diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a2008a27..12365da5 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,6 +8,7 @@ include:
 - "ci/common/automr.yml"
 - "ci/common/lint.yml"
 - "ci/release-automation/semantic-release.yml"
+ - local: "/.gitlab/generate/generate-docs.yml"
 - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
 file: "gitlab/environments.yaml"
 rules:
@@ -612,7 +613,8 @@ release:
 "CHANGELOG.md",
 "charts/**/README.md",
 "helmfile/environments/default/global.generated.yaml",
- ".kyverno/kyverno-test.yaml"
+ ".kyverno/kyverno-test.yaml",
+ "docs"
 ],
 "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
 }]
@@ -622,4 +624,5 @@ release:
 - "semantic-release"
 needs:
 - "generate-release-assets"
+ - "generate-docs"
 ...
diff --git a/.gitlab/common/common.yml b/.gitlab/common/common.yml
new file mode 100644
index 00000000..b7b2c284
--- /dev/null
+++ b/.gitlab/common/common.yml
@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+variables:
+ OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.2\
+ @sha256:7a866a34b82dddea8867862afaaccb1d1e385854ce344fc71be492800a5b16a6"
+ OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.3\
+ @sha256:096e649b985dd8e46e9dadff5f7e9c7a8772bf5a1b3df1bb2b4a887716c2ca85"
+
+.common:
+ cache: {}
+ needs: []
+ tags:
+ - "docker"
+...
diff --git a/.gitlab/generate/generate-common.yml b/.gitlab/generate/generate-common.yml
new file mode 100644
index 00000000..a708929d
--- /dev/null
+++ b/.gitlab/generate/generate-common.yml
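Review bot: `needs: - "generate-docs"` in the release hunk, together with the new `"docs"` entry in the release assets, relies on the generated docs directory reaching the release job, but the generate-docs job (generate-docs.yml hunk below) publishes it only through `cache` with `policy: "push"` and declares no `artifacts`. `needs` transfers artifacts; a cache is best-effort, runner-local storage that is not guaranteed to be restored in the dependent job, so the release commit may pick up an empty or stale `docs` tree. Adding `artifacts:` / `paths:` / `- "docs"` to generate-docs gives the release job a deterministic hand-over, and the cache then serves no consumer visible in this diff. The release job's own rules are outside the hunk, so whether it runs under the same `$JOB_RELEASE_ENABLED` / default-branch condition as generate-docs cannot be checked here.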
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+include:
+ - local: "/.gitlab/common/common.yml"
+
+.generate-common:
+ extends: ".common"
+ stage: ".post"
+ tags: []
+...
diff --git a/.gitlab/generate/generate-docs.yml b/.gitlab/generate/generate-docs.yml
new file mode 100644
index 00000000..4ae792e3
--- /dev/null
+++ b/.gitlab/generate/generate-docs.yml
@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+include:
+ - local: "/.gitlab/generate/generate-common.yml"
+
+generate-docs:
+ cache:
+ - key: "generate-docs-${CI_COMMIT_REF_SLUG}"
+ paths:
+ - "${CI_PROJECT_DIR}/docs"
+ policy: "push"
+ extends: ".generate-common"
+ image: "${OPENDESK_CI_CLI_IMAGE}"
+ rules:
+ - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+ when: "on_success"
+ script:
+ - "node /app/src/index.js generate-docs -d ${CI_PROJECT_DIR}"
+...
diff --git a/.gitlab/lint/lint-common.yml b/.gitlab/lint/lint-common.yml
index f956a76b..d1185789 100644
--- a/.gitlab/lint/lint-common.yml
+++ b/.gitlab/lint/lint-common.yml
@@ -1,17 +1,11 @@
 # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-variables:
- OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.3.1\
- @sha256:7bd1c03b1e443000d7016e37b7a085c400ee1873ad5a62c2e3181ea307b5133d"
- OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.3\
- @sha256:096e649b985dd8e46e9dadff5f7e9c7a8772bf5a1b3df1bb2b4a887716c2ca85"
+include:
+ - local: "/.gitlab/common/common.yml"
 .lint-common:
- cache: {}
- needs: []
+ extends: ".common"
 stage: "lint"
- tags:
- - "docker"
 ...
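Review bot: `tags: []` in `.generate-common` cancels the `tags: - "docker"` inherited from `.common` (common.yml hunk above), so `generate-docs`, whose output is later committed to the default branch by the release job, is no longer pinned to the `docker`-tagged runners the lint jobs use. Whether that is intended (for example because the CI CLI image runs on any project runner) is not visible in the diff. If it is, a comment such as `# intentionally untagged: may run on any runner available to the project` would stop the next reader from treating it as an oversight; otherwise drop the override and inherit the tag.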
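Review bot: The removed `OPENDESK_CI_CLI_IMAGE` line in lint-common.yml pinned `opendesk-ci-cli:2.3.1@sha256:7bd1c03b…`, while its replacement in common.yml pins `2.4.2@sha256:7a866a34…`, so the lint jobs silently move to a newer CLI image inside what reads as a pure "extract to common" refactor. The digest pinning itself is good and should stay. The version bump is worth stating explicitly, for instance with a `# bumped from 2.3.1 for generate-docs support` style comment on the variable in common.yml, so the image change is auditable independently of the restructuring.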
diff --git a/docs/security-context.md b/docs/security-context.md new file mode 100644 index 00000000..b458c237 --- /dev/null +++ b/docs/security-context.md @@ -0,0 +1,227 @@ + +

Kubernetes Security Context

+ +* [Container Security Context](#container-security-context) + * [allowPrivilegeEscalation](#allowprivilegeescalation) + * [capabilities](#capabilities) + * [privileged](#privileged) + * [runAsUser](#runasuser) + * [runAsGroup](#runasgroup) + * [seccompProfile](#seccompprofile) + * [readOnlyRootFilesystem](#readonlyrootfilesystem) + * [runAsNonRoot](#runasnonroot) +* [Status quo](#status-quo) + +# Container Security Context + + +The containerSecurityContext is the most important security-related section because it has the highest precedence and restricts the container to its minimal privileges. + +## allowPrivilegeEscalation + + +Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed (Linux only) at any time. + +```yaml +containerSecurityContext: + allowPrivilegeEscalation: false +``` + +## capabilities + + +Containers must drop ALL capabilities, and are only permitted to add back the `NET_BIND_SERVICE` capability (Linux only). + + +**Optimal:** + +```yaml +containerSecurityContext: + capabilities: + drop: + - "ALL" +``` + + +**Allowed:** + +```yaml +containerSecurityContext: + capabilities: + drop: + - "ALL" + add: + - "NET_BIND_SERVICE" +``` + +## privileged + + +Privileged Pods disable most security mechanisms and must be disallowed. + +```yaml +containerSecurityContext: + privileged: false +``` + +## runAsUser + + +Containers should set a user id >= 1000 and never use 0 (root) as user. + +```yaml +containerSecurityContext: + runAsUser: 1000 +``` + +## runAsGroup + + +Containers should set a group id >= 1000 and never use 0 (root) as user. + +```yaml +containerSecurityContext: + runAsGroup: 1000 +``` + +## seccompProfile + + +Seccomp profile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited. 
+ +```yaml +containerSecurityContext: + seccompProfile: + type: "RuntimeDefault" +``` + + +or + +```yaml +containerSecurityContext: + seccompProfile: + type: "Localhost" +``` + +## readOnlyRootFilesystem + + +Containers should have an immutable file systems, so that attackers could not modify application code or download malicious code. + +```yaml +containerSecurityContext: + readOnlyRootFilesystem: true +``` + +## runAsNonRoot + + +Containers must be required to run as non-root users. + +```yaml +containerSecurityContext: + runAsNonRoot: true +``` + +# Status quo + + +openDesk aims to achieve that all security relevant settings are explicitly templated and comply with security recommendations. + + +The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are also properly templated by the given Helm charts. + + +This list gives you an overview of templated security settings and if they comply with security standards: + + + - **yes**: Value is set to `true` + - **no**: Value is set to `false` + - **n/a**: No explicitly templated in openDesk and default is used. 
+ +| process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities | +| ------- | ------ | ------------------------ | ---------- | ---------------------- | ------------ | --------- | ---------- | -------------- | ------------ | +| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT","MKNOD"] | +| **cryptpad**/cryptpad | :x: | no | no | no | yes | 4001 | 4001 | yes | yes | +| **element**/matrix-neoboard-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes | +| **element**/matrix-neochoice-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes | +| **element**/matrix-neodatefix-bot | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes | +| **element**/matrix-neodatefix-bot-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes | +| **element**/matrix-neodatefix-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes | +| **element**/opendesk-element | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes | +| **element**/opendesk-matrix-user-verification-service | :x: | no | no | no | no | 0 | 0 | yes | yes | +| **element**/opendesk-matrix-user-verification-service-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes | +| **element**/opendesk-synapse | :white_check_mark: | no | no | yes | yes | 10991 | 10991 | yes | yes | +| **element**/opendesk-synapse-web | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes | +| **element**/opendesk-well-known | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes | +| **intercom-service**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes | +| **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 
1993 | yes | yes | +| **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] | +| **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no | +| **jitsi**/jitsi/jitsi/jvb | :x: | no | no | no | no | 0 | 0 | yes | no | +| **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no | +| **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no | +| **jitsi**/jitsi/patchJVB | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes | +| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 65532 | 65532 | yes | yes | +| **nextcloud**/opendesk-nextcloud/apache2 | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes | +| **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes | +| **nextcloud**/opendesk-nextcloud/php | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes | +| **open-xchange**/open-xchange/appsuite/core-documentconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes | +| **open-xchange**/open-xchange/appsuite/core-guidedtours | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes | +| **open-xchange**/open-xchange/appsuite/core-imageconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes | +| **open-xchange**/open-xchange/appsuite/core-mw/gotenberg | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes | +| **open-xchange**/open-xchange/appsuite/core-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes | +| **open-xchange**/open-xchange/appsuite/core-ui-middleware | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes | +| **open-xchange**/open-xchange/appsuite/core-user-guide | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes | +| **open-xchange**/open-xchange/appsuite/guard-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes | +| 
**open-xchange**/open-xchange/nextcloud-integration-ui | :x: | no | no | no | yes | 1000 | 1000 | yes | yes | +| **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes | +| **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes | +| **openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes | +| **provisioning**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] | +| **services**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no | +| **services**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes | +| **services**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes | +| **services**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes | +| **services**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes | +| **services**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes | +| **services**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes | +| **services**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes | +| **services**/minio | :x: | no | no | no | yes | 1000 | 0 | yes | yes | +| **services**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no | +| **services**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes | +| **services**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes | +| **univention-management-stack**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes | +| **univention-management-stack**/ums-guardian-authorization-api | :x: | no | no | no | yes | 
1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] | +| **univention-management-stack**/ums-guardian-management-api | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] | +| **univention-management-stack**/ums-guardian-management-ui | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] | +| **univention-management-stack**/ums-keycloak | :x: | no | no | no | yes | 1000 | 1000 | yes | yes | +| **univention-management-stack**/ums-keycloak-bootstrap | :x: | no | no | no | yes | 1000 | 1000 | yes | yes | +| **univention-management-stack**/ums-keycloak-extensions/handler | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes | +| **univention-management-stack**/ums-keycloak-extensions/proxy | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes | +| **univention-management-stack**/ums-ldap-notifier | :x: | no | no | no | no | 0 | 0 | yes | yes | +| **univention-management-stack**/ums-ldap-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] | +| **univention-management-stack**/ums-notifications-api | :x: | no | no | no | no | 1000 | 1000 | yes | yes | +| **univention-management-stack**/ums-open-policy-agent | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] | +| **univention-management-stack**/ums-portal-frontend | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] | +| 
**univention-management-stack**/ums-portal-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] | +| **univention-management-stack**/ums-portal-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] | +| **univention-management-stack**/ums-provisioning/dispatcher | :x: | no | no | no | yes | 1000 | 1000 | yes | yes | +| **univention-management-stack**/ums-provisioning/events-and-consumer-api | :x: | no | no | no | yes | 1000 | 1000 | yes | yes | +| **univention-management-stack**/ums-provisioning/udm-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] | +| **univention-management-stack**/ums-selfservice-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] | +| **univention-management-stack**/ums-stack-data-swp | :x: | no | no | no | no | 0 | 0 | yes | yes | +| **univention-management-stack**/ums-stack-data-ums | :x: | no | no | no | no | 0 | 0 | yes | yes | +| **univention-management-stack**/ums-stack-gateway | :x: | no | no | no | yes | 1001 | 1001 | yes | yes | +| **univention-management-stack**/ums-store-dav | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] | +| **univention-management-stack**/ums-udm-rest-api | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] | +| **univention-management-stack**/ums-umc-gateway | :x: | no | no | no | no | 0 | 0 | yes | no 
["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] | +| **univention-management-stack**/ums-umc-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] | +| **xwiki**/xwiki | :x: | no | no | no | yes | 100 | 101 | yes | yes | + + +This file is auto-generated by [openDesk CI CLI](https://gitlab.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli) diff --git a/docs/security.md b/docs/security.md index 5198bd45..67266415 100644 --- a/docs/security.md +++ b/docs/security.md 
@@ -29,78 +29,7 @@ All charts except the ones mentioned below are verifiable: This list gives you an overview of default security settings and if they comply with security standards: - -| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup | -|-----------------------------|-------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:| -| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | -| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 | -| CryptPad | cryptpad | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 | -| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: 
| :white_check_mark: | :x: | - | - | 1000 | -| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | -| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 | -| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | -| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | -| IntercomService | intercom-service | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 | -| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - | -| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - | -| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | -| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 | -| Minio | minio | :white_check_mark: | :white_check_mark: | :white_check_mark: | 
:white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 | -| Nextcloud | opendesk-nextcloud-apache2 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 | -| | opendesk-nextcloud-cron | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 | -| | opendesk-nextcloud-exporter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 | -| | opendesk-nextcloud-management | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 65532 | 65532 | 65532 | -| | opendesk-nextcloud-php | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 | -| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - | -| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - | -| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - | -| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 
:white_check_mark: | 1000 | 1000 | - | -| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| OpenProject | openproject | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 | -| | opendeskOpenprojectBootstrap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 | -| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 | -| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | -| Redis | redis | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 0 | 1001 | -| Univention Management Stack | guardian-authorization-api | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - | -| | guardian-management-api | :x: | :white_check_mark: | :x: (`CHOWN`, 
`DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - | -| | guardian-management-ui | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - | -| | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1000 | 1000 | 1000 | -| | keycloak-bootstrap | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1000 | 1000 | 1000 | -| | keycloak-extension-handler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| | keycloak-extension-proxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - | -| | ldap-notifier | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | ldap-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - | -| | notifications-api | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | opendesk-keycloak-bootstrap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 | -| | open-policy-agent | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - | -| | portal-frontend | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, 
`FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - | -| | portal-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - | -| | portal-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - | -| | dispatcher | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | events-and-consumer-api | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - | -| | udm-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - | -| | selfservice-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - | -| | stack-gateway | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 | -| | store-dav | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - | -| | udm-rest-api | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - | -| | umc-gateway | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, 
`FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
-| | umc-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
-| XWiki | xwiki | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 101 |
-| | xwiki initContainers | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
+⟶ Visit our generated detailed [Security Context](./security-context.md) overview.
 # NetworkPolicies
diff --git a/helmfile/apps/cryptpad/values.yaml.gotmpl b/helmfile/apps/cryptpad/values.yaml.gotmpl
index 138f5b36..4f2f014e 100644
--- a/helmfile/apps/cryptpad/values.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -63,9 +63,10 @@ securityContext:
 capabilities:
 drop:
 - "ALL"
+ privileged: false
 seccompProfile:
 type: "RuntimeDefault"
- # readOnlyRootFilesystem: true
+ readOnlyRootFilesystem: false
 runAsNonRoot: true
 runAsUser: 4001
 runAsGroup: 4001
diff --git a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
index a13fb9c1..d4e7ac2f 100644
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -8,11 +8,10 @@ containerSecurityContext:
 - "ALL"
 enabled: true
 privileged: false
- # TODO: the service can't run with read only filesystem or as non-root
- # readOnlyRootFilesystem: true
- # runAsGroup: 101
- # runAsNonRoot: true
- # runAsUser: 101
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
 seccompProfile:
 type: "RuntimeDefault"
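Review bot: `readOnlyRootFilesystem: false` in the cryptpad hunk replaces the commented-out `# readOnlyRootFilesystem: true` without a note on why CryptPad cannot run on a read-only root filesystem, so the relaxed setting now reads as a deliberate final state rather than a known gap. The element matrix-user-verification-service hunk below does the same and additionally deletes the `# TODO: the service can't run with read only filesystem or as non-root` line while making `runAsUser: 0` / `runAsGroup: 0` / `runAsNonRoot: false` explicit, so the only recorded rationale for running that container as root is lost. Making the status quo explicit is the right direction (it is what the generated security-context.md table reports); keep a one-line comment above each relaxed key, e.g. `# TODO: needs a writable rootfs; tracked in <tracking-issue placeholder>`, so the exceptions stay visible to Kyverno policy reviewers and get revisited.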
diff --git a/helmfile/apps/element/values-synapse.yaml.gotmpl b/helmfile/apps/element/values-synapse.yaml.gotmpl
index 0c7394fb..40a3d02f 100644
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -76,6 +76,7 @@ containerSecurityContext:
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 10991
+ runAsGroup: 10991
 seccompProfile:
 type: "RuntimeDefault"
diff --git a/helmfile/apps/intercom-service/values.yaml.gotmpl b/helmfile/apps/intercom-service/values.yaml.gotmpl
index a721ed65..67624896 100644
--- a/helmfile/apps/intercom-service/values.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -7,6 +7,7 @@ containerSecurityContext:
 drop:
 - "ALL"
 enabled: true
+ privileged: false
 runAsUser: 1000
 runAsGroup: 1000
 seccompProfile:
diff --git a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
index cd24b31f..8a64dc92 100644
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -14,6 +14,7 @@ containerSecurityContext:
 allowPrivilegeEscalation: false
 enabled: true
 readOnlyRootFilesystem: true
+ privileged: false
 capabilities:
 drop:
 - "ALL"
@@ -63,6 +64,14 @@ jitsi:
 resources:
 {{ .Values.resources.jitsi | toYaml | nindent 6 }}
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ enabled: true
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
 seccompProfile:
 type: "RuntimeDefault"
 prosody:
@@ -102,6 +111,14 @@ jitsi:
 size: {{ .Values.persistence.size.prosody | quote }}
 storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ enabled: true
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
 seccompProfile:
 type: "RuntimeDefault"
 jicofo:
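Review bot: `capabilities: {}` in the web `securityContext` hunk restricts nothing: an empty mapping drops no capability, and combined with the explicit `runAsUser: 0` / `runAsNonRoot: false` in the same block the container keeps the full default root capability set. The prosody hunk below and the jicofo and jvb hunks that follow repeat the identical block. If the chart passes the object through, `capabilities:` / `drop:` / `- "ALL"` (as already used for `containerSecurityContext` at the top of this file and for `patchJVB`) is the safer default; if these images genuinely need capabilities, listing them under `add:` with a comment documents the exception instead of hiding it behind `{}`. Running as uid 0 with `allowPrivilegeEscalation: false` is still root inside the container, so that comment should also record why non-root is not possible here.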
@@ -115,6 +132,14 @@ jitsi: resources: {{ .Values.resources.jicofo | toYaml | nindent 6 }} securityContext: + allowPrivilegeEscalation: false + capabilities: {} + enabled: true + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 seccompProfile: type: "RuntimeDefault" jvb: @@ -129,6 +154,14 @@ jitsi: service: type: {{ .Values.cluster.service.type | quote }} securityContext: + allowPrivilegeEscalation: false + capabilities: {} + enabled: true + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 seccompProfile: type: "RuntimeDefault" jibri: @@ -143,8 +176,9 @@ jitsi: resources: {{ .Values.resources.jibri | toYaml | nindent 6 }} securityContext: - seccompProfile: - type: "RuntimeDefault" + # Chart does not allow to template more + capabilities: + add: ["SYS_ADMIN"] imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . | quote }} @@ -156,8 +190,15 @@ patchJVB: loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }} containerSecurityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" enabled: true + privileged: false readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true seccompProfile: type: "RuntimeDefault" image: diff --git a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl index 480e0f94..b50f9bb1 100644 --- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl +++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl @@ -80,6 +80,7 @@ containerSecurityContext: drop: - "ALL" enabled: true + privileged: false runAsUser: 65532 runAsGroup: 65532 seccompProfile: diff --git a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl index 1ea80bea..d5cac32e 100644 --- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl 
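Review bot: In the jibri hunk (`@@ -143`) `seccompProfile: RuntimeDefault` is removed in the same edit that adds `SYS_ADMIN`, so jibri ends up with the broadest single capability and no syscall filter, and the `# Chart does not allow to template more` comment does not say which of the two the chart limitation actually forces. Worth confirming from the rendered manifest whether the chart applies a seccomp profile on its own and whether a pod-level security context is available to carry it; if not, record that in the comment, e.g. `# Chart renders only capabilities here: SYS_ADMIN is needed for <reason — TODO>; seccompProfile cannot be set alongside it (<ISSUE-PLACEHOLDER>)`. A capability this broad also deserves an entry wherever the project tracks policy exceptions. The jibri mapping starts outside the hunk.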
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl @@ -18,6 +18,7 @@ exporter: drop: - "ALL" enabled: true + privileged: false runAsUser: 65532 runAsGroup: 65532 seccompProfile: @@ -69,6 +70,7 @@ php: drop: - "ALL" enabled: true + privileged: false runAsUser: 65532 runAsGroup: 65532 seccompProfile: @@ -107,6 +109,7 @@ apache2: drop: - "ALL" enabled: true + privileged: false runAsUser: 65532 runAsGroup: 65532 seccompProfile: diff --git a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl index 3c125b25..e2e8a36c 100644 --- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl @@ -32,10 +32,12 @@ nextcloud-integration-ui: capabilities: drop: - "ALL" - readOnlyRootFilesystem: true + privileged: false + readOnlyRootFilesystem: false runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 + privileged: false seccompProfile: type: "RuntimeDefault" @@ -56,10 +58,12 @@ public-sector-ui: capabilities: drop: - "ALL" + privileged: false readOnlyRootFilesystem: true runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 + privileged: false seccompProfile: type: "RuntimeDefault" @@ -121,6 +125,8 @@ appsuite: readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1001 + runAsGroup: 1001 + privileged: false seccompProfile: type: "RuntimeDefault" hooks: @@ -344,6 +350,7 @@ appsuite: runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 + privileged: false seccompProfile: type: "RuntimeDefault" @@ -384,6 +391,7 @@ appsuite: runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 + privileged: false seccompProfile: type: "RuntimeDefault" 
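Review bot: `privileged: false` is added twice to the nextcloud-integration-ui mapping in the `@@ -32` hunk (once before `readOnlyRootFilesystem`, once after `runAsUser`), and the public-sector-ui hunk (`@@ -56`) repeats the pattern; mapping keys must be unique, most loaders silently keep the last occurrence, and yamllint's key-duplicates rule rejects the file. Drop the second `privileged: false` in both hunks. Separately, nextcloud-integration-ui's `readOnlyRootFilesystem` goes from `true` to `false` with no stated reason; a comment such as `# readOnlyRootFilesystem: false — <reason — TODO fill in>` keeps that regression reviewable. Both mappings start outside their hunks.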
@@ -400,18 +408,17 @@ appsuite: registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }} repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }} tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }} - podSecurityContext: + resources: + {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }} + securityContext: runAsGroup: 1000 runAsNonRoot: true runAsUser: 987 seccompProfile: type: "RuntimeDefault" - resources: - {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }} - securityContext: - # missing: - # readOnlyRootFilesystem: true + readOnlyRootFilesystem: false allowPrivilegeEscalation: false + privileged: false capabilities: drop: - "ALL" @@ -455,6 +462,7 @@ appsuite: runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 + privileged: false seccompProfile: type: "RuntimeDefault" @@ -470,18 +478,17 @@ appsuite: endpoint: "." accessKey: "." secretKey: "." - podSecurityContext: + resources: + {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }} + securityContext: runAsGroup: 1000 runAsNonRoot: true runAsUser: 987 seccompProfile: type: "RuntimeDefault" - resources: - {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }} - securityContext: - # missing: - # readOnlyRootFilesystem: true + readOnlyRootFilesystem: false allowPrivilegeEscalation: false + privileged: false capabilities: drop: - "ALL" @@ -509,6 +516,7 @@ appsuite: runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 + privileged: false seccompProfile: type: "RuntimeDefault" @@ -537,6 +545,7 @@ appsuite: runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 + privileged: false seccompProfile: type: "RuntimeDefault" ... diff --git a/helmfile/apps/openproject/values.yaml.gotmpl b/helmfile/apps/openproject/values.yaml.gotmpl index a1da2b51..b90d1bb1 100644 --- a/helmfile/apps/openproject/values.yaml.gotmpl 
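Review bot: Removing `podSecurityContext` and moving its `runAsUser` / `runAsGroup` / `runAsNonRoot` / `seccompProfile` under the container `securityContext` in the document converter hunk (`@@ -400`) changes scope: a pod-level context covers every container in the pod (init containers, sidecars), while the container-level one only covers the container the chart attaches it to; the image converter hunk (`@@ -470`) makes the same move. Whether the chart propagates these values to all containers is not visible here, so the rendered manifest is worth checking before the pod-level block is dropped. If dropping it is deliberate, a one-line comment saying so would prevent someone re-adding it; otherwise keep both blocks. The `# missing: readOnlyRootFilesystem: true` marker was also the only record of the hardening gap, so a similar note should accompany the explicit `readOnlyRootFilesystem: false`. The appsuite mapping starts outside the hunk.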
+++ b/helmfile/apps/openproject/values.yaml.gotmpl @@ -9,6 +9,7 @@ global: containerSecurityContext: enabled: true + privileged: false runAsUser: 1000 runAsGroup: 1000 allowPrivilegeEscalation: false diff --git a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl index 3c531a3f..5a0e04c5 100644 --- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl +++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl @@ -79,6 +79,10 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false serviceAccount: create: true diff --git a/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl b/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl index 2ba55b4d..c82f43a2 100644 --- a/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl +++ b/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl @@ -8,6 +8,7 @@ clamd: drop: - "ALL" enabled: true + privileged: false runAsUser: 100 runAsGroup: 101 seccompProfile: @@ -31,6 +32,14 @@ containerSecurityContext: allowPrivilegeEscalation: false enabled: true readOnlyRootFilesystem: true + runAsUser: 0 + runAsGroup: 0 + seccompProfile: + type: "RuntimeDefault" + runAsNonRoot: false + capabilities: + drop: [] + privileged: false freshclam: containerSecurityContext: @@ -39,6 +48,7 @@ freshclam: drop: - "ALL" enabled: true + privileged: false runAsUser: 100 runAsGroup: 101 seccompProfile: @@ -71,6 +81,7 @@ icap: enabled: true runAsUser: 100 runAsGroup: 101 + privileged: false seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true @@ -97,6 +108,7 @@ milter: enabled: true runAsUser: 100 runAsGroup: 101 + privileged: false seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true 
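Review bot: In the clamav-distributed `@@ -31` hunk, `capabilities: drop: []` together with `runAsUser: 0` / `runAsNonRoot: false` gives this container root with the runtime's full default capability set, while every sibling in the same file (clamd, freshclam, icap, milter) drops ALL and runs as 100/101. Which workload this top-level `containerSecurityContext` feeds is not visible in the hunk; if it genuinely needs root, keep `drop: ["ALL"]` and list the specific capabilities under `add:`, with a comment naming the reason. Also, the key order (`seccompProfile` and `capabilities` interleaved with `runAs*`) differs from the rest of the file; matching the sibling blocks makes the exception easier to spot in a diff. The containerSecurityContext mapping starts outside the hunk.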
diff --git a/helmfile/apps/services/values-clamav-simple.yaml.gotmpl b/helmfile/apps/services/values-clamav-simple.yaml.gotmpl index 22998bde..b2a69fff 100644 --- a/helmfile/apps/services/values-clamav-simple.yaml.gotmpl +++ b/helmfile/apps/services/values-clamav-simple.yaml.gotmpl @@ -7,10 +7,13 @@ containerSecurityContext: drop: - "ALL" enabled: true + privileged: false runAsUser: 100 runAsGroup: 101 seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: true + runAsNonRoot: true global: imagePullSecrets: diff --git a/helmfile/apps/services/values-memcached.yaml.gotmpl b/helmfile/apps/services/values-memcached.yaml.gotmpl index dc095440..a9f10c31 100644 --- a/helmfile/apps/services/values-memcached.yaml.gotmpl +++ b/helmfile/apps/services/values-memcached.yaml.gotmpl @@ -7,7 +7,9 @@ containerSecurityContext: drop: - "ALL" enabled: true + privileged: false runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true seccompProfile: type: "RuntimeDefault" diff --git a/helmfile/apps/services/values-minio.yaml.gotmpl b/helmfile/apps/services/values-minio.yaml.gotmpl index f92b2dce..65f0f887 100644 --- a/helmfile/apps/services/values-minio.yaml.gotmpl +++ b/helmfile/apps/services/values-minio.yaml.gotmpl @@ -24,7 +24,9 @@ containerSecurityContext: - "ALL" privileged: false runAsUser: 1000 + runAsGroup: 0 runAsNonRoot: true + readOnlyRootFilesystem: false seccompProfile: type: "RuntimeDefault" diff --git a/helmfile/apps/services/values-postfix.yaml.gotmpl b/helmfile/apps/services/values-postfix.yaml.gotmpl index 5fe458e0..aa13e838 100644 --- a/helmfile/apps/services/values-postfix.yaml.gotmpl +++ b/helmfile/apps/services/values-postfix.yaml.gotmpl @@ -14,6 +14,9 @@ containerSecurityContext: type: "RuntimeDefault" readOnlyRootFilesystem: false runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + privileged: true global: imagePullSecrets: 
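Review bot: In the minio hunk, `runAsGroup: 0` gives a process running as uid 1000 the root group as its primary group, which `runAsNonRoot: true` does not guard against (it only checks the uid). If the image relies on gid-0 group permissions on its data directories, as some images built for arbitrary-uid execution do, a comment saying so would stop a later "fix" to a dedicated gid from breaking it; otherwise use the image's own gid. The ums-stack-gateway hunk on the line with the keycloak changes does the same with uid 1001. The containerSecurityContext mapping starts outside the hunk.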
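Review bot: `privileged: true` in the postfix hunk grants the container every capability and access to host devices, and runtimes generally apply no seccomp filter to privileged containers, so the `seccompProfile: RuntimeDefault` context line just above is most likely ineffective. The hunk does not say what postfix needs this for; if it is binding a low port or the uid/gid switching between postfix's daemons, those are individual capabilities that can be granted under `capabilities: add:` with `privileged: false`, and the difference between that and a privileged container is large. At minimum the line needs a comment with the reason and a tracking reference, e.g. `# privileged: true — <reason — TODO fill in>; replace with capabilities.add once identified (<ISSUE-PLACEHOLDER>)`. The containerSecurityContext mapping starts outside the hunk.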
diff --git a/helmfile/apps/services/values-redis.yaml.gotmpl b/helmfile/apps/services/values-redis.yaml.gotmpl index 36d5a498..5848cadf 100644 --- a/helmfile/apps/services/values-redis.yaml.gotmpl +++ b/helmfile/apps/services/values-redis.yaml.gotmpl @@ -19,6 +19,7 @@ image: master: containerSecurityContext: + privileged: false readOnlyRootFilesystem: true runAsUser: 1001 runAsGroup: 1001 diff --git a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl index 22b0d861..f1ec4ce5 100644 --- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl @@ -51,5 +51,9 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + readOnlyRootFilesystem: false ... diff --git a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl index a6b2c70f..987890a0 100644 --- a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl @@ -69,5 +69,9 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + readOnlyRootFilesystem: false ... diff --git a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl index bfe560c9..cc5a9a5f 100644 --- a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl 
@@ -42,5 +42,9 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false ... diff --git a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl index 74827c07..2f85cfe2 100644 --- a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl @@ -22,6 +22,11 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + privileged: false + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false volumes: claims: diff --git a/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl index d51c3ecd..23876e15 100644 --- a/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl @@ -72,6 +72,10 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false service: type: "ClusterIP" diff --git a/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl index 4a89f7d2..c8777c0f 100644 --- a/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl @@ -40,5 +40,9 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: false ... 
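Review bot: The ldap-notifier hunk adds `privileged: false` into a `securityContext` mapping whose first context line already contains `privileged: false`, producing a duplicate key; loaders typically keep the last value silently and yamllint rejects it. Drop the added `privileged: false` and keep the four `runAs*` / `readOnlyRootFilesystem` lines. The securityContext mapping starts outside the hunk.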
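Review bot: The notifications-api hunk pairs `runAsUser: 1000` with `runAsNonRoot: false`, while every other hunk in this commit that assigns uid 1000 sets `runAsNonRoot: true` (guardian-authorization-api, guardian-management-api, open-policy-agent, the provisioning dispatcher and events-and-consumer-api). `runAsNonRoot: true` is the guard that makes the kubelet refuse to start the container if it would run as uid 0, so `false` here removes that check without any gain when the uid is already non-root. Change it to `runAsNonRoot: true`, or if the service really executes something as root, say so in a comment. The securityContext mapping starts outside the hunk.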
diff --git a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl index f962d241..64085de2 100644 --- a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl @@ -42,5 +42,9 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true ... diff --git a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl index 103aff73..3fcd559e 100644 --- a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl @@ -106,5 +106,9 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false ... diff --git a/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl index 0abbf333..b5fd54e9 100644 --- a/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl @@ -71,5 +71,9 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false ... diff --git a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl index 8df1b95b..fe093d45 100644 --- a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl 
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl @@ -46,5 +46,9 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false ... diff --git a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl index 065f8916..f1ae172c 100644 --- a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl @@ -24,6 +24,10 @@ dispatcher: privileged: false seccompProfile: type: "RuntimeDefault" + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + readOnlyRootFilesystem: false events-and-consumer-api: image: @@ -54,6 +58,10 @@ events-and-consumer-api: privileged: false seccompProfile: type: "RuntimeDefault" + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + readOnlyRootFilesystem: false udm-listener: image: @@ -92,6 +100,10 @@ udm-listener: privileged: false seccompProfile: type: "RuntimeDefault" + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false nats: global: diff --git a/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl index e6132068..a8050665 100644 --- a/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl @@ -69,5 +69,9 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false ... diff --git a/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl index f375a1b5..81760a4a 100644 
--- a/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl @@ -25,6 +25,10 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false stackDataContext: ldapBase: "dc=swp-ldap,dc=internal" diff --git a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl index a60958fa..7d111150 100644 --- a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl @@ -25,6 +25,10 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false stackDataContext: idpSamlMetadataUrlInternal: null diff --git a/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl index 9518f339..85b749e6 100644 --- a/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl @@ -49,6 +49,10 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false storeDav: auth: diff --git a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl index 4893a6b0..f650d68c 100644 --- a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl 
@@ -47,6 +47,10 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false udmRestApi: # TODO: Stub value currently diff --git a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl index dc8db89e..a8547eb9 100644 --- a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl @@ -54,5 +54,9 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false ... diff --git a/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl index 65e7ecd0..25bb5c5f 100644 --- a/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl @@ -90,6 +90,10 @@ securityContext: privileged: false seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false umcServer: certPemFile: "/var/secrets/ssl/tls.crt" diff --git a/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl index 9f3e61f6..5792f806 100644 --- a/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl @@ -60,6 +60,7 @@ containerSecurityContext: drop: - "ALL" readOnlyRootFilesystem: false + privileged: false runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 
diff --git a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl index 0436c7d9..e99d3d8b 100644 --- a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl @@ -40,6 +40,7 @@ handler: seccompProfile: type: "RuntimeDefault" readOnlyRootFilesystem: true + privileged: false runAsUser: 1000 runAsGroup: 1000 runAsNonRoot: true @@ -82,6 +83,7 @@ proxy: - "ALL" seccompProfile: type: "RuntimeDefault" + privileged: false readOnlyRootFilesystem: true runAsUser: 1000 runAsGroup: 1000 diff --git a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl index 9fd1055d..65499eb6 100644 --- a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl @@ -39,6 +39,7 @@ containerSecurityContext: - "ALL" seccompProfile: type: "RuntimeDefault" + privileged: false readOnlyRootFilesystem: false runAsUser: 1000 runAsGroup: 1000 diff --git a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl index 2e7264a7..8e7f4171 100644 --- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl +++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl @@ -35,6 +35,7 @@ podSecurityContext: containerSecurityContext: enabled: true runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false diff --git a/helmfile/apps/xwiki/values.yaml.gotmpl b/helmfile/apps/xwiki/values.yaml.gotmpl index 80ff0061..116e9b8a 100644 --- a/helmfile/apps/xwiki/values.yaml.gotmpl 
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl @@ -18,9 +18,15 @@ externalDB: customKeyRef: enabled: false + +securityContext: + enabled: true + fsGroup: 101 + containerSecurityContext: allowPrivilegeEscalation: false enabled: true + privileged: false runAsUser: 100 runAsGroup: 101 runAsNonRoot: true @@ -29,6 +35,7 @@ containerSecurityContext: - "ALL" seccompProfile: type: "RuntimeDefault" + readOnlyRootFilesystem: false customConfigs: xwiki.cfg: @@ -158,12 +165,6 @@ replicaCount: {{ .Values.replicas.xwiki }} resources: {{ .Values.resources.xwiki | toYaml | nindent 2 }} -securityContext: - enabled: true - fsGroup: 101 - seccompProfile: - type: "RuntimeDefault" - service: externalPort: 80 enabled: true
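Review bot: The pod-level `seccompProfile: RuntimeDefault` is lost in the move: the block deleted in the `@@ -158` hunk carried `enabled`, `fsGroup` and `seccompProfile`, but the `securityContext` re-added in the `@@ -18` hunk only carries `enabled: true` and `fsGroup: 101`. The container-level profile still exists under `containerSecurityContext`, but a pod-level profile is what covers init containers and any sidecar the chart adds, so unless the drop is intentional, add `seccompProfile:` / `  type: "RuntimeDefault"` under the new block. If it is intentional, a comment on the new block explaining why would prevent it from being re-added. Both hunks touch mappings that start outside the hunk.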