sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(docs): Add generated security-context.md

Browse Source
This commit is contained in:
Dominik Kaminski
2024-02-11 21:09:31 +01:00
parent 01599022f1
commit d9e07ff7bd
46 changed files with 479 additions and 109 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.gitlab-ci.yml
View File

@@ -8,6 +8,7 @@ include:
- "ci/common/automr.yml"
- "ci/common/lint.yml"
- "ci/release-automation/semantic-release.yml"
- local: "/.gitlab/generate/generate-docs.yml"
- project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
file: "gitlab/environments.yaml"
rules:
@@ -612,7 +613,8 @@ release:
"CHANGELOG.md",
"charts/**/README.md",
"helmfile/environments/default/global.generated.yaml",
".kyverno/kyverno-test.yaml"
".kyverno/kyverno-test.yaml",
"docs"
],
"message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
}]
@@ -622,4 +624,5 @@ release:
- "semantic-release"
needs:
- "generate-release-assets"
- "generate-docs"
...

15
.gitlab/common/common.yml Normal file
View File

@@ -0,0 +1,15 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
variables:
OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.2\
@sha256:7a866a34b82dddea8867862afaaccb1d1e385854ce344fc71be492800a5b16a6"
OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.3\
@sha256:096e649b985dd8e46e9dadff5f7e9c7a8772bf5a1b3df1bb2b4a887716c2ca85"
.common:
cache: {}
needs: []
tags:
- "docker"
...

11
.gitlab/generate/generate-common.yml Normal file
View File

@@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
include:
- local: "/.gitlab/common/common.yml"
.generate-common:
extends: ".common"
stage: ".post"
tags: []
...

20
.gitlab/generate/generate-docs.yml Normal file
View File

@@ -0,0 +1,20 @@
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
include:
- local: "/.gitlab/generate/generate-common.yml"
generate-docs:
cache:
- key: "generate-docs-${CI_COMMIT_REF_SLUG}"
paths:
- "${CI_PROJECT_DIR}/docs"
policy: "push"
extends: ".generate-common"
image: "${OPENDESK_CI_CLI_IMAGE}"
rules:
- if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
when: "on_success"
script:
- "node /app/src/index.js generate-docs -d ${CI_PROJECT_DIR}"
...

12
.gitlab/lint/lint-common.yml
View File

@@ -1,17 +1,11 @@
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
variables:
OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.3.1\
@sha256:7bd1c03b1e443000d7016e37b7a085c400ee1873ad5a62c2e3181ea307b5133d"
OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.3\
@sha256:096e649b985dd8e46e9dadff5f7e9c7a8772bf5a1b3df1bb2b4a887716c2ca85"
include:
- local: "/.gitlab/common/common.yml"
.lint-common:
cache: {}
needs: []
extends: ".common"
stage: "lint"
tags:
- "docker"
...

227
docs/security-context.md Normal file
View File

@@ -0,0 +1,227 @@
<!--
SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->
<h1>Kubernetes Security Context</h1>
* [Container Security Context](#container-security-context)
* [allowPrivilegeEscalation](#allowprivilegeescalation)
* [capabilities](#capabilities)
* [privileged](#privileged)
* [runAsUser](#runasuser)
* [runAsGroup](#runasgroup)
* [seccompProfile](#seccompprofile)
* [readOnlyRootFilesystem](#readonlyrootfilesystem)
* [runAsNonRoot](#runasnonroot)
* [Status quo](#status-quo)
# Container Security Context
The containerSecurityContext is the most important security-related section because it has the highest precedence and restricts the container to its minimal privileges.
## allowPrivilegeEscalation
Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed (Linux only) at any time.
```yaml
containerSecurityContext:
allowPrivilegeEscalation: false
```
## capabilities
Containers must drop ALL capabilities, and are only permitted to add back the `NET_BIND_SERVICE` capability (Linux only).
**Optimal:**
```yaml
containerSecurityContext:
capabilities:
drop:
- "ALL"
```
**Allowed:**
```yaml
containerSecurityContext:
capabilities:
drop:
- "ALL"
add:
- "NET_BIND_SERVICE"
```
## privileged
Privileged Pods disable most security mechanisms and must be disallowed.
```yaml
containerSecurityContext:
privileged: false
```
## runAsUser
Containers should set a user id >= 1000 and never use 0 (root) as user.
```yaml
containerSecurityContext:
runAsUser: 1000
```
## runAsGroup
Containers should set a group id >= 1000 and never use 0 (root) as user.
```yaml
containerSecurityContext:
runAsGroup: 1000
```
## seccompProfile
Seccomp profile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
```yaml
containerSecurityContext:
seccompProfile:
type: "RuntimeDefault"
```
or
```yaml
containerSecurityContext:
seccompProfile:
type: "Localhost"
```
## readOnlyRootFilesystem
Containers should have an immutable file systems, so that attackers could not modify application code or download malicious code.
```yaml
containerSecurityContext:
readOnlyRootFilesystem: true
```
## runAsNonRoot
Containers must be required to run as non-root users.
```yaml
containerSecurityContext:
runAsNonRoot: true
```
# Status quo
openDesk aims to achieve that all security relevant settings are explicitly templated and comply with security recommendations.
The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are also properly templated by the given Helm charts.
This list gives you an overview of templated security settings and if they comply with security standards:
- **yes**: Value is set to `true`
- **no**: Value is set to `false`
- **n/a**: No explicitly templated in openDesk and default is used.
| process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
| ------- | ------ | ------------------------ | ---------- | ---------------------- | ------------ | --------- | ---------- | -------------- | ------------ |
| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT","MKNOD"] |
| **cryptpad**/cryptpad | :x: | no | no | no | yes | 4001 | 4001 | yes | yes |
| **element**/matrix-neoboard-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/matrix-neochoice-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/matrix-neodatefix-bot | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/matrix-neodatefix-bot-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/matrix-neodatefix-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/opendesk-element | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/opendesk-matrix-user-verification-service | :x: | no | no | no | no | 0 | 0 | yes | yes |
| **element**/opendesk-matrix-user-verification-service-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/opendesk-synapse | :white_check_mark: | no | no | yes | yes | 10991 | 10991 | yes | yes |
| **element**/opendesk-synapse-web | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/opendesk-well-known | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **intercom-service**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 1993 | yes | yes |
| **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
| **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no |
| **jitsi**/jitsi/jitsi/jvb | :x: | no | no | no | no | 0 | 0 | yes | no |
| **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no |
| **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no |
| **jitsi**/jitsi/patchJVB | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 65532 | 65532 | yes | yes |
| **nextcloud**/opendesk-nextcloud/apache2 | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
| **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
| **nextcloud**/opendesk-nextcloud/php | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-documentconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-guidedtours | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-imageconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-mw/gotenberg | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-ui-middleware | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-user-guide | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/guard-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/nextcloud-integration-ui | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **provisioning**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **services**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
| **services**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
| **services**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
| **services**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
| **services**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
| **services**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
| **services**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **services**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **services**/minio | :x: | no | no | no | yes | 1000 | 0 | yes | yes |
| **services**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
| **services**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **services**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **univention-management-stack**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-guardian-authorization-api | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-guardian-management-api | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-guardian-management-ui | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-keycloak | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-keycloak-bootstrap | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-keycloak-extensions/handler | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-keycloak-extensions/proxy | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-ldap-notifier | :x: | no | no | no | no | 0 | 0 | yes | yes |
| **univention-management-stack**/ums-ldap-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-notifications-api | :x: | no | no | no | no | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-open-policy-agent | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-portal-frontend | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-portal-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-portal-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-provisioning/dispatcher | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-provisioning/events-and-consumer-api | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-provisioning/udm-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-selfservice-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-stack-data-swp | :x: | no | no | no | no | 0 | 0 | yes | yes |
| **univention-management-stack**/ums-stack-data-ums | :x: | no | no | no | no | 0 | 0 | yes | yes |
| **univention-management-stack**/ums-stack-gateway | :x: | no | no | no | yes | 1001 | 1001 | yes | yes |
| **univention-management-stack**/ums-store-dav | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-udm-rest-api | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-umc-gateway | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-umc-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **xwiki**/xwiki | :x: | no | no | no | yes | 100 | 101 | yes | yes |
This file is auto-generated by [openDesk CI CLI](https://gitlab.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli)

73
docs/security.md
View File

@@ -29,78 +29,7 @@ All charts except the ones mentioned below are verifiable:
This list gives you an overview of default security settings and if they comply with security standards:
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|-----------------------------|-------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
| CryptPad | cryptpad | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| IntercomService | intercom-service | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
| Minio | minio | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| Nextcloud | opendesk-nextcloud-apache2 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
| | opendesk-nextcloud-cron | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
| | opendesk-nextcloud-exporter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
| | opendesk-nextcloud-management | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 65532 | 65532 | 65532 |
| | opendesk-nextcloud-php | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| OpenProject | openproject | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| | opendeskOpenprojectBootstrap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Redis | redis | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 0 | 1001 |
| Univention Management Stack | guardian-authorization-api | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | guardian-management-api | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | guardian-management-ui | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1000 | 1000 | 1000 |
| | keycloak-bootstrap | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1000 | 1000 | 1000 |
| | keycloak-extension-handler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | keycloak-extension-proxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | ldap-notifier | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | ldap-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | notifications-api | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | opendesk-keycloak-bootstrap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| | open-policy-agent | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | portal-frontend | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | portal-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | portal-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | dispatcher | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | events-and-consumer-api | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | udm-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | selfservice-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | stack-gateway | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| | store-dav | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | udm-rest-api | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | umc-gateway | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | umc-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| XWiki | xwiki | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 101 |
| | xwiki initContainers | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
⟶ Visit our generated detailed [Security Context](./security-context.md) overview.
# NetworkPolicies

3
helmfile/apps/cryptpad/values.yaml.gotmpl
View File

@@ -63,9 +63,10 @@ securityContext:
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
# readOnlyRootFilesystem: true
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 4001
runAsGroup: 4001

9
helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
View File

@@ -8,11 +8,10 @@ containerSecurityContext:
- "ALL"
enabled: true
privileged: false
# TODO: the service can't run with read only filesystem or as non-root
# readOnlyRootFilesystem: true
# runAsGroup: 101
# runAsNonRoot: true
# runAsUser: 101
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: "RuntimeDefault"

1
helmfile/apps/element/values-synapse.yaml.gotmpl
View File

@@ -76,6 +76,7 @@ containerSecurityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 10991
runAsGroup: 10991
seccompProfile:
type: "RuntimeDefault"

1
helmfile/apps/intercom-service/values.yaml.gotmpl
View File

@@ -7,6 +7,7 @@ containerSecurityContext:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
seccompProfile:

45
helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
View File

@@ -14,6 +14,7 @@ containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
readOnlyRootFilesystem: true
privileged: false
capabilities:
drop:
- "ALL"
@@ -63,6 +64,14 @@ jitsi:
resources:
{{ .Values.resources.jitsi | toYaml | nindent 6 }}
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: "RuntimeDefault"
prosody:
@@ -102,6 +111,14 @@ jitsi:
size: {{ .Values.persistence.size.prosody | quote }}
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: "RuntimeDefault"
jicofo:
@@ -115,6 +132,14 @@ jitsi:
resources:
{{ .Values.resources.jicofo | toYaml | nindent 6 }}
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: "RuntimeDefault"
jvb:
@@ -129,6 +154,14 @@ jitsi:
service:
type: {{ .Values.cluster.service.type | quote }}
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: "RuntimeDefault"
jibri:
@@ -143,8 +176,9 @@ jitsi:
resources:
{{ .Values.resources.jibri | toYaml | nindent 6 }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
# Chart does not allow to template more
capabilities:
add: ["SYS_ADMIN"]
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
@@ -156,8 +190,15 @@ patchJVB:
loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
image:

1
helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
View File

@@ -80,6 +80,7 @@ containerSecurityContext:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 65532
runAsGroup: 65532
seccompProfile:

3
helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
View File

@@ -18,6 +18,7 @@ exporter:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 65532
runAsGroup: 65532
seccompProfile:
@@ -69,6 +70,7 @@ php:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 65532
runAsGroup: 65532
seccompProfile:
@@ -107,6 +109,7 @@ apache2:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 65532
runAsGroup: 65532
seccompProfile:

35
helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
View File

@@ -32,10 +32,12 @@ nextcloud-integration-ui:
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
privileged: false
seccompProfile:
type: "RuntimeDefault"
@@ -56,10 +58,12 @@ public-sector-ui:
capabilities:
drop:
- "ALL"
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
privileged: false
seccompProfile:
type: "RuntimeDefault"
@@ -121,6 +125,8 @@ appsuite:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1001
runAsGroup: 1001
privileged: false
seccompProfile:
type: "RuntimeDefault"
hooks:
@@ -344,6 +350,7 @@ appsuite:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
privileged: false
seccompProfile:
type: "RuntimeDefault"
@@ -384,6 +391,7 @@ appsuite:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
privileged: false
seccompProfile:
type: "RuntimeDefault"
@@ -400,18 +408,17 @@ appsuite:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }}
repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
podSecurityContext:
resources:
{{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
securityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 987
seccompProfile:
type: "RuntimeDefault"
resources:
{{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
securityContext:
# missing:
# readOnlyRootFilesystem: true
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
privileged: false
capabilities:
drop:
- "ALL"
@@ -455,6 +462,7 @@ appsuite:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
privileged: false
seccompProfile:
type: "RuntimeDefault"
@@ -470,18 +478,17 @@ appsuite:
endpoint: "."
accessKey: "."
secretKey: "."
podSecurityContext:
resources:
{{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
securityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 987
seccompProfile:
type: "RuntimeDefault"
resources:
{{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
securityContext:
# missing:
# readOnlyRootFilesystem: true
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
privileged: false
capabilities:
drop:
- "ALL"
@@ -509,6 +516,7 @@ appsuite:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
privileged: false
seccompProfile:
type: "RuntimeDefault"
@@ -537,6 +545,7 @@ appsuite:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
privileged: false
seccompProfile:
type: "RuntimeDefault"
...

1
helmfile/apps/openproject/values.yaml.gotmpl
View File

@@ -9,6 +9,7 @@ global:
containerSecurityContext:
enabled: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false

4
helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
View File

@@ -79,6 +79,10 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
serviceAccount:
create: true

12
helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
View File

@@ -8,6 +8,7 @@ clamd:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 100
runAsGroup: 101
seccompProfile:
@@ -31,6 +32,14 @@ containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
readOnlyRootFilesystem: true
runAsUser: 0
runAsGroup: 0
seccompProfile:
type: "RuntimeDefault"
runAsNonRoot: false
capabilities:
drop: []
privileged: false
freshclam:
containerSecurityContext:
@@ -39,6 +48,7 @@ freshclam:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 100
runAsGroup: 101
seccompProfile:
@@ -71,6 +81,7 @@ icap:
enabled: true
runAsUser: 100
runAsGroup: 101
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
@@ -97,6 +108,7 @@ milter:
enabled: true
runAsUser: 100
runAsGroup: 101
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true

3
helmfile/apps/services/values-clamav-simple.yaml.gotmpl
View File

@@ -7,10 +7,13 @@ containerSecurityContext:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
global:
imagePullSecrets:

2
helmfile/apps/services/values-memcached.yaml.gotmpl
View File

@@ -7,7 +7,9 @@ containerSecurityContext:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"

2
helmfile/apps/services/values-minio.yaml.gotmpl
View File

@@ -24,7 +24,9 @@ containerSecurityContext:
- "ALL"
privileged: false
runAsUser: 1000
runAsGroup: 0
runAsNonRoot: true
readOnlyRootFilesystem: false
seccompProfile:
type: "RuntimeDefault"

3
helmfile/apps/services/values-postfix.yaml.gotmpl
View File

@@ -14,6 +14,9 @@ containerSecurityContext:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
privileged: true
global:
imagePullSecrets:

1
helmfile/apps/services/values-redis.yaml.gotmpl
View File

@@ -19,6 +19,7 @@ image:
master:
containerSecurityContext:
privileged: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001

4
helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
View File

@@ -51,5 +51,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
...

4
helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
View File

@@ -69,5 +69,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
...

4
helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
View File

@@ -42,5 +42,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
...

5
helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
View File

@@ -22,6 +22,11 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
privileged: false
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
volumes:
claims:

4
helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
View File

@@ -72,6 +72,10 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
service:
type: "ClusterIP"

4
helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
View File

@@ -40,5 +40,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: false
...

4
helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
View File

@@ -42,5 +42,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
...

4
helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
View File

@@ -106,5 +106,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
...

4
helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
View File

@@ -71,5 +71,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
...

4
helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
View File

@@ -46,5 +46,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
...

12
helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
View File

@@ -24,6 +24,10 @@ dispatcher:
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
events-and-consumer-api:
image:
@@ -54,6 +58,10 @@ events-and-consumer-api:
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
udm-listener:
image:
@@ -92,6 +100,10 @@ udm-listener:
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
nats:
global:

4
helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
View File

@@ -69,5 +69,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
...

4
helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
View File

@@ -25,6 +25,10 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"

4
helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
View File

@@ -25,6 +25,10 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
stackDataContext:
idpSamlMetadataUrlInternal: null

4
helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
View File

@@ -49,6 +49,10 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
storeDav:
auth:

4
helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
View File

@@ -47,6 +47,10 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
udmRestApi:
# TODO: Stub value currently

4
helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
View File

@@ -54,5 +54,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
...

4
helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
View File

@@ -90,6 +90,10 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
umcServer:
certPemFile: "/var/secrets/ssl/tls.crt"

1
helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
View File

@@ -60,6 +60,7 @@ containerSecurityContext:
drop:
- "ALL"
readOnlyRootFilesystem: false
privileged: false
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000

2
helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
View File

@@ -40,6 +40,7 @@ handler:
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
@@ -82,6 +83,7 @@ proxy:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
privileged: false
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000

1
helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
View File

@@ -39,6 +39,7 @@ containerSecurityContext:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
privileged: false
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000

1
helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
View File

@@ -35,6 +35,7 @@ podSecurityContext:
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false

13
helmfile/apps/xwiki/values.yaml.gotmpl
View File

@@ -18,9 +18,15 @@ externalDB:
customKeyRef:
enabled: false
securityContext:
enabled: true
fsGroup: 101
containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
privileged: false
runAsUser: 100
runAsGroup: 101
runAsNonRoot: true
@@ -29,6 +35,7 @@ containerSecurityContext:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
customConfigs:
xwiki.cfg:
@@ -158,12 +165,6 @@ replicaCount: {{ .Values.replicas.xwiki }}
resources:
{{ .Values.resources.xwiki | toYaml | nindent 2 }}
securityContext:
enabled: true
fsGroup: 101
seccompProfile:
type: "RuntimeDefault"
service:
externalPort: 80
enabled: true