From e512486e74545449a0e3dca5254ffb44f2d1790f Mon Sep 17 00:00:00 2001
From: Dominik Kaminski
Date: Thu, 3 Oct 2024 19:11:10 +0200
Subject: [PATCH] fix(helmfile): Remove NET_RAW capabilities

---
 .../values-opendesk-customization.yaml.gotmpl | 27 +++++++++++++++++++
 .../values-oxconnector.yaml.gotmpl | 1 -
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
index 162c50a9..1a9eb0e5 100644
--- a/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
@@ -185,6 +185,33 @@ nubusUmcServer:
     runAsNonRoot: false
     seLinuxOptions:
       {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
+  containerSecurityContextSssd:
+    enabled: true
+    allowPrivilegeEscalation: true
+    capabilities:
+      drop:
+        - "ALL"
+      add:
+        - "DAC_OVERRIDE"
+        - "SETGID"
+        - "AUDIT_WRITE"
+        - "SETUID"
+        - "CHOWN"
+        - "SETPCAP"
+        - "FOWNER"
+        - "FSETID"
+        - "KILL"
+        - "MKNOD"
+        - "NET_BIND_SERVICE"
+        - "SYS_CHROOT"
+    runAsUser: 0
+    runAsGroup: 0
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: false
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   proxy:
diff --git a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
index 69d8263c..4b8da67d 100644
--- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
@@ -90,7 +90,6 @@ securityContext:
       - "SETUID"
       - "SETPCAP"
       - "NET_BIND_SERVICE"
-      - "NET_RAW"
       - "SYS_CHROOT"
   privileged: false
   seccompProfile:
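Review bot: The new containerSecurityContextSssd block sets `allowPrivilegeEscalation: true` next to `runAsUser: 0` and a twelve-entry capability add list, which runs against the hardening direction of this commit; because the container already starts as root with those capabilities granted explicitly, `allowPrivilegeEscalation: false` would normally cost it nothing, unless the sssd helper binaries depend on setuid bits or file capabilities at exec time, which is worth confirming before changing it. The `seLinuxOptions` line reuses `.Values.seLinuxOptions.umsUmcServer` for the sssd container; if that is a copy of the block above rather than a deliberate sharing of the UMC server labels, a dedicated value would keep the two contexts independently tunable. The block also carries no explanation of why root and this add list are required, so a line above `containerSecurityContextSssd:` such as `# sssd sidecar: runs as root with the capabilities below because <reason — TODO fill in>` would document the exception for the next reviewer. The enclosing `nubusUmcServer:` mapping begins outside the hunk.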