fix(docs): Add generated security-context.md

Dominik Kaminski
2024-02-11 21:09:31 +01:00
parent 01599022f1
commit d9e07ff7bd
46 changed files with 479 additions and 109 deletions


@@ -63,9 +63,10 @@ securityContext:
capabilities:
drop:
- "ALL"
privileged: false
seccompProfile:
type: "RuntimeDefault"
# readOnlyRootFilesystem: true
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 4001
runAsGroup: 4001
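Review bot: The relaxation to `readOnlyRootFilesystem: false` in this securityContext keeps the intended value only as a commented-out line, so nothing records why the container needs a writable root filesystem or when it can be re-enabled. The `containerSecurityContext` hunk later in this commit pairs the same relaxation with a `# TODO: the service can't run with read only filesystem or as non-root` comment; the same form here, e.g. `# TODO: <reason placeholder> — re-enable readOnlyRootFilesystem once the writable paths are moved to emptyDir volumes`, keeps the exception trackable. Which of the two `readOnlyRootFilesystem` lines is the removed one is not recoverable from this rendering, so the comment should replace the dead line rather than sit next to it.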


@@ -8,11 +8,10 @@ containerSecurityContext:
- "ALL"
enabled: true
privileged: false
# TODO: the service can't run with read only filesystem or as non-root
# readOnlyRootFilesystem: true
# runAsGroup: 101
# runAsNonRoot: true
# runAsUser: 101
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: "RuntimeDefault"


@@ -76,6 +76,7 @@ containerSecurityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 10991
runAsGroup: 10991
seccompProfile:
type: "RuntimeDefault"


@@ -7,6 +7,7 @@ containerSecurityContext:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
seccompProfile:


@@ -14,6 +14,7 @@ containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
readOnlyRootFilesystem: true
privileged: false
capabilities:
drop:
- "ALL"
@@ -63,6 +64,14 @@ jitsi:
resources:
{{ .Values.resources.jitsi | toYaml | nindent 6 }}
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: "RuntimeDefault"
prosody:
@@ -102,6 +111,14 @@ jitsi:
size: {{ .Values.persistence.size.prosody | quote }}
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: "RuntimeDefault"
jicofo:
@@ -115,6 +132,14 @@ jitsi:
resources:
{{ .Values.resources.jicofo | toYaml | nindent 6 }}
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: "RuntimeDefault"
jvb:
@@ -129,6 +154,14 @@ jitsi:
service:
type: {{ .Values.cluster.service.type | quote }}
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: "RuntimeDefault"
jibri:
@@ -143,8 +176,9 @@ jitsi:
resources:
{{ .Values.resources.jibri | toYaml | nindent 6 }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
# Chart does not allow to template more
capabilities:
add: ["SYS_ADMIN"]
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }}
@@ -156,8 +190,15 @@ patchJVB:
loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
image:
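Review bot: The four securityContext blocks added under `jitsi:`, `prosody:`, `jicofo:` and `jvb:` set `capabilities: {}` on a process that runs as UID 0 (`runAsUser: 0`, `runAsNonRoot: false`), so the container keeps the runtime's full default capability set; `allowPrivilegeEscalation: false` and the seccomp profile do not shrink that set. The `patchJVB` hunk in the same file already uses `drop: ["ALL"]`, so `capabilities: {drop: ["ALL"]}` would be consistent here, with only the specific capabilities the images actually need added back (which ones, if any, is not visible from this diff). The `jibri` block adds `SYS_ADMIN` under a comment that the chart does not allow templating more; that capability is broad enough that the reason belongs next to it, e.g. `# SYS_ADMIN required by jibri for <reason placeholder>; namespace pod-security level must allow it`, so the exception is visible to whoever audits the namespace's admission policy.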


@@ -80,6 +80,7 @@ containerSecurityContext:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 65532
runAsGroup: 65532
seccompProfile:


@@ -18,6 +18,7 @@ exporter:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 65532
runAsGroup: 65532
seccompProfile:
@@ -69,6 +70,7 @@ php:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 65532
runAsGroup: 65532
seccompProfile:
@@ -107,6 +109,7 @@ apache2:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 65532
runAsGroup: 65532
seccompProfile:


@@ -32,10 +32,12 @@ nextcloud-integration-ui:
capabilities:
drop:
- "ALL"
readOnlyRootFilesystem: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
privileged: false
seccompProfile:
type: "RuntimeDefault"
@@ -56,10 +58,12 @@ public-sector-ui:
capabilities:
drop:
- "ALL"
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
privileged: false
seccompProfile:
type: "RuntimeDefault"
@@ -121,6 +125,8 @@ appsuite:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1001
runAsGroup: 1001
privileged: false
seccompProfile:
type: "RuntimeDefault"
hooks:
@@ -344,6 +350,7 @@ appsuite:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
privileged: false
seccompProfile:
type: "RuntimeDefault"
@@ -384,6 +391,7 @@ appsuite:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
privileged: false
seccompProfile:
type: "RuntimeDefault"
@@ -400,18 +408,17 @@ appsuite:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }}
repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
podSecurityContext:
resources:
{{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
securityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 987
seccompProfile:
type: "RuntimeDefault"
resources:
{{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
securityContext:
# missing:
# readOnlyRootFilesystem: true
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
privileged: false
capabilities:
drop:
- "ALL"
@@ -455,6 +462,7 @@ appsuite:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
privileged: false
seccompProfile:
type: "RuntimeDefault"
@@ -470,18 +478,17 @@ appsuite:
endpoint: "."
accessKey: "."
secretKey: "."
podSecurityContext:
resources:
{{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
securityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 987
seccompProfile:
type: "RuntimeDefault"
resources:
{{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
securityContext:
# missing:
# readOnlyRootFilesystem: true
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
privileged: false
capabilities:
drop:
- "ALL"
@@ -509,6 +516,7 @@ appsuite:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
privileged: false
seccompProfile:
type: "RuntimeDefault"
@@ -537,6 +545,7 @@ appsuite:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
privileged: false
seccompProfile:
type: "RuntimeDefault"
...
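Review bot: The `nextcloud-integration-ui` hunk ends up with both `readOnlyRootFilesystem: true` and `readOnlyRootFilesystem: false`, and `privileged: false` twice, under the same securityContext; the hunk counts (10 → 12, with no line shown as removed in this rendering) suggest the new lines were added beside the existing ones rather than replacing them. Duplicate keys are rejected by strict YAML loaders and resolved silently last-wins by lenient ones, so the effective value is loader-dependent and may well be `false` where `true` was intended. The `public-sector-ui` hunk shows the same doubled `privileged: false`, and the hunk whose context is `volumes:`/`claims:` in a later file repeats `privileged: false` above and below its added block. Each mapping should carry exactly one `readOnlyRootFilesystem` and one `privileged` line; a `yamllint` run with `key-duplicates` enabled on the rendered values would catch this in CI.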


@@ -9,6 +9,7 @@ global:
containerSecurityContext:
enabled: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false


@@ -79,6 +79,10 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
serviceAccount:
create: true
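Review bot: This securityContext pins `runAsUser: 0`, `runAsGroup: 0`, `runAsNonRoot: false` and `readOnlyRootFilesystem: false` without a comment saying why the workload needs root, unlike the `containerSecurityContext` hunk earlier in the commit that carries a `# TODO: the service can't run with read only filesystem or as non-root` note. The same uncommented root block is added in the later sections whose hunk context is `udm-listener:`, `stackDataContext:`, `storeDav:`, `udmRestApi:` and `umcServer:`, and in several of the sections that end with `...`. A one-line comment such as `# TODO: runs as root because <reason placeholder>; track migration to a non-root image` on each keeps the exceptions findable when pod-security `restricted` enforcement is evaluated for these namespaces. Whether `allowPrivilegeEscalation` and a `capabilities.drop` are set in these blocks is outside the visible hunk lines.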


@@ -8,6 +8,7 @@ clamd:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 100
runAsGroup: 101
seccompProfile:
@@ -31,6 +32,14 @@ containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
readOnlyRootFilesystem: true
runAsUser: 0
runAsGroup: 0
seccompProfile:
type: "RuntimeDefault"
runAsNonRoot: false
capabilities:
drop: []
privileged: false
freshclam:
containerSecurityContext:
@@ -39,6 +48,7 @@ freshclam:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 100
runAsGroup: 101
seccompProfile:
@@ -71,6 +81,7 @@ icap:
enabled: true
runAsUser: 100
runAsGroup: 101
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
@@ -97,6 +108,7 @@ milter:
enabled: true
runAsUser: 100
runAsGroup: 101
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
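Review bot: The `containerSecurityContext` hunk with `runAsUser: 0` sets `capabilities: drop: []`, which drops nothing, so that container runs as root with the runtime's default capability set while the sibling `clamd`, `freshclam`, `icap` and `milter` blocks drop `ALL` and run as 100/101. If the root container only needs a few capabilities (for example to switch to an unprivileged user at startup — not verifiable from this diff), `drop: ["ALL"]` with an explicit `add:` list for exactly those is the narrower form; otherwise `drop: ["ALL"]` alone matches the rest of the file. The empty list reads like a placeholder, so a comment naming the required capabilities would help either way.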


@@ -7,10 +7,13 @@ containerSecurityContext:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
global:
imagePullSecrets:


@@ -7,7 +7,9 @@ containerSecurityContext:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"


@@ -24,7 +24,9 @@ containerSecurityContext:
- "ALL"
privileged: false
runAsUser: 1000
runAsGroup: 0
runAsNonRoot: true
readOnlyRootFilesystem: false
seccompProfile:
type: "RuntimeDefault"
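Review bot: `runAsGroup: 0` combined with `runAsUser: 1000` and `runAsNonRoot: true` gives the process root as its primary group, so any file in the image or a mounted volume that is group-writable by GID 0 is writable by this container even though the UID is unprivileged. This is the usual shape for images built to the arbitrary-UID convention (not verifiable here), but it is a weaker posture than `runAsGroup: 1000`, and `readOnlyRootFilesystem: false` on the next line keeps the image's group-owned paths writable. A comment such as `# GID 0 required: image grants write access via group root` — or `runAsGroup: 1000` if the image does not depend on it — would make the choice deliberate. The `containerSecurityContext` hunk with `runAsUser: 1001` / `runAsGroup: 0` near the end of this commit raises the same question.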


@@ -14,6 +14,9 @@ containerSecurityContext:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
privileged: true
global:
imagePullSecrets:
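Review bot: `privileged: true` together with `runAsUser: 0` and `runAsNonRoot: false` removes essentially all container isolation — every capability, host device access, and the seccomp profile set two lines above is generally not applied to privileged containers by the runtime — so the `seccompProfile` and `readOnlyRootFilesystem` settings in this block give little protection. No comment records which host resource the workload needs; if it is a single capability or device, `capabilities.add` with that capability, or a device/hostPath mount, is the narrower expression and keeps the rest of the context meaningful. At minimum a comment naming the requirement, e.g. `# privileged: <reason placeholder>; incompatible with pod-security 'baseline' in this namespace`, is needed so the exception is reviewed rather than inherited, and the namespace running this chart should be the only one whose admission level permits it.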


@@ -19,6 +19,7 @@ image:
master:
containerSecurityContext:
privileged: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001


@@ -51,5 +51,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
...


@@ -69,5 +69,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
...


@@ -42,5 +42,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
...


@@ -22,6 +22,11 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
privileged: false
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
volumes:
claims:


@@ -72,6 +72,10 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
service:
type: "ClusterIP"


@@ -40,5 +40,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: false
...
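Review bot: `runAsNonRoot: false` next to `runAsUser: 1000` / `runAsGroup: 1000` disables a check that would cost nothing here: with a non-zero UID the kubelet's `runAsNonRoot: true` validation passes, and it would also refuse to start the container if an image update or a values override later sets the UID back to 0. The section directly below uses the same UID with `runAsNonRoot: true`, so `runAsNonRoot: true` here keeps the two consistent. If the value is deliberately `false` because the image sometimes needs root, a comment saying so is needed.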


@@ -42,5 +42,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
...


@@ -106,5 +106,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
...


@@ -71,5 +71,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
...


@@ -46,5 +46,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
...


@@ -24,6 +24,10 @@ dispatcher:
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
events-and-consumer-api:
image:
@@ -54,6 +58,10 @@ events-and-consumer-api:
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
udm-listener:
image:
@@ -92,6 +100,10 @@ udm-listener:
privileged: false
seccompProfile:
type: "RuntimeDefault"
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
nats:
global:


@@ -69,5 +69,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
...


@@ -25,6 +25,10 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal"


@@ -25,6 +25,10 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
stackDataContext:
idpSamlMetadataUrlInternal: null


@@ -49,6 +49,10 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
storeDav:
auth:


@@ -47,6 +47,10 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
udmRestApi:
# TODO: Stub value currently


@@ -54,5 +54,9 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
...


@@ -90,6 +90,10 @@ securityContext:
privileged: false
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
umcServer:
certPemFile: "/var/secrets/ssl/tls.crt"


@@ -60,6 +60,7 @@ containerSecurityContext:
drop:
- "ALL"
readOnlyRootFilesystem: false
privileged: false
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000


@@ -40,6 +40,7 @@ handler:
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
@@ -82,6 +83,7 @@ proxy:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
privileged: false
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000


@@ -39,6 +39,7 @@ containerSecurityContext:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
privileged: false
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000


@@ -35,6 +35,7 @@ podSecurityContext:
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false


@@ -18,9 +18,15 @@ externalDB:
customKeyRef:
enabled: false
securityContext:
enabled: true
fsGroup: 101
containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
privileged: false
runAsUser: 100
runAsGroup: 101
runAsNonRoot: true
@@ -29,6 +35,7 @@ containerSecurityContext:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
customConfigs:
xwiki.cfg:
@@ -158,12 +165,6 @@ replicaCount: {{ .Values.replicas.xwiki }}
resources:
{{ .Values.resources.xwiki | toYaml | nindent 2 }}
securityContext:
enabled: true
fsGroup: 101
seccompProfile:
type: "RuntimeDefault"
service:
externalPort: 80
enabled: true