opendesk/docs/security.md

Security

This document should cover the current status of security measurements.

• Helm Chart Trust Chain
• Kubernetes Security Enforcements

Helm Chart Trust Chain

Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in pubkey.gpg file and are validated during helmfile installation.

Repository	OCI	Verifiable
bitnami-repo (openDesk build)	yes	✅
clamav-repo	yes	✅
collabora-online-repo	no	❌
cryptpad-online-repo	no	❌
intercom-service-repo	yes	✅
istio-resources-repo	yes	✅
jitsi-repo	yes	✅
keycloak-extensions-repo	no	❌
keycloak-theme-repo	yes	✅
mariadb-repo	yes	✅
nextcloud-repo	no	❌
opendesk-certificates-repo	yes	✅
opendesk-dovecot-repo	yes	✅
opendesk-element-repo	yes	✅
opendesk-keycloak-bootstrap-repo	yes	✅
opendesk-nextcloud-bootstrap-repo	yes	✅
opendesk-open-xchange-bootstrap-repo	yes	✅
openproject-repo	no	❌
openxchange-repo	yes	❌
ox-connector-repo	no	❌
postfix-repo	yes	✅
postgresql-repo	yes	✅
univention-corporate-container-repo	yes	✅
ums-repo	no	❌
xwiki-repo	no	❌

Kubernetes Security Enforcements

This list gives you an overview of default security settings and if they comply with security standards:

Component	Process	=	allowPrivilegeEscalation (false)	capabilities (drop: ALL)	seccompProfile (RuntimeDefault)	readOnlyRootFilesystem (true)	runAsNonRoot (true)	runAsUser	runAsGroup	fsGroup
ClamAV	clamd	✅	✅	✅	✅	✅	✅	100	101	101
	freshclam	✅	✅	✅	✅	✅	✅	100	101	101
	icap	✅	✅	✅	✅	✅	✅	100	101	101
	milter	✅	✅	✅	✅	✅	✅	100	101	101
Collabora	collabora	❌	❌	❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT, MKNOD)	✅	❌	✅	100	101	100
CryptPad	npm	❌	✅	✅	✅	❌	✅	4001	4001	4001
Dovecot	dovecot	❌	✅	❌ (CHOWN, DAC_OVERRIDE, KILL, NET_BIND_SERVICE, SETGID, SETUID, SYS_CHROOT)	✅	✅	❌	-	-	1000
Element	element	✅	✅	✅	✅	✅	✅	101	101	101
	synapse	✅	✅	✅	✅	✅	✅	10991	-	10991
	synapseWeb	✅	✅	✅	✅	✅	✅	101	101	101
	wellKnown	✅	✅	✅	✅	✅	✅	101	101	101
IntercomService	intercom-service	✅	✅	✅	✅	✅	✅	1000	1000	1000
Jitsi	jibri	❌	❌	❌ (SYS_ADMIN)	✅	❌	❌	-	-	-
	jicofo	❌	✅	✅	✅	❌	❌	-	-	-
	jitsiKeycloakAdapter	✅	✅	✅	✅	✅	✅	1993	1993	-
	jvb	❌	✅	✅	✅	❌	❌	-	-	-
	prosody	❌	✅	✅	✅	❌	❌	-	-	-
	web	❌	✅	✅	✅	❌	❌	-	-	-
Keycloak	keycloak	❌	✅	✅	✅	❌	✅	1001	1001	1001
	keycloakConfigCli	✅	✅	✅	✅	✅	✅	1001	1001	1001
	keycloakExtensionHandler	✅	✅	✅	✅	✅	✅	1000	1000	-
	keycloakExtensionProxy	✅	✅	✅	✅	✅	✅	1000	1000	-
MariaDB	mariadb	✅	✅	✅	✅	✅	✅	1001	1001	1001
Memcached	memcached	✅	✅	✅	✅	✅	✅	1001	-	1001
Minio	minio	✅	✅	✅	✅	✅	✅	1000	1000	1000
Nextcloud	nextcloud	❌	✅	❌ (NET_BIND_SERVICE, SETGID, SETUID)	✅	❌	❌	-	-	33
	nextcloud-cron	❌	✅	✅	✅	❌	❌	-	-	33
	opendesk-nextcloud-bootstrap	❌	✅	❌	✅	❌	❌	-	-	33
Open-Xchange	core-documentconverter	❌	✅	✅	✅	❌	✅	987	1000	-
	core-guidedtours	✅	✅	✅	✅	✅	✅	1000	1000	-
	core-imageconverter	❌	✅	✅	✅	❌	✅	987	1000	-
	core-mw-default	❌	❌	❌	❌	❌	❌	-	-	-
	core-ui	✅	✅	✅	✅	✅	✅	1000	1000	-
	core-ui-middleware	✅	✅	✅	✅	✅	✅	1000	1000	-
	core-ui-middleware-updater	✅	✅	✅	✅	✅	✅	1000	1000	-
	core-user-guide	✅	✅	✅	✅	✅	✅	1000	1000	-
	gotenberg	✅	✅	✅	✅	✅	✅	1000	1000	-
	guard-ui	✅	✅	✅	✅	✅	✅	1000	1000	-
	nextlcoud-integration-ui	✅	✅	✅	✅	✅	✅	1000	1000	-
	public-sector-ui	✅	✅	✅	✅	✅	✅	1000	1000	-
OpenProject	openproject	❌	✅	❌	✅	❌	❌	-	-	-
Postfix	postfix	❌	❌	❌	✅	❌	❌	-	-	101
PostgreSQL	postgresql	✅	✅	✅	✅	✅	✅	1001	1001	1001
Redis	redis	❌	✅	✅	✅	✅	✅	1001	0	1001
UCC	univention-corporate-container	❌	❌	❌	❌	❌	❌	-	-	-
XWiki	xwiki	❌	✅	✅	✅	❌	✅	100	101	101
	xwiki initContainers	❌	❌	❌	✅	❌	❌	-	-	101