fix(ci): Add Kyverno CI Lint

.gitignore

@@ -6,5 +6,8 @@
 
 # Ignore changes to sample environments
 helmfile/environments/dev/values.yaml.gotmpl
-helmfile/environments/test/values.yaml.gotmpl
 helmfile/environments/prod/values.yaml.gotmpl
+
+# Ignore in CI generated files
+.kyverno/opendesk.yaml
+.kyverno/kyverno-test.yaml

.gitlab-ci.yml

@@ -12,6 +12,16 @@ include:
     file: "gitlab/environments.yaml"
     rules:
       - if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"
+  - local: "/.gitlab/lint/lint-opendesk.yml"
+    rules:
+      - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
+        when: "never"
+      - when: "always"
+  - local: "/.gitlab/lint/lint-kyverno.yml"
+    rules:
+      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
+        when: "never"
+      - when: "always"
 
 stages:
   - ".pre"
@@ -137,8 +147,8 @@ variables:
   cache: {}
   dependencies: []
   extends: ".environments"
-  image: "external-registry.souvap-univention.de/registry-souvap-univention-de/souvap/tooling/images/helm\
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.0.1\
-          @sha256:5a53455af45f4af5c97a01ee2dd5f9ef683f365b59f1ab0102505bc0fd37f6c5"
+          @sha256:d38f41b88374e055332860018f2936db8807b763caf6089735db0484cbb2842a"
   script:
     - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
     # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -517,22 +527,6 @@ generate-release-assets:
   variables:
     ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"
 
-opendesk-linter:
-  cache: {}
-  image: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:1.0.1"
-  needs: []
-  rules:
-    - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
-      when: "never"
-    - when: "always"
-  script:
-    - "node /app/src/index.js sort-images ${CI_PROJECT_DIR}/helmfile/environments/default/images.yaml"
-    - "node /app/src/index.js sort-charts ${CI_PROJECT_DIR}/helmfile/environments/default/charts.yaml"
-    - "git diff --exit-code"
-  stage: "lint"
-  tags:
-    - "docker"
-
 # Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
 # 'cache' is used because job must contain at least one key, so cache is just a dummy key.
 .environments:
@@ -613,7 +607,13 @@ release:
           "@semantic-release/release-notes-generator",
           "@semantic-release/changelog",
           ["@semantic-release/git", {
-            "assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md", "helmfile/environments/default/global.generated.yaml"],
+            "assets": [
+              "charts/**/Chart.yaml",
+              "CHANGELOG.md",
+              "charts/**/README.md",
+              "helmfile/environments/default/global.generated.yaml",
+              ".kyverno/kyverno-test.yaml"
+            ],
             "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
           }]
         ]

.gitlab/lint/lint-common.yml

@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+variables:
+  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.2.0\
+    @sha256:b36b1fc8a19605306dffef2c919c2a6bf5a3099e8a42ecb39a416394410b75d7"
+  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.1\
+    @sha256:5b1bd85cc73ba0cede1f37d79fa7eeebffa653afa7944406eea9287c29a7769a"
+
+.lint-common:
+  cache: {}
+  needs: []
+  stage: "lint"
+  tags:
+    - "docker"
+
+...

.gitlab/lint/lint-kyverno.yml

@@ -0,0 +1,35 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+include:
+  - local: "/.gitlab/lint/lint-common.yml"
+
+lint-kyverno:
+  allow_failure: true
+  extends: ".lint-common"
+  image: "${OPENDESK_LINT_IMAGE}"
+  parallel:
+    matrix:
+      - APP:
+          - "collabora"
+          - "cryptpad"
+          - "element"
+          - "intercom-service"
+          - "jitsi"
+          - "nextcloud"
+          - "open-xchange"
+          - "openproject"
+          - "openproject-bootstrap"
+          - "provisioning"
+          - "services"
+          - "univention-management-stack"
+          - "xwiki"
+  script:
+    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
+    - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
+    - "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required ${APP}"
+    - "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
+    - "cd ${CI_PROJECT_DIR}/.kyverno"
+    - "kyverno test ."
+
+...

.gitlab/lint/lint-opendesk.yml

@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+include:
+  - local: "/.gitlab/lint/lint-common.yml"
+
+lint-opendesk:
+  extends: ".lint-common"
+  image: "${OPENDESK_CI_CLI_IMAGE}"
+  script:
+    - "node /app/src/index.js sort-all -d ${CI_PROJECT_DIR}/helmfile"
+    - "git diff --exit-code"
+...

.kyverno/_apps.yaml

@@ -0,0 +1,276 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+pod:
+  - resource: "mariadb"
+    kind: "StatefulSet"
+    app: "services"
+  - resource: "postgresql"
+    kind: "StatefulSet"
+    app: "services"
+  - resource: "clamav-simple"
+    kind: "StatefulSet"
+    app: "services"
+  - resource: "redis-master"
+    kind: "StatefulSet"
+    app: "services"
+  - resource: "ums-store-dav"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-ldap-server"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-ldap-notifier"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-portal-listener"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-selfservice-listener"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-provisioning-nats"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-guardian-management-api"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-guardian-management-ui"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-guardian-authorization-api"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-open-policy-agent"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "open-xchange-core-mw-default"
+    kind: "StatefulSet"
+    app: "open-xchange"
+  - resource: "jitsi-prosody"
+    kind: "StatefulSet"
+    app: "jitsi"
+  - resource: "opendesk-synapse"
+    kind: "StatefulSet"
+    app: "element"
+  - resource: "xwiki"
+    kind: "StatefulSet"
+    app: "xwiki"
+  - resource: "ox-connector"
+    kind: "StatefulSet"
+    app: "provisioning"
+  - resource: "minio"
+    kind: "Deployment"
+    app: "services"
+  - resource: "memcached"
+    kind: "Deployment"
+    app: "services"
+  - resource: "postfix"
+    kind: "Deployment"
+    app: "services"
+  - resource: "ums-keycloak"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-stack-gateway"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-udm-rest-api"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-portal-server"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-notifications-api"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-portal-frontend"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-umc-gateway"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-umc-server"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-provisioning-nats-box"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-keycloak-extensions-handler"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-keycloak-extensions-proxy"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "intercom-service"
+    kind: "Deployment"
+    app: "intercom-service"
+  - resource: "dovecot"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-core-documentconverter"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-core-guidedtours"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-core-imageconverter"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-gotenberg"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-core-ui-middleware"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-core-ui-middleware-updater"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-core-ui"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-core-user-guide"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-guard-ui"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-nextcloud-integration-ui"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-public-sector-ui"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "opendesk-nextcloud-apache2"
+    kind: "Deployment"
+    app: "nextcloud"
+  - resource: "opendesk-nextcloud-exporter"
+    kind: "Deployment"
+    app: "nextcloud"
+  - resource: "opendesk-nextcloud-php"
+    kind: "Deployment"
+    app: "nextcloud"
+  - resource: "collabora"
+    kind: "Deployment"
+    app: "collabora"
+  - resource: "jitsi-jibri"
+    kind: "Deployment"
+    app: "jitsi"
+  - resource: "jitsi-jicofo"
+    kind: "Deployment"
+    app: "jitsi"
+  - resource: "jitsi-jvb"
+    kind: "Deployment"
+    app: "jitsi"
+  - resource: "jitsi-web"
+    kind: "Deployment"
+    app: "jitsi"
+  - resource: "jitsi-opendesk-jitsi-keycloak-adapter"
+    kind: "Deployment"
+    app: "jitsi"
+  - resource: "opendesk-element"
+    kind: "Deployment"
+    app: "element"
+  - resource: "opendesk-well-known"
+    kind: "Deployment"
+    app: "element"
+  - resource: "opendesk-synapse-web"
+    kind: "Deployment"
+    app: "element"
+  - resource: "opendesk-matrix-user-verification-service"
+    kind: "Deployment"
+    app: "element"
+  - resource: "matrix-neoboard-widget"
+    kind: "Deployment"
+    app: "element"
+  - resource: "matrix-neochoice-widget"
+    kind: "Deployment"
+    app: "element"
+  - resource: "matrix-neodatefix-widget"
+    kind: "Deployment"
+    app: "element"
+  - resource: "matrix-neodatefix-bot"
+    kind: "Deployment"
+    app: "element"
+  - resource: "openproject-web"
+    kind: "Deployment"
+    app: "openproject"
+  - resource: "openproject-worker"
+    kind: "Deployment"
+    app: "openproject"
+  - resource: "mariadb-bootstrap"
+    kind: "Job"
+    app: "services"
+  - resource: "postgresql-bootstrap"
+    kind: "Job"
+    app: "services"
+  - resource: "minio-provisioning"
+    kind: "Job"
+    app: "services"
+  - resource: "ums-stack-data-ums-1"
+    kind: "Job"
+    app: "univention-management-stack"
+  - resource: "ums-stack-data-swp-1"
+    kind: "Job"
+    app: "univention-management-stack"
+  - resource: "ums-keycloak-bootstrap-bootstrap-1"
+    kind: "Job"
+    app: "univention-management-stack"
+  - resource: "opendesk-keycloak-bootstrap-bootstrap-1"
+    kind: "Job"
+    app: "univention-management-stack"
+  - resource: "opendesk-open-xchange-bootstrap"
+    kind: "Job"
+    app: "open-xchange"
+  - resource: "opendesk-nextcloud-management-1"
+    kind: "Job"
+    app: "nextcloud"
+  - resource: "jitsi-opendesk-jitsi"
+    kind: "Job"
+    app: "jitsi"
+  - resource: "opendesk-matrix-user-verification-service-bootstrap"
+    kind: "Job"
+    app: "element"
+  - resource: "matrix-neodatefix-bot-bootstrap"
+    kind: "Job"
+    app: "element"
+  - resource: "opendesk-openproject-bootstrap-bootstrap-1"
+    kind: "Job"
+    app: "openproject-bootstrap"
+#  # Has timestamp in resource name - not supported yet.
+#  - resource: "openproject-seeder-*"
+#    kind: "Job"
+#  - resource: "ums-store-dav-test-connection"
+#    kind: "Pod"
+#  - resource: "ums-udm-rest-api-test-connection"
+#    kind: "Pod"
+#  - resource: "ums-portal-server-test-connection"
+#    kind: "Pod"
+#  - resource: "ums-notifications-api-test-connection"
+#    kind: "Pod"
+#  - resource: "ums-portal-frontend-test-connection"
+#    kind: "Pod"
+#  - resource: "ums-provisioning-nats-test-request-reply"
+#    kind: "Pod"
+#  - resource: "ums-provisioning-provisioning-api-test-connection"
+#    kind: "Pod"
+#  - resource: "open-xchange-core-guidedtours-test-connection"
+#    kind: "Pod"
+#  - resource: "open-xchange-gotenberg-test-connection"
+#    kind: "Pod"
+#  - resource: "open-xchange-core-ui-test-connection"
+#    kind: "Pod"
+#  - resource: "open-xchange-core-user-guide-test-connection"
+#    kind: "Pod"
+#  - resource: "open-xchange-guard-ui-test-connection"
+#    kind: "Pod"
+#  - resource: "open-xchange-nextcloud-integration-ui-test-connection"
+#    kind: "Pod"
+#  - resource: "open-xchange-public-sector-ui-test-connection"
+#    kind: "Pod"
+#  - resource: "jitsi-prosody-test-connection"
+#    kind: "Pod"
+#  - resource: "jitsi-web-test-connection"
+#    kind: "Pod"
+#  - resource: "openproject-test-connection"
+#    kind: "Pod"
+...

.kyverno/policies/_policies.yaml

@@ -0,0 +1,55 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+pod:
+  - name: "require-tag-and-digest"
+    rule: "require-tag-and-digest"
+    type: "required"
+  - name: "disallow-default-serviceaccount"
+    rule: "require-sa"
+    type: "required"
+  - name: "require-imagepullsecrets"
+    rule: "require-imagepullsecrets"
+    type: "required"
+  - name: "disallow-latest-tag"
+    rule: "validate-image-tag"
+    type: "required"
+  - name: "require-imagepullpolicy-always"
+    rule: "require-imagepullpolicy-always"
+    type: "required"
+  - name: "require-health-and-liveness-check"
+    rule: "require-health-and-liveness-check"
+    type: "required"
+    excludeKinds:
+      - "Job"
+  - name: "require-requests-limits"
+    rule: "validate-resources"
+    type: "required"
+  - name: "restrict-image-registries"
+    rule: "validate-registries"
+    type: "required"
+  - name: "require-containersecuritycontext"
+    rule: "require-ro-rootfs"
+    type: "optional"
+  - name: "require-containersecuritycontext"
+    rule: "require-no-privilege-escalation"
+    type: "optional"
+  - name: "require-containersecuritycontext"
+    rule: "require-all-capabilities-dropped"
+    type: "optional"
+  - name: "require-containersecuritycontext"
+    rule: "require-no-privileged"
+    type: "optional"
+  - name: "require-containersecuritycontext"
+    rule: "require-run-as-user"
+    type: "optional"
+  - name: "require-containersecuritycontext"
+    rule: "require-run-as-group"
+    type: "optional"
+  - name: "require-containersecuritycontext"
+    rule: "require-seccomp-profile"
+    type: "required"
+  - name: "require-containersecuritycontext"
+    rule: "require-run-as-non-root"
+    type: "optional"
+...

.kyverno/policies/disallow-default-serviceaccount.yaml

@@ -0,0 +1,22 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-default-serviceaccount"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-sa"
+      validate:
+        message: "serviceAccountName must be set to anything other than 'default'."
+        pattern:
+          spec:
+            serviceAccountName: "!default"
+  validationFailureAction: "audit"
+...

.kyverno/policies/disallow-latest-tag.yaml

@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-latest-tag"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "validate-image-tag"
+      validate:
+        message: "Using a mutable image tag e.g. 'latest' is not allowed."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - image: "!*:latest"
+            =(initContainers):
+              - image: "!*:latest"
+            containers:
+              - image: "!*:latest"
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-containersecuritycontext.yaml

@@ -0,0 +1,173 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-containersecuritycontext"
+spec:
+  background: true
+  rules:
+    - name: "require-ro-rootfs"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Root filesystem must be read-only."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  readOnlyRootFilesystem: true
+            =(initContainers):
+              - securityContext:
+                  readOnlyRootFilesystem: true
+            containers:
+              - securityContext:
+                  readOnlyRootFilesystem: true
+
+    - name: "require-no-privilege-escalation"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Disallow privilege escalation."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  allowPrivilegeEscalation: false
+            =(initContainers):
+              - securityContext:
+                  allowPrivilegeEscalation: false
+            containers:
+              - securityContext:
+                  allowPrivilegeEscalation: false
+
+    - name: "require-all-capabilities-dropped"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Required to drop ALL linux capabilities."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  capabilities:
+                    drop:
+                      - "ALL"
+            =(initContainers):
+              - securityContext:
+                  capabilities:
+                    drop:
+                      - "ALL"
+            containers:
+              - securityContext:
+                  capabilities:
+                    drop:
+                      - "ALL"
+
+    - name: "require-no-privileged"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Disallow privileged container."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  privileged: false
+            =(initContainers):
+              - securityContext:
+                  privileged: false
+            containers:
+              - securityContext:
+                  privileged: false
+
+    - name: "require-run-as-user"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Container must run as non-root user."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  runAsUser: ">0"
+            =(initContainers):
+              - securityContext:
+                  runAsUser: ">0"
+            containers:
+              - securityContext:
+                  runAsUser: ">0"
+
+    - name: "require-run-as-group"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Container must run as non-root group."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  runAsGroup: ">0"
+            =(initContainers):
+              - securityContext:
+                  runAsGroup: ">0"
+            containers:
+              - securityContext:
+                  runAsGroup: ">0"
+
+    - name: "require-seccomp-profile"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Container must have seccompProfile"
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  seccompProfile:
+                    type: "RuntimeDefault | Localhost"
+            =(initContainers):
+              - securityContext:
+                  seccompProfile:
+                    type: "RuntimeDefault | Localhost"
+            containers:
+              - securityContext:
+                  seccompProfile:
+                    type: "RuntimeDefault | Localhost"
+
+    - name: "require-run-as-non-root"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Container must run in non-root mode."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  runAsNonRoot: true
+            =(initContainers):
+              - securityContext:
+                  runAsNonRoot: true
+            containers:
+              - securityContext:
+                  runAsNonRoot: true
+
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-health-and-liveness-check.yaml

@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-health-and-liveness-check"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-health-and-liveness-check"
+      validate:
+        message: "Liveness and readiness probes are required. spec.containers[*].livenessProbe.periodSeconds
+          must be set to a value greater than 0."
+        pattern:
+          spec:
+            containers:
+              - livenessProbe:
+                  periodSeconds: ">0"
+                readinessProbe:
+                  periodSeconds: ">0"
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-imagepullpolicy-always.yaml

@@ -0,0 +1,40 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-imagepullpolicy-always"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-imagepullpolicy-always"
+      validate:
+        message: "The imagePullPolicy must be set to `Always` when the tag `latest` is used."
+        anyPattern:
+          - spec:
+              =(ephemeralContainers):
+                - (image): "*:latest"
+                  imagePullPolicy: "Always"
+              =(initContainers):
+                - (image): "*:latest"
+                  imagePullPolicy: "Always"
+              containers:
+                - (image): "*:latest"
+                  imagePullPolicy: "Always"
+          - spec:
+              =(ephemeralContainers):
+                - (image): "!*:latest"
+                  imagePullPolicy: "IfNotPresent"
+              =(initContainers):
+                - (image): "!*:latest"
+                  imagePullPolicy: "IfNotPresent"
+              containers:
+                - (image): "!*:latest"
+                  imagePullPolicy: "IfNotPresent"
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-imagepullsecets.yaml

@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-imagepullsecrets"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-imagepullsecrets"
+      validate:
+        message: "ImagePullSecrets are required."
+        pattern:
+          spec:
+            imagePullSecrets:
+              - name: "*"
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-requests-limits.yaml

@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-requests-limits"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "validate-resources"
+      validate:
+        message: "CPU and memory resource requests and limits are required."
+        pattern:
+          spec:
+            containers:
+              - resources:
+                  limits:
+                    memory: "?*"
+                  requests:
+                    cpu: "?*"
+                    memory: "?*"
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-tag-and-digest.yaml

@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-tag-and-digest"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-tag-and-digest"
+      validate:
+        message: "An image tag and digest required."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - image: "*:*@sha256:*"
+            =(initContainers):
+              - image: "*:*@sha256:*"
+            containers:
+              - image: "*:*@sha256:*"
+  validationFailureAction: "audit"
+...

.kyverno/policies/restrict-image-registries.yaml

@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "restrict-image-registries"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "validate-registries"
+      validate:
+        message: "Unknown image registry."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - image: "external-registry.souvap-univention.de/*"
+            =(initContainers):
+              - image: "external-registry.souvap-univention.de/*"
+            containers:
+              - image: "external-registry.souvap-univention.de/*"
+  validationFailureAction: "audit"
+...

helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl

@@ -56,9 +56,8 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-# TODO: The health endpoint does not work with the haproxy configuration, yet
 livenessProbe:
-  enabled: false
+  enabled: true
 
 persistence:
   size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
@@ -68,9 +67,8 @@ podSecurityContext:
   enabled: true
   fsGroup: 101
 
-# TODO: The health endpoint does not work with the haproxy configuration, yet
 readinessProbe:
-  enabled: false
+  enabled: true
 
 replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
 

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl

@@ -21,4 +21,18 @@ image:
   tag: {{ .Values.images.synapseCreateUser.tag | quote }}
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
+fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
 ...

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -62,6 +62,9 @@ jitsi:
       TURN_ENABLE: "1"
     resources:
       {{ .Values.resources.jitsi | toYaml | nindent 6 }}
+    securityContext:
+      seccompProfile:
+        type: "RuntimeDefault"
   prosody:
     image:
       repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -98,6 +101,9 @@ jitsi:
     persistence:
       size: {{ .Values.persistence.size.prosody | quote }}
       storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
+    securityContext:
+      seccompProfile:
+        type: "RuntimeDefault"
   jicofo:
     replicaCount: {{ .Values.replicas.jicofo }}
     image:
@@ -108,6 +114,9 @@ jitsi:
       componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
     resources:
       {{ .Values.resources.jicofo | toYaml | nindent 6 }}
+    securityContext:
+      seccompProfile:
+        type: "RuntimeDefault"
   jvb:
     replicaCount: {{ .Values.replicas.jvb }}
     image:
@@ -119,6 +128,9 @@ jitsi:
       {{ .Values.resources.jvb | toYaml | nindent 6 }}
     service:
       type: {{ .Values.cluster.service.type | quote }}
+    securityContext:
+      seccompProfile:
+        type: "RuntimeDefault"
   jibri:
     replicaCount: {{ .Values.replicas.jibri }}
     image:
@@ -130,6 +142,9 @@ jitsi:
       password: {{ .Values.secrets.jitsi.jibriXmppPassword | quote }}
     resources:
       {{ .Values.resources.jibri | toYaml | nindent 6 }}
+    securityContext:
+      seccompProfile:
+        type: "RuntimeDefault"
   imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . | quote }}
@@ -143,6 +158,8 @@ patchJVB:
     allowPrivilegeEscalation: false
     enabled: true
     readOnlyRootFilesystem: true
+    seccompProfile:
+      type: "RuntimeDefault"
   image:
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -92,6 +92,8 @@ appsuite:
     masterAdmin: "admin"
     masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
     hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+    serviceAccount:
+      create: true
     features:
       status:
         # enable admin pack
@@ -413,6 +415,8 @@ appsuite:
       capabilities:
         drop:
           - "ALL"
+      seccompProfile:
+        type: "RuntimeDefault"
 
   core-documents-collaboration:
     enabled: false
@@ -481,6 +485,8 @@ appsuite:
       capabilities:
         drop:
           - "ALL"
+      seccompProfile:
+        type: "RuntimeDefault"
 
   guard-ui:
     enabled: true

helmfile/apps/openproject/values.yaml.gotmpl

@@ -71,7 +71,7 @@ environment:
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }}
   repository: {{ .Values.images.openproject.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   tag: {{ .Values.images.openproject.tag | quote }}
 
 initdb:
@@ -79,7 +79,7 @@ initdb:
     registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectInitDb.registry | quote }}
     repository: {{ .Values.images.openprojectInitDb.repository | quote }}
     tag: {{ .Values.images.openprojectInitDb.tag | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 memcached:
   bundled: false

helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl

@@ -59,6 +59,27 @@ probes:
     failureThreshold: 30
     successThreshold: 1
 
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+
 serviceAccount:
   create: true
 

helmfile/apps/services/values-minio.yaml.gotmpl

@@ -167,6 +167,8 @@ provisioning:
       policies:
         - "nextcloud-bucket-policy"
       setPolicies: true
+  resources:
+    {{ .Values.resources.minio | toYaml | nindent 4 }}
 
 readinessProbe:
   enabled: true

helmfile/apps/services/values-postgresql.yaml.gotmpl

@@ -7,6 +7,7 @@ containerSecurityContext:
     drop:
       - "ALL"
   enabled: true
+  privileged: false
   runAsUser: 1001
   runAsGroup: 1001
   seccompProfile:

helmfile/apps/services/values-redis.yaml.gotmpl

@@ -20,6 +20,15 @@ image:
 master:
   containerSecurityContext:
     readOnlyRootFilesystem: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    seccompProfile:
+      type: "RuntimeDefault"
+    capabilities:
+      drop:
+        - "ALL"
   count: {{ .Values.replicas.redis }}
   persistence:
     size: {{ .Values.persistence.size.redis | quote }}

helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl

@@ -1,5 +1,7 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+{{/*
-# SPDX-License-Identifier: Apache-2.0
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioning.registry | quote }}
@@ -11,6 +13,22 @@ image:
     - name: {{ . | quote }}
     {{- end }}
 
+nats:
+  global:
+    image:
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+      pullSecretNames: {{ .Values.global.imagePullSecrets }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningNats.registry | quote }}
+  container:
+    image:
+      repository: {{ .Values.images.umsProvisioningNats.repository | quote }}
+      tag: {{ .Values.images.umsProvisioningNats.tag | quote }}
+  natsBox:
+    container:
+      image:
+        repository: {{ .Values.images.umsProvisioningNatsBox.repository | quote }}
+        tag: {{ .Values.images.umsProvisioningNatsBox.tag | quote }}
+
 provisioningApi:
   rootPath: "/univention/provisioning-api"
 

helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl

@@ -1,6 +1,10 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
 fullnameOverride: "ums-stack-gateway"
 
 image:
@@ -28,19 +32,27 @@ podSecurityContext:
   enabled: true
   fsGroup: 1001
 
-securityContext:
+containerSecurityContext:
+  enabled: true
+  runAsUser: 1001
+  runAsNonRoot: true
+  privileged: false
+  readOnlyRootFilesystem: false
   allowPrivilegeEscalation: false
   capabilities:
     drop:
       - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: false
-  runAsUser: 1001
-  runAsNonRoot: true
   seccompProfile:
     type: "RuntimeDefault"
 
+service:
+  type: "ClusterIP"
+
+serviceAccount:
+  create: true
+
+fullnameOverride: "ums-stack-gateway"
+
 # The content of the "serverBlock" does resemble the Ingress configuration of
 # the UMS components. The "location" entries do intentionally reflect precisely
 # the respective paths which are configured.
@@ -289,7 +301,4 @@ serverBlock: |
 
   }
 
-service:
-  type: "ClusterIP"
-
 ...

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -15,6 +15,8 @@ externalDB:
   database: {{ .Values.databases.xwiki.name | quote }}
   user: {{ .Values.databases.xwiki.username | quote }}
   host: {{ .Values.databases.xwiki.host | quote }}
+  customKeyRef:
+    enabled: false
 
 containerSecurityContext:
   allowPrivilegeEscalation: false
@@ -25,6 +27,8 @@ containerSecurityContext:
   capabilities:
     drop:
       - "ALL"
+  seccompProfile:
+    type: "RuntimeDefault"
 
 customConfigs:
   xwiki.cfg:

helmfile/environments/default/charts.yaml

@@ -85,7 +85,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-element"
-    version: "2.6.3"
+    version: "2.6.6"
     verify: true
     # @supplier: "openDesk"
 
@@ -97,7 +97,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-well-known"
-    version: "2.6.3"
+    version: "2.6.6"
     verify: true
     # @supplier: "openDesk"
 
@@ -135,7 +135,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
     name: "opendesk-jitsi"
-    version: "1.7.4"
+    version: "1.7.8"
     verify: true
     # @supplier: "openDesk"
 
@@ -159,7 +159,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neoboard-widget"
-    version: "3.4.0"
+    version: "3.4.1"
     verify: true
     # @supplier: "openDesk"
 
@@ -171,7 +171,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neochoice-widget"
-    version: "3.4.0"
+    version: "3.4.1"
     verify: true
     # @supplier: "openDesk"
 
@@ -183,7 +183,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neodatefix-bot"
-    version: "3.4.0"
+    version: "3.4.1"
     verify: true
     # @supplier: "openDesk"
 
@@ -195,7 +195,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neodatefix-widget"
-    version: "3.4.0"
+    version: "3.4.1"
     verify: true
     # @supplier: "openDesk"
 
@@ -207,7 +207,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-matrix-user-verification-service"
-    version: "2.6.3"
+    version: "2.6.6"
     verify: true
     # @supplier: "openDesk"
 
@@ -279,7 +279,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
-    version: "1.0.5"
+    version: "1.0.6"
     verify: true
     # @supplier: "openDesk"
 
@@ -305,7 +305,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap"
     name: "opendesk-openproject-bootstrap"
-    version: "1.2.3"
+    version: "1.3.0"
     verify: true
     # @supplier: "openDesk"
 
@@ -404,7 +404,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse"
-    version: "2.6.3"
+    version: "2.6.6"
     verify: true
     # @supplier: "openDesk"
 
@@ -416,7 +416,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-create-account"
-    version: "2.6.3"
+    version: "2.6.6"
     verify: true
     # @supplier: "openDesk"
 
@@ -428,7 +428,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-web"
-    version: "2.6.3"
+    version: "2.6.6"
     verify: true
     # @supplier: "openDesk"
 
@@ -510,7 +510,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "keycloak-extensions"
-    version: "0.0.5"
+    version: "0.1.0"
     verify: true
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'

helmfile/environments/default/images.yaml

@@ -698,6 +698,22 @@ images:
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['0', '4', '0']
+  umsProvisioningNats:
+    # renovate:
+    # upstreamRegistry=docker.io
+    # upstreamRepository=nats
+    # dependencyType=external
+    registry: "docker.io"
+    repository: "nats"
+    tag: "2.10.5-alpine@sha256:85319e5e541b6f273dbffc722e001601f391028e004c90a4fadab53475789e79"
+  umsProvisioningNatsBox:
+    # renovate:
+    # upstreamRegistry=docker.io
+    # upstreamRepository=nats
+    # dependencyType=external
+    registry: "docker.io"
+    repository: "natsio/nats-box"
+    tag: "0.14.1@sha256:a67913df95f1d5b265117e49e4c83228091d13d6783d80215ddcf84aba695ef4"
   umsSelfserviceInvitation:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de

helmfile/environments/test/values.yaml.gotmpl

@@ -0,0 +1,8 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+...