22 KiB
Security
This document should cover the current status of security measurements.
Helm Chart Trust Chain
Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
pubkey.gpg file and are validated during helmfile installation.
| Repository | OCI | Verifiable |
|---|---|---|
| bitnami-repo (openDesk build) | yes | ✅ |
| clamav-repo | yes | ✅ |
| collabora-online-repo | no | ❌ |
| cryptpad-online-repo | no | ❌ |
| intercom-service-repo | yes | ✅ |
| istio-resources-repo | yes | ✅ |
| jitsi-repo | yes | ✅ |
| keycloak-extensions-repo | no | ❌ |
| keycloak-theme-repo | yes | ✅ |
| mariadb-repo | yes | ✅ |
| nextcloud-repo | no | ❌ |
| opendesk-certificates-repo | yes | ✅ |
| opendesk-dovecot-repo | yes | ✅ |
| opendesk-element-repo | yes | ✅ |
| opendesk-keycloak-bootstrap-repo | yes | ✅ |
| opendesk-nextcloud-bootstrap-repo | yes | ✅ |
| opendesk-open-xchange-bootstrap-repo | yes | ✅ |
| openproject-repo | no | ❌ |
| openxchange-repo | yes | ❌ |
| ox-connector-repo | no | ❌ |
| postfix-repo | yes | ✅ |
| postgresql-repo | yes | ✅ |
| univention-corporate-container-repo | yes | ✅ |
| ums-repo | no | ❌ |
| xwiki-repo | no | ❌ |
Kubernetes Security Enforcements
This list gives you an overview of default security settings and if they comply with security standards:
| Component | Process | = | allowPrivilegeEscalation (false) |
capabilities (drop: ALL) |
seccompProfile (RuntimeDefault) |
readOnlyRootFilesystem (true) |
runAsNonRoot (true) |
runAsUser | runAsGroup | fsGroup |
|---|---|---|---|---|---|---|---|---|---|---|
| ClamAV | clamd | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 100 | 101 | 101 |
| freshclam | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 100 | 101 | 101 | |
| icap | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 100 | 101 | 101 | |
| milter | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 100 | 101 | 101 | |
| Collabora | collabora | ❌ | ❌ | ❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT, MKNOD) |
✅ | ❌ | ✅ | 100 | 101 | 100 |
| CryptPad | npm | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | 4001 | 4001 | 4001 |
| Dovecot | dovecot | ❌ | ✅ | ❌ (CHOWN, DAC_OVERRIDE, KILL, NET_BIND_SERVICE, SETGID, SETUID, SYS_CHROOT) |
✅ | ✅ | ❌ | - | - | 1000 |
| Element | element | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 101 | 101 | 101 |
| synapse | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 10991 | - | 10991 | |
| synapseWeb | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 101 | 101 | 101 | |
| wellKnown | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 101 | 101 | 101 | |
| IntercomService | intercom-service | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1000 | 1000 | 1000 |
| Jitsi | jibri | ❌ | ❌ | ❌ (SYS_ADMIN) |
✅ | ❌ | ❌ | - | - | - |
| jicofo | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | - | - | - | |
| jitsiKeycloakAdapter | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1993 | 1993 | - | |
| jvb | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | - | - | - | |
| prosody | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | - | - | - | |
| web | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | - | - | - | |
| Keycloak | keycloak | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | 1001 | 1001 | 1001 |
| keycloakConfigCli | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1001 | 1001 | 1001 | |
| keycloakExtensionHandler | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1000 | 1000 | - | |
| keycloakExtensionProxy | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1000 | 1000 | - | |
| MariaDB | mariadb | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1001 | 1001 | 1001 |
| Memcached | memcached | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1001 | - | 1001 |
| Minio | minio | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1000 | 1000 | 1000 |
| Nextcloud | nextcloud | ❌ | ✅ | ❌ (NET_BIND_SERVICE, SETGID, SETUID) |
✅ | ❌ | ❌ | - | - | 33 |
| nextcloud-cron | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | - | - | 33 | |
| opendesk-nextcloud-bootstrap | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | - | - | 33 | |
| Open-Xchange | core-documentconverter | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | 987 | 1000 | - |
| core-guidedtours | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1000 | 1000 | - | |
| core-imageconverter | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | 987 | 1000 | - | |
| core-mw-default | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | - | - | - | |
| core-ui | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1000 | 1000 | - | |
| core-ui-middleware | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1000 | 1000 | - | |
| core-ui-middleware-updater | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1000 | 1000 | - | |
| core-user-guide | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1000 | 1000 | - | |
| gotenberg | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1000 | 1000 | - | |
| guard-ui | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1000 | 1000 | - | |
| nextlcoud-integration-ui | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1000 | 1000 | - | |
| public-sector-ui | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1000 | 1000 | - | |
| OpenProject | openproject | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | - | - | - |
| Postfix | postfix | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | - | - | 101 |
| PostgreSQL | postgresql | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1001 | 1001 | 1001 |
| Redis | redis | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | 1001 | 0 | 1001 |
| UCC | univention-corporate-container | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | - | - | - |
| XWiki | xwiki | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | 100 | 101 | 101 |
| xwiki initContainers | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | - | - | 101 |
NetworkPolicies
Kubernetes NetworkPolicies are an important measure to secure your kubernetes apps and clusters. When applied, they restrict the traffic to your services. This protects other deployments in your cluster or other services in your deployment to get compromised when one component is compromised.
We ship a default set of Otterize ClientIntents via Otterize intents operator which translates intent-based access control (IBAC) into kubernetes native NetworkPolicies.
This requires the Otterize intents operator to be installed.
security:
otterizeIntents:
enabled: true