opendesk/docs/security.md

Security

This document should cover the current status of security measurements.

• Helm Chart Trust Chain
• Kubernetes Security Enforcements
• NetworkPolicies

Helm Chart Trust Chain

Helm charts are signed and validated against GPG keys which could be found in helmfile/files/gpg-pubkeys.

All charts except these are verifiable:

Repository	Verifiable
collabora-repo	no
open-xchange-repo	no

Kubernetes Security Enforcements

This list gives you an overview of default security settings and if they comply with security standards:

Component	Process	=	allowPrivilegeEscalation (false)	capabilities (drop: ALL)	seccompProfile (RuntimeDefault)	readOnlyRootFilesystem (true)	runAsNonRoot (true)	runAsUser	runAsGroup	fsGroup
ClamAV	clamd	✅	✅	✅	✅	✅	✅	100	101	101
	freshclam	✅	✅	✅	✅	✅	✅	100	101	101
	icap	✅	✅	✅	✅	✅	✅	100	101	101
	milter	✅	✅	✅	✅	✅	✅	100	101	101
Collabora	collabora	❌	❌	❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT, MKNOD)	✅	❌	✅	100	101	100
CryptPad	cryptpad	❌	✅	✅	✅	❌	✅	4001	4001	4001
Dovecot	dovecot	❌	✅	❌ (CHOWN, DAC_OVERRIDE, KILL, NET_BIND_SERVICE, SETGID, SETUID, SYS_CHROOT)	✅	✅	❌	-	-	1000
Element	element	✅	✅	✅	✅	✅	✅	101	101	101
	synapse	✅	✅	✅	✅	✅	✅	10991	-	10991
	synapseWeb	✅	✅	✅	✅	✅	✅	101	101	101
	wellKnown	✅	✅	✅	✅	✅	✅	101	101	101
IntercomService	intercom-service	✅	✅	✅	✅	✅	✅	1000	1000	1000
Jitsi	jibri	❌	❌	❌ (SYS_ADMIN)	✅	❌	❌	-	-	-
	jicofo	❌	✅	✅	✅	❌	❌	-	-	-
	jitsiKeycloakAdapter	✅	✅	✅	✅	✅	✅	1993	1993	-
	jvb	❌	✅	✅	✅	❌	❌	-	-	-
	prosody	❌	✅	✅	✅	❌	❌	-	-	-
	web	❌	✅	✅	✅	❌	❌	-	-	-
MariaDB	mariadb	✅	✅	✅	✅	✅	✅	1001	1001	1001
Memcached	memcached	✅	✅	✅	✅	✅	✅	1001	-	1001
Minio	minio	✅	✅	✅	✅	✅	✅	1000	1000	1000
Nextcloud	opendesk-nextcloud-apache2	✅	✅	✅	✅	✅	✅	65532	65532	65532
	opendesk-nextcloud-cron	✅	✅	✅	✅	✅	✅	65532	65532	65532
	opendesk-nextcloud-exporter	✅	✅	✅	✅	✅	✅	65532	65532	65532
	opendesk-nextcloud-management	❌	✅	✅	✅	❌	✅	65532	65532	65532
	opendesk-nextcloud-php	✅	✅	✅	✅	✅	✅	65532	65532	65532
Open-Xchange	core-documentconverter	❌	✅	✅	✅	❌	✅	987	1000	-
	core-guidedtours	✅	✅	✅	✅	✅	✅	1000	1000	-
	core-imageconverter	❌	✅	✅	✅	❌	✅	987	1000	-
	core-mw-default	❌	❌	❌	❌	❌	❌	-	-	-
	core-ui	✅	✅	✅	✅	✅	✅	1000	1000	-
	core-ui-middleware	✅	✅	✅	✅	✅	✅	1000	1000	-
	core-ui-middleware-updater	✅	✅	✅	✅	✅	✅	1000	1000	-
	core-user-guide	✅	✅	✅	✅	✅	✅	1000	1000	-
	gotenberg	✅	✅	✅	✅	✅	✅	1000	1000	-
	guard-ui	✅	✅	✅	✅	✅	✅	1000	1000	-
	nextlcoud-integration-ui	✅	✅	✅	✅	✅	✅	1000	1000	-
	public-sector-ui	✅	✅	✅	✅	✅	✅	1000	1000	-
OpenProject	openproject	✅	✅	✅	✅	✅	✅	1000	1000	1000
	opendeskOpenprojectBootstrap	✅	✅	✅	✅	✅	✅	1000	1000	1000
Postfix	postfix	❌	❌	❌	✅	❌	❌	-	-	101
PostgreSQL	postgresql	✅	✅	✅	✅	✅	✅	1001	1001	1001
Redis	redis	❌	✅	✅	✅	✅	✅	1001	0	1001
Univention Management Stack	guardian-authorization-api	❌	✅	❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT)	✅	❌	❌	-	-	-
	guardian-management-api	❌	✅	❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT)	✅	❌	❌	-	-	-
	guardian-management-ui	❌	✅	❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT)	✅	❌	❌	-	-	-
	keycloak	❌	✅	✅	✅	❌	✅	1000	1000	1000
	keycloak-bootstrap	❌	✅	✅	✅	❌	✅	1000	1000	1000
	keycloak-extension-handler	✅	✅	✅	✅	✅	✅	1000	1000	-
	keycloak-extension-proxy	✅	✅	✅	✅	✅	✅	1000	1000	-
	ldap-notifier	❌	✅	✅	✅	❌	❌	-	-	-
	ldap-server	❌	✅	❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT)	✅	❌	❌	-	-	-
	notifications-api	❌	✅	✅	✅	❌	❌	-	-	-
	opendesk-keycloak-bootstrap	✅	✅	✅	✅	✅	✅	1000	1000	1000
	open-policy-agent	❌	✅	❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT)	✅	❌	❌	-	-	-
	portal-frontend	❌	✅	❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT)	✅	❌	❌	-	-	-
	portal-listener	❌	✅	❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT)	✅	❌	❌	-	-	-
	portal-server	❌	✅	❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT)	✅	❌	❌	-	-	-
	provisioning-api	❌	✅	✅	✅	❌	❌	-	-	-
	selfservice-listener	❌	✅	❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT)	✅	❌	❌	-	-	-
	stack-gateway	✅	✅	✅	✅	✅	✅	1001	1001	1001
	store-dav	❌	✅	❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT)	✅	❌	❌	-	-	-
	udm-rest-api	❌	✅	❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT)	✅	❌	❌	-	-	-
	umc-gateway	❌	✅	❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT)	✅	❌	❌	-	-	-
	umc-server	❌	✅	❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT)	✅	❌	❌	-	-	-
XWiki	xwiki	❌	✅	✅	✅	❌	✅	100	101	101
	xwiki initContainers	❌	❌	❌	✅	❌	❌	-	-	101

NetworkPolicies

Kubernetes NetworkPolicies are an important measure to secure your kubernetes apps and clusters. When applied, they restrict the traffic to your services. This protects other deployments in your cluster or other services in your deployment to get compromised when one component is compromised.

We ship a default set of Otterize ClientIntents via Otterize intents operator which translates intent-based access control (IBAC) into kubernetes native NetworkPolicies.

This requires the Otterize intents operator to be installed.

security:
  otterizeIntents:
    enabled: true