .Values.replicas.collabora }} + +resources: + {{ .Values.resources.collabora | toYaml | nindent 2 }} ... diff --git a/helmfile/apps/collabora/values.yaml b/helmfile/apps/collabora/values.yaml index c6f0a7a5..b062ca19 100644 --- a/helmfile/apps/collabora/values.yaml +++ b/helmfile/apps/collabora/values.yaml 
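Review bot: Removing the conditional `securityContext` block also drops the only recorded reason MKNOD is granted (the `/usr/bin/loolforkit` EPERM failure and the link to CollaboraOnline/online#2800); the static capability list that replaces it in values.yaml carries no rationale, so a maintainer trying to tighten it later has nothing to go on. Suggest keeping a short comment next to the new `capabilities.add` list, e.g. `# MKNOD and the other added capabilities are needed by the forkit process; see CollaboraOnline/online#2800`. The new `resources:` line renders `.Values.resources.collabora` for every environment, so presumably each environment's values file needs that key (this patch adds it only for `default`) — worth confirming.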
@@ -14,20 +14,74 @@ collabora: ingress: annotations: - # nginx + # Ingress NGINX nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/proxy-read-timeout: "600" + nginx.ingress.kubernetes.io/proxy-send-timeout: "600" + nginx.ingress.kubernetes.io/server-snippet: | + # block admin and metrics endpoint from outside by default + location /cool/getMetrics { deny all; return 403; } + location /cool/adminws/ { deny all; return 403; } + location /browser/dist/admin/admin.html { deny all; return 403; } + # NGINX + nginx.org/websocket-services: "collabora" + nginx.org/lb-method: "hash $arg_WOPISrc consistent" + nginx.org/proxy-read-timeout: "600" + nginx.org/proxy-send-timeout: "600" + nginx.org/client-max-body-size: "0" + nginx.org/server-snippets: | + # block admin and metrics endpoint from outside by default + location /cool/getMetrics { deny all; return 403; } + location /cool/adminws/ { deny all; return 403; } + location /browser/dist/admin/admin.html { deny all; return 403; } # HAProxy haproxy.org/timeout-tunnel: "3600s" haproxy.org/backend-config-snippet: | - mode http - balance leastconn - stick-table type string len 2048 size 1k store conn_cur - http-request set-var(txn.wopisrcconns) url_param(WOPISrc),table_conn_cur() - http-request track-sc1 url_param(WOPISrc) - stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 } - stick store-request url_param(WOPISrc) - nginx.org/websocket-services: "collabora" - nginx.org/lb-method: "hash $arg_WOPISrc consistent" + balance url_param WOPISrc check_post + hash-type consistent + # HAProxy - Community: https://haproxy-ingress.github.io/ + haproxy-ingress.github.io/timeout-tunnel: 3600s + haproxy-ingress.github.io/balance-algorithm: url_param WOPISrc check_post + haproxy-ingress.github.io/config-backend: | + hash-type consistent + # block admin urls from outside + acl admin_url path_beg /cool/getMetrics + acl admin_url 
path_beg /cool/adminws/ + acl admin_url path_beg /browser/dist/admin/admin.html + http-request deny if admin_url autoscaling: enabled: false + +serviceAccount: + create: true + +securityContext: + allowPrivilegeEscalation: true + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 100 + runAsGroup: 101 + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + add: + - "CHOWN" + - "DAC_OVERRIDE" + - "FOWNER" + - "FSETID" + - "KILL" + - "SETGID" + - "SETUID" + - "SETPCAP" + - "NET_BIND_SERVICE" + - "NET_RAW" + - "SYS_CHROOT" + - "MKNOD" + +podSecurityContext: + fsGroup: 100 ... diff --git a/helmfile/environments/default/resources.yaml b/helmfile/environments/default/resources.yaml index 17618543..35c2a397 100644 --- a/helmfile/environments/default/resources.yaml +++ b/helmfile/environments/default/resources.yaml @@ -9,6 +9,13 @@ resources: requests: cpu: 0.1 memory: "2Gi" + collabora: + limits: + cpu: 1 + memory: "500Mi" + requests: + cpu: 0.1 + memory: "16Mi" dovecot: limits: cpu: 0.5
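Review bot: The `haproxy.org/backend-config-snippet` variant is the only one of the four ingress flavours that does not block the admin and metrics endpoints: the ingress-nginx, nginx.org and haproxy-ingress.github.io annotations all deny `/cool/getMetrics`, `/cool/adminws/` and `/browser/dist/admin/admin.html`, so a deployment behind the haproxy.org controller would leave them reachable from outside by default. The `acl admin_url …` / `http-request deny if admin_url` lines already used for haproxy-ingress.github.io can be appended to that snippet, as below. All of these blocks also depend on the controller honouring snippet annotations (ingress-nginx gates them behind the `allow-snippet-annotations` ConfigMap key), so where snippets are disabled the deny silently does not apply; a comment stating that assumption next to the annotations would help. Separately, `podSecurityContext.fsGroup: 100` matches `runAsUser` but not `runAsGroup: 101`, which looks unintended — confirm. The `collabora:` mapping starts before the hunk.
```yaml
      haproxy.org/backend-config-snippet: |
        balance url_param WOPISrc check_post
        hash-type consistent
        # block admin and metrics endpoint from outside by default
        acl admin_url path_beg /cool/getMetrics
        acl admin_url path_beg /cool/adminws/
        acl admin_url path_beg /browser/dist/admin/admin.html
        http-request deny if admin_url
```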
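Review bot: The new `collabora` entry requests `16Mi` of memory against a `500Mi` limit, a roughly 30x gap; the scheduler reserves only the request, so if the pod's steady-state usage is anywhere near the limit the node is over-committed and this pod is among the first evicted under memory pressure. A request closer to measured usage would make placement and eviction behaviour predictable; if `16Mi` is a deliberate placeholder, a comment such as `# TODO: raise request once typical usage is measured` would make that clear. The `resources:` mapping starts before the hunk.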