fix(docs): Add generated security-context.md

This commit is contained in:
Dominik Kaminski
2024-02-11 21:09:31 +01:00
parent 01599022f1
commit d9e07ff7bd
46 changed files with 479 additions and 109 deletions


@@ -8,6 +8,7 @@ include:
- "ci/common/automr.yml" - "ci/common/automr.yml"
- "ci/common/lint.yml" - "ci/common/lint.yml"
- "ci/release-automation/semantic-release.yml" - "ci/release-automation/semantic-release.yml"
- local: "/.gitlab/generate/generate-docs.yml"
- project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}" - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
file: "gitlab/environments.yaml" file: "gitlab/environments.yaml"
rules: rules:
@@ -612,7 +613,8 @@ release:
"CHANGELOG.md", "CHANGELOG.md",
"charts/**/README.md", "charts/**/README.md",
"helmfile/environments/default/global.generated.yaml", "helmfile/environments/default/global.generated.yaml",
".kyverno/kyverno-test.yaml" ".kyverno/kyverno-test.yaml",
"docs"
], ],
"message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
}] }]
@@ -622,4 +624,5 @@ release:
- "semantic-release" - "semantic-release"
needs: needs:
- "generate-release-assets" - "generate-release-assets"
- "generate-docs"
... ...
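Review bot: The new `needs: - "generate-docs"` entry ties the release job to a job that, per .gitlab/generate/generate-docs.yml, only exists when `$JOB_RELEASE_ENABLED != 'false'` and the pipeline runs on the default branch; if release can appear in a pipeline where generate-docs was filtered out, GitLab rejects the whole pipeline because a `needs` target is missing. The release job's own rules are outside this hunk, so this is moot if they are identical; otherwise either align the two rule sets or declare the dependency as `- job: "generate-docs"` with `optional: true`. Listing the whole `"docs"` directory as a semantic-release asset also means anything the generate step leaves there is auto-committed to the default branch with `[skip ci]`; if security-context.md is the only generated file, narrow the pattern to `"docs/security-context.md"`.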

15
.gitlab/common/common.yml Normal file

@@ -0,0 +1,15 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
variables:
OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.2\
@sha256:7a866a34b82dddea8867862afaaccb1d1e385854ce344fc71be492800a5b16a6"
OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.3\
@sha256:096e649b985dd8e46e9dadff5f7e9c7a8772bf5a1b3df1bb2b4a887716c2ca85"
.common:
cache: {}
needs: []
tags:
- "docker"
...


@@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
include:
- local: "/.gitlab/common/common.yml"
.generate-common:
extends: ".common"
stage: ".post"
tags: []
...
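Review bot: `tags: []` on `.generate-common` discards the `docker` runner tag inherited from `.common`, so generate jobs can be scheduled on any runner available to the project rather than the tagged pool the lint jobs keep using. Because generate-docs output is subsequently committed to the default branch by the release job, it should run inside the same runner trust boundary as the rest of the pipeline. If the empty list is deliberate, record why, e.g. `tags: []  # intentionally untagged: output is only committed via the release job on the default branch`; otherwise drop the override and inherit the tag. Whether the `docker` tag is what restricts jobs to trusted runners cannot be confirmed from this file.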


@@ -0,0 +1,20 @@
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
include:
- local: "/.gitlab/generate/generate-common.yml"
generate-docs:
cache:
- key: "generate-docs-${CI_COMMIT_REF_SLUG}"
paths:
- "${CI_PROJECT_DIR}/docs"
policy: "push"
extends: ".generate-common"
image: "${OPENDESK_CI_CLI_IMAGE}"
rules:
- if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
when: "on_success"
script:
- "node /app/src/index.js generate-docs -d ${CI_PROJECT_DIR}"
...
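Review bot: The `docs` tree that release commits (.gitlab-ci.yml adds it to the semantic-release assets and `needs` this job) is handed over only through a branch-keyed cache with `policy: "push"`, and GitLab caches are best-effort and frequently runner-local, so the release job may see a missing or stale `docs` directory and commit that to the default branch. Hand the output over as a job artifact instead, e.g. `artifacts: {paths: ["docs"], expire_in: "1 hour"}` (artifact paths are relative to the project root), and drop the cache block unless it serves another purpose; the release job's cache configuration is not visible here. Quoting the directory argument, `'node /app/src/index.js generate-docs -d "${CI_PROJECT_DIR}"'`, avoids word splitting should the checkout path ever contain spaces.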


@@ -1,17 +1,11 @@
# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS" # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
--- ---
variables: include:
OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.3.1\ - local: "/.gitlab/common/common.yml"
@sha256:7bd1c03b1e443000d7016e37b7a085c400ee1873ad5a62c2e3181ea307b5133d"
OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.3\
@sha256:096e649b985dd8e46e9dadff5f7e9c7a8772bf5a1b3df1bb2b4a887716c2ca85"
.lint-common: .lint-common:
cache: {} extends: ".common"
needs: []
stage: "lint" stage: "lint"
tags:
- "docker"
... ...

227
docs/security-context.md Normal file

@@ -0,0 +1,227 @@
<!--
SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->
<h1>Kubernetes Security Context</h1>
* [Container Security Context](#container-security-context)
* [allowPrivilegeEscalation](#allowprivilegeescalation)
* [capabilities](#capabilities)
* [privileged](#privileged)
* [runAsUser](#runasuser)
* [runAsGroup](#runasgroup)
* [seccompProfile](#seccompprofile)
* [readOnlyRootFilesystem](#readonlyrootfilesystem)
* [runAsNonRoot](#runasnonroot)
* [Status quo](#status-quo)
# Container Security Context
The containerSecurityContext is the most important security-related section because it has the highest precedence and restricts the container to its minimal privileges.
## allowPrivilegeEscalation
Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed (Linux only) at any time.
```yaml
containerSecurityContext:
allowPrivilegeEscalation: false
```
## capabilities
Containers must drop ALL capabilities, and are only permitted to add back the `NET_BIND_SERVICE` capability (Linux only).
**Optimal:**
```yaml
containerSecurityContext:
capabilities:
drop:
- "ALL"
```
**Allowed:**
```yaml
containerSecurityContext:
capabilities:
drop:
- "ALL"
add:
- "NET_BIND_SERVICE"
```
## privileged
Privileged Pods disable most security mechanisms and must be disallowed.
```yaml
containerSecurityContext:
privileged: false
```
## runAsUser
Containers should set a user id >= 1000 and never use 0 (root) as user.
```yaml
containerSecurityContext:
runAsUser: 1000
```
## runAsGroup
Containers should set a group id >= 1000 and never use 0 (root) as user.
```yaml
containerSecurityContext:
runAsGroup: 1000
```
## seccompProfile
Seccomp profile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
```yaml
containerSecurityContext:
seccompProfile:
type: "RuntimeDefault"
```
or
```yaml
containerSecurityContext:
seccompProfile:
type: "Localhost"
```
## readOnlyRootFilesystem
Containers should have an immutable file systems, so that attackers could not modify application code or download malicious code.
```yaml
containerSecurityContext:
readOnlyRootFilesystem: true
```
## runAsNonRoot
Containers must be required to run as non-root users.
```yaml
containerSecurityContext:
runAsNonRoot: true
```
# Status quo
openDesk aims to achieve that all security relevant settings are explicitly templated and comply with security recommendations.
The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are also properly templated by the given Helm charts.
This list gives you an overview of templated security settings and if they comply with security standards:
- **yes**: Value is set to `true`
- **no**: Value is set to `false`
- **n/a**: No explicitly templated in openDesk and default is used.
| process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
| ------- | ------ | ------------------------ | ---------- | ---------------------- | ------------ | --------- | ---------- | -------------- | ------------ |
| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT","MKNOD"] |
| **cryptpad**/cryptpad | :x: | no | no | no | yes | 4001 | 4001 | yes | yes |
| **element**/matrix-neoboard-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/matrix-neochoice-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/matrix-neodatefix-bot | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/matrix-neodatefix-bot-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/matrix-neodatefix-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/opendesk-element | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/opendesk-matrix-user-verification-service | :x: | no | no | no | no | 0 | 0 | yes | yes |
| **element**/opendesk-matrix-user-verification-service-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/opendesk-synapse | :white_check_mark: | no | no | yes | yes | 10991 | 10991 | yes | yes |
| **element**/opendesk-synapse-web | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/opendesk-well-known | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **intercom-service**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 1993 | yes | yes |
| **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
| **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no |
| **jitsi**/jitsi/jitsi/jvb | :x: | no | no | no | no | 0 | 0 | yes | no |
| **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no |
| **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no |
| **jitsi**/jitsi/patchJVB | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 65532 | 65532 | yes | yes |
| **nextcloud**/opendesk-nextcloud/apache2 | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
| **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
| **nextcloud**/opendesk-nextcloud/php | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-documentconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-guidedtours | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-imageconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-mw/gotenberg | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-ui-middleware | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-user-guide | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/guard-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/nextcloud-integration-ui | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **provisioning**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **services**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
| **services**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
| **services**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
| **services**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
| **services**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
| **services**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
| **services**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **services**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **services**/minio | :x: | no | no | no | yes | 1000 | 0 | yes | yes |
| **services**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
| **services**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **services**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **univention-management-stack**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-guardian-authorization-api | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-guardian-management-api | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-guardian-management-ui | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-keycloak | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-keycloak-bootstrap | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-keycloak-extensions/handler | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-keycloak-extensions/proxy | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-ldap-notifier | :x: | no | no | no | no | 0 | 0 | yes | yes |
| **univention-management-stack**/ums-ldap-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-notifications-api | :x: | no | no | no | no | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-open-policy-agent | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-portal-frontend | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-portal-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-portal-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-provisioning/dispatcher | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-provisioning/events-and-consumer-api | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
| **univention-management-stack**/ums-provisioning/udm-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-selfservice-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-stack-data-swp | :x: | no | no | no | no | 0 | 0 | yes | yes |
| **univention-management-stack**/ums-stack-data-ums | :x: | no | no | no | no | 0 | 0 | yes | yes |
| **univention-management-stack**/ums-stack-gateway | :x: | no | no | no | yes | 1001 | 1001 | yes | yes |
| **univention-management-stack**/ums-store-dav | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-udm-rest-api | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-umc-gateway | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **univention-management-stack**/ums-umc-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
| **xwiki**/xwiki | :x: | no | no | no | yes | 100 | 101 | yes | yes |
This file is auto-generated by [openDesk CI CLI](https://gitlab.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli)


@@ -29,78 +29,7 @@ All charts except the ones mentioned below are verifiable:
This list gives you an overview of default security settings and if they comply with security standards: This list gives you an overview of default security settings and if they comply with security standards:
⟶ Visit our generated detailed [Security Context](./security-context.md) overview.
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|-----------------------------|-------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
| CryptPad | cryptpad | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
| IntercomService | intercom-service | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
| Minio | minio | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| Nextcloud | opendesk-nextcloud-apache2 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
| | opendesk-nextcloud-cron | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
| | opendesk-nextcloud-exporter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
| | opendesk-nextcloud-management | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 65532 | 65532 | 65532 |
| | opendesk-nextcloud-php | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| OpenProject | openproject | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| | opendeskOpenprojectBootstrap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Redis | redis | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 0 | 1001 |
| Univention Management Stack | guardian-authorization-api | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | guardian-management-api | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | guardian-management-ui | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1000 | 1000 | 1000 |
| | keycloak-bootstrap | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1000 | 1000 | 1000 |
| | keycloak-extension-handler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | keycloak-extension-proxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | ldap-notifier | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | ldap-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | notifications-api | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | opendesk-keycloak-bootstrap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| | open-policy-agent | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | portal-frontend | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | portal-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | portal-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | dispatcher | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | events-and-consumer-api | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
| | udm-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | selfservice-listener | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | stack-gateway | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| | store-dav | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | udm-rest-api | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | umc-gateway | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| | umc-server | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`) | :white_check_mark: | :x: | :x: | - | - | - |
| XWiki | xwiki | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 101 |
| | xwiki initContainers | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
# NetworkPolicies # NetworkPolicies


@@ -63,9 +63,10 @@ securityContext:
capabilities: capabilities:
drop: drop:
- "ALL" - "ALL"
privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
# readOnlyRootFilesystem: true readOnlyRootFilesystem: false
runAsNonRoot: true runAsNonRoot: true
runAsUser: 4001 runAsUser: 4001
runAsGroup: 4001 runAsGroup: 4001
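Review bot: `readOnlyRootFilesystem: false` replaces the commented-out `# readOnlyRootFilesystem: true` without recording why this container still needs a writable root filesystem, so the setting now reads as a deliberate default rather than a known gap against the "should be immutable" rule the new docs state. Keep the rationale beside the value, e.g. `readOnlyRootFilesystem: false  # TODO: not yet read-only; identify the writable paths, mount emptyDir volumes there and re-enable`, and name the paths once known. Which chart this values file belongs to is not visible in the hunk.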


@@ -8,11 +8,10 @@ containerSecurityContext:
- "ALL" - "ALL"
enabled: true enabled: true
privileged: false privileged: false
# TODO: the service can't run with read only filesystem or as non-root readOnlyRootFilesystem: false
# readOnlyRootFilesystem: true runAsGroup: 0
# runAsGroup: 101 runAsNonRoot: false
# runAsNonRoot: true runAsUser: 0
# runAsUser: 101
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
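Review bot: Deleting the `# TODO: the service can't run with read only filesystem or as non-root` comment removes the only record of why this container is now explicitly `runAsUser: 0`, `runAsNonRoot: false` and `readOnlyRootFilesystem: false`; making the exception explicit is the right move, but the reason should travel with it. Restore it as a comment on the new keys, e.g. `# TODO: runs as root with a writable root fs because the image requires it; target is uid/gid 101 with readOnlyRootFilesystem: true`, ideally with a tracking reference. `privileged: false` and `drop: ["ALL"]` are kept, which limits the blast radius, but that should be stated rather than left for the reader to infer. The start of this `containerSecurityContext` block, including `allowPrivilegeEscalation`, is above the hunk.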


@@ -76,6 +76,7 @@ containerSecurityContext:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsNonRoot: true runAsNonRoot: true
runAsUser: 10991 runAsUser: 10991
runAsGroup: 10991
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"


@@ -7,6 +7,7 @@ containerSecurityContext:
drop: drop:
- "ALL" - "ALL"
enabled: true enabled: true
privileged: false
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000
seccompProfile: seccompProfile:


@@ -14,6 +14,7 @@ containerSecurityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
enabled: true enabled: true
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
privileged: false
capabilities: capabilities:
drop: drop:
- "ALL" - "ALL"
@@ -63,6 +64,14 @@ jitsi:
resources: resources:
{{ .Values.resources.jitsi | toYaml | nindent 6 }} {{ .Values.resources.jitsi | toYaml | nindent 6 }}
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
prosody: prosody:
@@ -102,6 +111,14 @@ jitsi:
size: {{ .Values.persistence.size.prosody | quote }} size: {{ .Values.persistence.size.prosody | quote }}
storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }} storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
jicofo: jicofo:
@@ -115,6 +132,14 @@ jitsi:
resources: resources:
{{ .Values.resources.jicofo | toYaml | nindent 6 }} {{ .Values.resources.jicofo | toYaml | nindent 6 }}
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
jvb: jvb:
@@ -129,6 +154,14 @@ jitsi:
service: service:
type: {{ .Values.cluster.service.type | quote }} type: {{ .Values.cluster.service.type | quote }}
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities: {}
enabled: true
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
jibri: jibri:
@@ -143,8 +176,9 @@ jitsi:
resources: resources:
{{ .Values.resources.jibri | toYaml | nindent 6 }} {{ .Values.resources.jibri | toYaml | nindent 6 }}
securityContext: securityContext:
seccompProfile: # Chart does not allow to template more
type: "RuntimeDefault" capabilities:
add: ["SYS_ADMIN"]
imagePullSecrets: imagePullSecrets:
{{- range .Values.global.imagePullSecrets }} {{- range .Values.global.imagePullSecrets }}
- name: {{ . | quote }} - name: {{ . | quote }}
@@ -156,8 +190,15 @@ patchJVB:
loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }} loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
containerSecurityContext: containerSecurityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true enabled: true
privileged: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
image: image:
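Review bot: In the `@@ -143,8 +176,9 @@ jitsi:` hunk the jibri `securityContext` loses `seccompProfile: type: "RuntimeDefault"` and gains `capabilities: add: ["SYS_ADMIN"]`, and the only comment is `# Chart does not allow to template more`, which says nothing about why the capability is required or why the seccomp profile went away. `SYS_ADMIN` is widely regarded as near-root on the host kernel, so it deserves a why-comment, e.g. `# jibri needs SYS_ADMIN for <reason>; seccompProfile cannot be set through this chart value` with the reason filled in. The `securityContext` blocks added for web, prosody, jicofo and jvb (hunks `@@ -63,6 +64,14 @@`, `@@ -102,6 +111,14 @@`, `@@ -115,6 +132,14 @@` and `@@ -129,6 +154,14 @@`) set `capabilities: {}` beside `runAsUser: 0`, whereas every other chart in this commit uses `drop: ["ALL"]`; if those components do not need capabilities, `capabilities: {drop: ["ALL"]}` keeps the pattern consistent, otherwise a comment recording the exception would help.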


@@ -80,6 +80,7 @@ containerSecurityContext:
drop: drop:
- "ALL" - "ALL"
enabled: true enabled: true
privileged: false
runAsUser: 65532 runAsUser: 65532
runAsGroup: 65532 runAsGroup: 65532
seccompProfile: seccompProfile:


@@ -18,6 +18,7 @@ exporter:
drop: drop:
- "ALL" - "ALL"
enabled: true enabled: true
privileged: false
runAsUser: 65532 runAsUser: 65532
runAsGroup: 65532 runAsGroup: 65532
seccompProfile: seccompProfile:
@@ -69,6 +70,7 @@ php:
drop: drop:
- "ALL" - "ALL"
enabled: true enabled: true
privileged: false
runAsUser: 65532 runAsUser: 65532
runAsGroup: 65532 runAsGroup: 65532
seccompProfile: seccompProfile:
@@ -107,6 +109,7 @@ apache2:
drop: drop:
- "ALL" - "ALL"
enabled: true enabled: true
privileged: false
runAsUser: 65532 runAsUser: 65532
runAsGroup: 65532 runAsGroup: 65532
seccompProfile: seccompProfile:


@@ -32,10 +32,12 @@ nextcloud-integration-ui:
capabilities: capabilities:
drop: drop:
- "ALL" - "ALL"
readOnlyRootFilesystem: true privileged: false
readOnlyRootFilesystem: false
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
@@ -56,10 +58,12 @@ public-sector-ui:
capabilities: capabilities:
drop: drop:
- "ALL" - "ALL"
privileged: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
@@ -121,6 +125,8 @@ appsuite:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1001 runAsUser: 1001
runAsGroup: 1001
privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
hooks: hooks:
@@ -344,6 +350,7 @@ appsuite:
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
@@ -384,6 +391,7 @@ appsuite:
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
@@ -400,18 +408,17 @@ appsuite:
registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }} registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }}
repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }} repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }} tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
podSecurityContext: resources:
{{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
securityContext:
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
runAsUser: 987 runAsUser: 987
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
resources: readOnlyRootFilesystem: false
{{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
securityContext:
# missing:
# readOnlyRootFilesystem: true
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
privileged: false
capabilities: capabilities:
drop: drop:
- "ALL" - "ALL"
@@ -455,6 +462,7 @@ appsuite:
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
@@ -470,18 +478,17 @@ appsuite:
endpoint: "." endpoint: "."
accessKey: "." accessKey: "."
secretKey: "." secretKey: "."
podSecurityContext: resources:
{{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
securityContext:
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
runAsUser: 987 runAsUser: 987
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
resources: readOnlyRootFilesystem: false
{{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
securityContext:
# missing:
# readOnlyRootFilesystem: true
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
privileged: false
capabilities: capabilities:
drop: drop:
- "ALL" - "ALL"
@@ -509,6 +516,7 @@ appsuite:
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
@@ -537,6 +545,7 @@ appsuite:
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
... ...
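Review bot: `readOnlyRootFilesystem` flips from `true` to `false` for `nextcloud-integration-ui` in the `@@ -32,10 +32,12 @@ nextcloud-integration-ui:` hunk with nothing recording why, while the sibling `public-sector-ui` block in the next hunk keeps `true`. A downgrade of an existing hardening setting deserves a one-line reason, e.g. `# writable root filesystem required: <reason>` above `readOnlyRootFilesystem: false`, so it is not later read as the intended baseline. The document-converter and image-converter hunks (`@@ -400,18 +408,17 @@` and `@@ -470,18 +478,17 @@`) likewise replace the `# missing: readOnlyRootFilesystem: true` marker with a bare `readOnlyRootFilesystem: false` and remove the pod-level `podSecurityContext` block; if the chart renders further containers that relied on the pod-level `seccompProfile`, that default is now gone, which is worth confirming against the rendered manifests.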


@@ -9,6 +9,7 @@ global:
containerSecurityContext: containerSecurityContext:
enabled: true enabled: true
privileged: false
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000
allowPrivilegeEscalation: false allowPrivilegeEscalation: false


@@ -79,6 +79,10 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
serviceAccount: serviceAccount:
create: true create: true
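Review bot: `runAsUser: 0`, `runAsGroup: 0`, `runAsNonRoot: false` and `readOnlyRootFilesystem: false` are introduced in the `@@ -79,6 +79,10 @@ securityContext:` hunk with no comment on why this workload needs root and a writable root filesystem. If the intent is to make an existing implicit default explicit so that it shows up in generated documentation, say so next to the values, e.g. `# Runs as root: documented exception, see <tracking reference>`; otherwise the block now reads as a deliberate choice of the weakest posture. The same applies to the later `securityContext:` hunks in this commit that add `runAsUser: 0` without a rationale (among them `@@ -42,5 +42,9 @@`, `@@ -22,6 +22,11 @@`, `@@ -72,6 +72,10 @@`, `@@ -106,5 +106,9 @@`, `@@ -92,6 +100,10 @@ udm-listener:` and the `@@ -90,6 +90,10 @@` hunk before `umcServer:`).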


@@ -8,6 +8,7 @@ clamd:
drop: drop:
- "ALL" - "ALL"
enabled: true enabled: true
privileged: false
runAsUser: 100 runAsUser: 100
runAsGroup: 101 runAsGroup: 101
seccompProfile: seccompProfile:
@@ -31,6 +32,14 @@ containerSecurityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
enabled: true enabled: true
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsUser: 0
runAsGroup: 0
seccompProfile:
type: "RuntimeDefault"
runAsNonRoot: false
capabilities:
drop: []
privileged: false
freshclam: freshclam:
containerSecurityContext: containerSecurityContext:
@@ -39,6 +48,7 @@ freshclam:
drop: drop:
- "ALL" - "ALL"
enabled: true enabled: true
privileged: false
runAsUser: 100 runAsUser: 100
runAsGroup: 101 runAsGroup: 101
seccompProfile: seccompProfile:
@@ -71,6 +81,7 @@ icap:
enabled: true enabled: true
runAsUser: 100 runAsUser: 100
runAsGroup: 101 runAsGroup: 101
privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
@@ -97,6 +108,7 @@ milter:
enabled: true enabled: true
runAsUser: 100 runAsUser: 100
runAsGroup: 101 runAsGroup: 101
privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
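Review bot: In the `@@ -31,6 +32,14 @@ containerSecurityContext:` hunk the new lines combine `runAsUser: 0`, `runAsGroup: 0` and `runAsNonRoot: false` with `capabilities: drop: []`, so this container keeps the runtime's full default capability set while running as root, unlike every other container in this commit, which drops `ALL`. If root and the default capabilities are genuinely required, record the reason, e.g. `# Needs root and default capabilities: <reason>` above `capabilities:`; if only the UID is required, `drop: ["ALL"]` is the expected pattern here. The key order (`seccompProfile` between the `runAs*` fields, `privileged` last) also differs from the clamd and freshclam blocks in the same file; grouping the keys the same way keeps the generated documentation diffable.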


@@ -7,10 +7,13 @@ containerSecurityContext:
drop: drop:
- "ALL" - "ALL"
enabled: true enabled: true
privileged: false
runAsUser: 100 runAsUser: 100
runAsGroup: 101 runAsGroup: 101
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
global: global:
imagePullSecrets: imagePullSecrets:


@@ -7,7 +7,9 @@ containerSecurityContext:
drop: drop:
- "ALL" - "ALL"
enabled: true enabled: true
privileged: false
runAsUser: 1001 runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true runAsNonRoot: true
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"


@@ -24,7 +24,9 @@ containerSecurityContext:
- "ALL" - "ALL"
privileged: false privileged: false
runAsUser: 1000 runAsUser: 1000
runAsGroup: 0
runAsNonRoot: true runAsNonRoot: true
readOnlyRootFilesystem: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
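Review bot: `runAsGroup: 0` is added in the `@@ -24,7 +24,9 @@ containerSecurityContext:` hunk beside `runAsUser: 1000` and `runAsNonRoot: true`, i.e. a non-root user whose primary group is root. GID 0 is not forbidden by the Pod Security Standards, but policy scanners commonly flag it and it grants group-root access to any group-writable files in the image; if the image's files really are group-owned by root, a comment such as `# image files are group-owned by root (GID 0)` would record that. The `@@ -35,6 +35,7 @@ podSecurityContext:` hunk later in the commit adds the same `runAsGroup: 0` next to `runAsUser: 1001` and would benefit from the same note.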


@@ -14,6 +14,9 @@ containerSecurityContext:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
runAsNonRoot: false runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
privileged: true
global: global:
imagePullSecrets: imagePullSecrets:
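Review bot: `privileged: true` is added in the `@@ -14,6 +14,9 @@ containerSecurityContext:` hunk together with `runAsUser: 0` and `runAsGroup: 0`, without any comment on why this container must be privileged. It is the single most impactful setting in this commit: a privileged container bypasses most kernel isolation, and on common runtimes the `seccompProfile: RuntimeDefault` in the same block is not applied to privileged containers, so the surrounding hardening keys give little assurance here. Please add a why-comment, e.g. `# privileged required: <reason>; no narrower capability set has been found to work`, and consider marking this block as an explicit exception in the generated documentation rather than listing it alongside the hardened charts.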


@@ -19,6 +19,7 @@ image:
master: master:
containerSecurityContext: containerSecurityContext:
privileged: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsUser: 1001 runAsUser: 1001
runAsGroup: 1001 runAsGroup: 1001


@@ -51,5 +51,9 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
... ...


@@ -69,5 +69,9 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
... ...


@@ -42,5 +42,9 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
... ...


@@ -22,6 +22,11 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
privileged: false
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
volumes: volumes:
claims: claims:
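Review bot: The `@@ -22,6 +22,11 @@ securityContext:` hunk adds a second `privileged: false` three lines below the `privileged: false` that is still visible in the context, so the `securityContext` mapping now carries a duplicate key (assuming both lines sit at the same indentation, which the rendered view suggests). Duplicate keys are invalid under YAML 1.2; depending on the parser the document is either rejected or the last value silently wins, and a strict loader will fail the render. Drop the added `privileged: false` line and keep the existing one.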


@@ -72,6 +72,10 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
service: service:
type: "ClusterIP" type: "ClusterIP"


@@ -40,5 +40,9 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: false
... ...
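Review bot: In the `@@ -40,5 +40,9 @@ securityContext:` hunk `runAsNonRoot: false` is added next to `runAsUser: 1000` and `runAsGroup: 1000`. With an explicit non-zero `runAsUser` the kubelet's non-root check can never fail, so `runAsNonRoot: true` costs nothing and keeps the guarantee if `runAsUser` is later removed and the image's `USER` takes over; the otherwise identical `@@ -42,5 +42,9 @@` hunk in the following file already uses `runAsNonRoot: true`. Change the line to `runAsNonRoot: true`, or record why the weaker value is deliberate.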


@@ -42,5 +42,9 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
... ...


@@ -106,5 +106,9 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
... ...


@@ -71,5 +71,9 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
... ...


@@ -46,5 +46,9 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
... ...


@@ -24,6 +24,10 @@ dispatcher:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
events-and-consumer-api: events-and-consumer-api:
image: image:
@@ -54,6 +58,10 @@ events-and-consumer-api:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: false
udm-listener: udm-listener:
image: image:
@@ -92,6 +100,10 @@ udm-listener:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
nats: nats:
global: global:


@@ -69,5 +69,9 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
... ...


@@ -25,6 +25,10 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
stackDataContext: stackDataContext:
ldapBase: "dc=swp-ldap,dc=internal" ldapBase: "dc=swp-ldap,dc=internal"


@@ -25,6 +25,10 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
stackDataContext: stackDataContext:
idpSamlMetadataUrlInternal: null idpSamlMetadataUrlInternal: null


@@ -49,6 +49,10 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
storeDav: storeDav:
auth: auth:


@@ -47,6 +47,10 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
udmRestApi: udmRestApi:
# TODO: Stub value currently # TODO: Stub value currently


@@ -54,5 +54,9 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
... ...


@@ -90,6 +90,10 @@ securityContext:
privileged: false privileged: false
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
umcServer: umcServer:
certPemFile: "/var/secrets/ssl/tls.crt" certPemFile: "/var/secrets/ssl/tls.crt"


@@ -60,6 +60,7 @@ containerSecurityContext:
drop: drop:
- "ALL" - "ALL"
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
privileged: false
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000


@@ -40,6 +40,7 @@ handler:
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
privileged: false
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@@ -82,6 +83,7 @@ proxy:
- "ALL" - "ALL"
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
privileged: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000


@@ -39,6 +39,7 @@ containerSecurityContext:
- "ALL" - "ALL"
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
privileged: false
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000


@@ -35,6 +35,7 @@ podSecurityContext:
containerSecurityContext: containerSecurityContext:
enabled: true enabled: true
runAsUser: 1001 runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true runAsNonRoot: true
privileged: false privileged: false
readOnlyRootFilesystem: false readOnlyRootFilesystem: false


@@ -18,9 +18,15 @@ externalDB:
customKeyRef: customKeyRef:
enabled: false enabled: false
securityContext:
enabled: true
fsGroup: 101
containerSecurityContext: containerSecurityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
enabled: true enabled: true
privileged: false
runAsUser: 100 runAsUser: 100
runAsGroup: 101 runAsGroup: 101
runAsNonRoot: true runAsNonRoot: true
@@ -29,6 +35,7 @@ containerSecurityContext:
- "ALL" - "ALL"
seccompProfile: seccompProfile:
type: "RuntimeDefault" type: "RuntimeDefault"
readOnlyRootFilesystem: false
customConfigs: customConfigs:
xwiki.cfg: xwiki.cfg:
@@ -158,12 +165,6 @@ replicaCount: {{ .Values.replicas.xwiki }}
resources: resources:
{{ .Values.resources.xwiki | toYaml | nindent 2 }} {{ .Values.resources.xwiki | toYaml | nindent 2 }}
securityContext:
enabled: true
fsGroup: 101
seccompProfile:
type: "RuntimeDefault"
service: service:
externalPort: 80 externalPort: 80
enabled: true enabled: true