fix(docs): Add generated security-context.md

2025-12-07 16:01:37 +01:00 · 2024-02-11 21:09:31 +01:00
parent 01599022f1
commit d9e07ff7bd
46 changed files with 479 additions and 109 deletions
--- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
@@ -51,5 +51,9 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  runAsUser: 1000
+  runAsGroup: 1000
+  runAsNonRoot: true
+  readOnlyRootFilesystem: false

 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
@@ -69,5 +69,9 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  runAsUser: 1000
+  runAsGroup: 1000
+  runAsNonRoot: true
+  readOnlyRootFilesystem: false

 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
@@ -42,5 +42,9 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  readOnlyRootFilesystem: false

 ...
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
@@ -22,6 +22,11 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  privileged: false
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false

 volumes:
  claims:
--- a/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
@@ -72,6 +72,10 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false

 service:
  type: "ClusterIP"
--- a/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
@@ -40,5 +40,9 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 1000
+  runAsGroup: 1000
+  runAsNonRoot: false

 ...
--- a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
@@ -42,5 +42,9 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 1000
+  runAsGroup: 1000
+  runAsNonRoot: true

 ...
--- a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
@@ -106,5 +106,9 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false

 ...
--- a/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
@@ -71,5 +71,9 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false

 ...
--- a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
@@ -46,5 +46,9 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false

 ...
--- a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
@@ -24,6 +24,10 @@ dispatcher:
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
+    readOnlyRootFilesystem: false

 events-and-consumer-api:
  image:
@@ -54,6 +58,10 @@ events-and-consumer-api:
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
+    readOnlyRootFilesystem: false

 udm-listener:
  image:
@@ -92,6 +100,10 @@ udm-listener:
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
+    runAsUser: 0
+    runAsGroup: 0
+    runAsNonRoot: false
+    readOnlyRootFilesystem: false

 nats:
  global:
--- a/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
@@ -69,5 +69,9 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false

 ...
--- a/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
@@ -25,6 +25,10 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false

 stackDataContext:
  ldapBase: "dc=swp-ldap,dc=internal"
--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
@@ -25,6 +25,10 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false

 stackDataContext:
  idpSamlMetadataUrlInternal: null
--- a/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
@@ -49,6 +49,10 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false

 storeDav:
  auth:
--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
@@ -47,6 +47,10 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false

 udmRestApi:
  # TODO: Stub value currently
--- a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
@@ -54,5 +54,9 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false

 ...
--- a/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
@@ -90,6 +90,10 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false

 umcServer:
  certPemFile: "/var/secrets/ssl/tls.crt"
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
@@ -60,6 +60,7 @@ containerSecurityContext:
    drop:
      - "ALL"
  readOnlyRootFilesystem: false
+  privileged: false
  runAsGroup: 1000
  runAsNonRoot: true
  runAsUser: 1000
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
@@ -40,6 +40,7 @@ handler:
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
+    privileged: false
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
@@ -82,6 +83,7 @@ proxy:
        - "ALL"
    seccompProfile:
      type: "RuntimeDefault"
+    privileged: false
    readOnlyRootFilesystem: true
    runAsUser: 1000
    runAsGroup: 1000
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
@@ -39,6 +39,7 @@ containerSecurityContext:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
+  privileged: false
  readOnlyRootFilesystem: false
  runAsUser: 1000
  runAsGroup: 1000
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
@@ -35,6 +35,7 @@ podSecurityContext:
 containerSecurityContext:
  enabled: true
  runAsUser: 1001
+  runAsGroup: 0
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: false