mirror of
https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git
synced 2025-12-07 07:51:38 +01:00
Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
47a385683c | ||
|
|
db48140f3a | ||
|
|
d7cae3b1fa | ||
|
|
7ae65a36a2 |
@@ -33,9 +33,6 @@ variables:
|
|||||||
description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
|
description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
|
||||||
sovereign-workplace-env included above."
|
sovereign-workplace-env included above."
|
||||||
value: "dev"
|
value: "dev"
|
||||||
BASE_DOMAIN:
|
|
||||||
description: "Define the Cluster Base Domain."
|
|
||||||
value: "souvap.cloud"
|
|
||||||
MASTER_PASSWORD_WEB_VAR:
|
MASTER_PASSWORD_WEB_VAR:
|
||||||
description: "Optional: Provide a passphrase to be used for password generation."
|
description: "Optional: Provide a passphrase to be used for password generation."
|
||||||
value: ""
|
value: ""
|
||||||
@@ -150,9 +147,6 @@ variables:
|
|||||||
UMS_TESTS_BRANCH:
|
UMS_TESTS_BRANCH:
|
||||||
description: "Branch of E2E test suite of SouvAP Dev team"
|
description: "Branch of E2E test suite of SouvAP Dev team"
|
||||||
value: "main"
|
value: "main"
|
||||||
# please use the following set of variables with normalized names:
|
|
||||||
DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
|
|
||||||
ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
|
|
||||||
|
|
||||||
.deploy-common:
|
.deploy-common:
|
||||||
cache: {}
|
cache: {}
|
||||||
@@ -204,7 +198,6 @@ env-cleanup:
|
|||||||
env-start:
|
env-start:
|
||||||
environment:
|
environment:
|
||||||
name: "${NAMESPACE}"
|
name: "${NAMESPACE}"
|
||||||
url: "https://portal.${DOMAIN}"
|
|
||||||
on_stop: "env-stop"
|
on_stop: "env-stop"
|
||||||
extends: ".deploy-common"
|
extends: ".deploy-common"
|
||||||
image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
|
image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
|
||||||
@@ -443,10 +436,6 @@ run-tests:
|
|||||||
extends: ".deploy-common"
|
extends: ".deploy-common"
|
||||||
environment:
|
environment:
|
||||||
name: "${NAMESPACE}"
|
name: "${NAMESPACE}"
|
||||||
tags:
|
|
||||||
- "docker"
|
|
||||||
- "kubernetes"
|
|
||||||
- "${CLUSTER}"
|
|
||||||
stage: "tests"
|
stage: "tests"
|
||||||
rules:
|
rules:
|
||||||
- if: >
|
- if: >
|
||||||
@@ -503,10 +492,6 @@ run-souvap-dev-tests:
|
|||||||
extends: ".deploy-common"
|
extends: ".deploy-common"
|
||||||
environment:
|
environment:
|
||||||
name: "${NAMESPACE}"
|
name: "${NAMESPACE}"
|
||||||
tags:
|
|
||||||
- "docker"
|
|
||||||
- "kubernetes"
|
|
||||||
- "${CLUSTER}"
|
|
||||||
stage: "tests"
|
stage: "tests"
|
||||||
rules:
|
rules:
|
||||||
- if: >
|
- if: >
|
||||||
|
|||||||
14
CHANGELOG.md
14
CHANGELOG.md
@@ -1,3 +1,17 @@
|
|||||||
|
## [0.5.45](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.44...v0.5.45) (2023-11-22)
|
||||||
|
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
* **open-xchange:** Add security context ([db48140](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/db48140f3ae6576b21e93ac0f10f40765efd608d))
|
||||||
|
|
||||||
|
## [0.5.44](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.43...v0.5.44) (2023-11-21)
|
||||||
|
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
* **ci:** Remove default BASE_DOMAIN in .gitlab-ci.yml ([7ae65a3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7ae65a36a2777d249ba3784bf965da4c790a1b21))
|
||||||
|
|
||||||
## [0.5.43](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.42...v0.5.43) (2023-11-20)
|
## [0.5.43](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.42...v0.5.43) (2023-11-20)
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -18,13 +18,12 @@ The project includes a `.gitlab-ci.yml` that allows you to execute the deploymen
|
|||||||
|
|
||||||
When starting the pipeline through the Gitlab UI, you will be queried for some variables plus the following ones:
|
When starting the pipeline through the Gitlab UI, you will be queried for some variables plus the following ones:
|
||||||
|
|
||||||
- `BASE_DOMAIN`: The base domain the SWP will use. For example: `souvap.cloud`
|
- `DOMAIN` = The domain to deploy to.
|
||||||
|
- `ISTIO_DOMAIN` = istio.`DOMAIN`
|
||||||
- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
|
- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
|
||||||
- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
|
- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
|
||||||
|
|
||||||
Based on your input, the following variables will be set:
|
Based on your input, the following variables will be set:
|
||||||
- `DOMAIN` = `NAMESPACE`.`BASE_DOMAIN`
|
|
||||||
- `ISTIO_DOMAIN` = istio.`DOMAIN`
|
|
||||||
- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
|
- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
|
||||||
is not set, the default for `MASTER_PASSWORD` will be used, unless you set
|
is not set, the default for `MASTER_PASSWORD` will be used, unless you set
|
||||||
`MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supersede the default.
|
`MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supersede the default.
|
||||||
|
|||||||
@@ -50,30 +50,43 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
|
|||||||
This list gives you an overview of default security settings and if they comply with security standards:
|
This list gives you an overview of default security settings and if they comply with security standards:
|
||||||
|
|
||||||
|
|
||||||
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|
||||||
|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
|--------------|----------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|
||||||
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||||
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||||
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||||
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
| | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
|
||||||
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
| Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 |
|
||||||
| CryptPad | cryptpad | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
| CryptPad | npm | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 4001 | 4001 | 4001 |
|
||||||
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
| Dovecot | dovecot | :x: | :white_check_mark: | :x: (`CHOWN`, `DAC_OVERRIDE`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`) | :white_check_mark: | :white_check_mark: | :x: | - | - | 1000 |
|
||||||
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
| Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||||
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
| | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 |
|
||||||
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
| | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||||
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
| | wellKnown | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 |
|
||||||
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
| Jitsi | jibri | :x: | :x: | :x: (`SYS_ADMIN`) | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
| | jicofo | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
| | jitsiKeycloakAdapter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1993 | 1993 | - |
|
||||||
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
| | jvb | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
| | prosody | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
| | web | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
| Keycloak | keycloak | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||||
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | keycloakConfigCli | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||||
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
| | keycloakExtensionHandler | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
| | keycloakExtensionProxy | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||||
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
|
||||||
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
|
| Postfix | postfix | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 101 |
|
||||||
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||||
|
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
|
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
|
||||||
|
| | core-mw-default | :x: | :x: | :x: | :x: | :x: | :x: | - | - | - |
|
||||||
|
| | core-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
|
| | core-ui-middleware | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
|
| | core-ui-middleware-updater | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
|
| | core-user-guide | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
|
| | gotenberg | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
|
| | guard-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
|
| | nextlcoud-integration-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
|
| | public-sector-ui | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
|
||||||
|
| OpenProject | openproject | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | - |
|
||||||
|
| PostgreSQL | postgresql | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
|
||||||
|
|||||||
@@ -1,6 +1,24 @@
|
|||||||
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
|
||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
---
|
---
|
||||||
|
containerSecurityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
add:
|
||||||
|
- "CHOWN"
|
||||||
|
- "DAC_OVERRIDE"
|
||||||
|
- "KILL"
|
||||||
|
- "NET_BIND_SERVICE"
|
||||||
|
- "SETGID"
|
||||||
|
- "SETUID"
|
||||||
|
- "SYS_CHROOT"
|
||||||
|
enabled: true
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
|
|
||||||
dovecot:
|
dovecot:
|
||||||
ldap:
|
ldap:
|
||||||
enabled: true
|
enabled: true
|
||||||
@@ -16,4 +34,8 @@ dovecot:
|
|||||||
enabled: true
|
enabled: true
|
||||||
ssl: "no"
|
ssl: "no"
|
||||||
host: "postfix:25"
|
host: "postfix:25"
|
||||||
|
|
||||||
|
podSecurityContext:
|
||||||
|
enabled: true
|
||||||
|
fsGroup: 1000
|
||||||
...
|
...
|
||||||
|
|||||||
@@ -14,6 +14,17 @@ appsuite:
|
|||||||
masterAdmin: "admin"
|
masterAdmin: "admin"
|
||||||
gotenberg:
|
gotenberg:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
privileged: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1001
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
features:
|
features:
|
||||||
status:
|
status:
|
||||||
# enable admin pack
|
# enable admin pack
|
||||||
@@ -27,6 +38,7 @@ appsuite:
|
|||||||
open-xchange-authentication-oauth: "enabled"
|
open-xchange-authentication-oauth: "enabled"
|
||||||
properties:
|
properties:
|
||||||
com.openexchange.UIWebPath: "/appsuite/"
|
com.openexchange.UIWebPath: "/appsuite/"
|
||||||
|
com.openexchange.showAdmin: "false"
|
||||||
# PDF Export
|
# PDF Export
|
||||||
com.openexchange.capability.mail_export_pdf: "true"
|
com.openexchange.capability.mail_export_pdf: "true"
|
||||||
com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
|
com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
|
||||||
@@ -158,8 +170,23 @@ appsuite:
|
|||||||
mkdir -p /opt/open-xchange/guard-files
|
mkdir -p /opt/open-xchange/guard-files
|
||||||
chown open-xchange:open-xchange /opt/open-xchange/guard-files
|
chown open-xchange:open-xchange /opt/open-xchange/guard-files
|
||||||
|
|
||||||
|
# Security context for core-mw has no effect yet
|
||||||
|
# podSecurityContext: {}
|
||||||
|
# securityContext: {}
|
||||||
|
|
||||||
core-ui:
|
core-ui:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsGroup: 1000
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1000
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
|
|
||||||
core-ui-middleware:
|
core-ui-middleware:
|
||||||
enabled: true
|
enabled: true
|
||||||
@@ -170,15 +197,62 @@ appsuite:
|
|||||||
- "redis-master:6379"
|
- "redis-master:6379"
|
||||||
auth:
|
auth:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsGroup: 1000
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1000
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
|
|
||||||
core-guidedtours:
|
core-guidedtours:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsGroup: 1000
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1000
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
|
|
||||||
guard-ui:
|
guard-ui:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsGroup: 1000
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1000
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
|
|
||||||
core-cacheservice:
|
core-cacheservice:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
core-user-guide:
|
core-user-guide:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsGroup: 1000
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1000
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
|
|
||||||
core-imageconverter:
|
core-imageconverter:
|
||||||
enabled: true
|
enabled: true
|
||||||
@@ -188,6 +262,19 @@ appsuite:
|
|||||||
endpoint: "."
|
endpoint: "."
|
||||||
accessKey: "."
|
accessKey: "."
|
||||||
secretKey: "."
|
secretKey: "."
|
||||||
|
podSecurityContext:
|
||||||
|
runAsGroup: 1000
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 987
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
|
securityContext:
|
||||||
|
# missing:
|
||||||
|
# readOnlyRootFilesystem: true
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
|
||||||
core-spellcheck:
|
core-spellcheck:
|
||||||
enabled: false
|
enabled: false
|
||||||
@@ -198,6 +285,19 @@ appsuite:
|
|||||||
cache:
|
cache:
|
||||||
remoteCache:
|
remoteCache:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
podSecurityContext:
|
||||||
|
runAsGroup: 1000
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 987
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
|
securityContext:
|
||||||
|
# missing:
|
||||||
|
# readOnlyRootFilesystem: true
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
|
||||||
core-documents-collaboration:
|
core-documents-collaboration:
|
||||||
enabled: false
|
enabled: false
|
||||||
@@ -213,3 +313,30 @@ appsuite:
|
|||||||
enabled: false
|
enabled: false
|
||||||
core-drive-help:
|
core-drive-help:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
|
nextcloud-integration-ui:
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsGroup: 1000
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1000
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
|
|
||||||
|
public-sector-ui:
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- "ALL"
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsGroup: 1000
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1000
|
||||||
|
seccompProfile:
|
||||||
|
type: "RuntimeDefault"
|
||||||
|
...
|
||||||
|
|||||||
Reference in New Issue
Block a user