opendesk/docs/security-context.md
Thorsten Roßner 9980d50dce chore(release): 1.7.0 [skip ci]
# [1.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.6.0...v1.7.0) (2025-08-11)

### Bug Fixes

* **collabora:** Connect to Collabora Controller websocket via service ([5d01f60](5d01f6023d))
* **collabora:** Update from 25.04.2 to 25.04.3 ([3507c62](3507c62f83))
* **helmfile:** Adds default-enterprise-overrides to default values in helmfile-generic ([672e649](672e649b60))
* **nextcloud:** Block filesystem-unsafe characters in file and folder names ([0df6212](0df6212ca9))
* **nextcloud:** Include latest Helm chart version with supports `configuration.sharing.restrictUserEnumerationToGroup` ([c3dfa2a](c3dfa2a607))
* **notes:** Set Pod Disruption Budget (PDB) labels ([e35dac0](e35dac087a))
* **nubus:** Add `livenessProbe` for `nubusUdmListener` to mitigate cases where the listener becomes uninitialized and stops forwarding provisioning data to NATS. Temporary until upstream provides a probe ([ef8d67f](ef8d67f3c1))
* **open-xchange:** Disable documents role ([573e11f](573e11f5c5))
* **open-xchange:** Postfix to support submissions and external secrets ([13ab665](13ab665900))
* **open-xchange:** Support application specific passwords in groupware when CalDAV/CardDAV support is enabled, see `functional.groupware.davSupport.enabled` for reference ([90b2290](90b22904da))
* **open-xchange:** Use dedicated pod for migration ([6fd52b1](6fd52b167e))
* **opendesk-certificates:** Update Helm chart to remove default host for `webmail` being set even if OX App Suite is not enabled ([09a0aac](09a0aace45))
* **opendesk-services:** Update opendesk-alerts from 1.1.1 to 1.1.2, update opendesk-dashboards from 1.1.1 to 1.1.2 ([174d4fc](174d4fc61c))
* **openproject:** Update from 16.2.0 to 16.2.1 ([bba9b71](bba9b716a3))
* **ox-connector:** Update OX Connector and OX Extension to v0.27.2; review `migrations.md` for required upgrade steps ([9d51e40](9d51e40063))

### Features

* **nextcloud:** Enhance theming options for Nextcloud ([bdc7331](bdc7331cb5))
* **notes:** Switch to new Helm chart with support for self-signed deployments; review `migrations.md` for required upgrade steps ([3106ca7](3106ca793e))
* **nubus:** Allow configuration of limits for password reset requests via `security.passwordResetLimits` ([09f54b4](09f54b4134))
* **nubus:** Update from 1.11.2 to 1.12.0 ([5537dbb](5537dbbd7c))
* **open-xchange:** Update from 8.38 to 8.39 ([489986e](489986e906))
* **open-xchange:** Use internal endpoint for provisioning and support for optionally spinning up a dedicated internal Pod just for provisioning (see `technial.oxAppSuite.provisioning.dedicatedCoreMwPod` for details) ([31b7ec7](31b7ec7827))
* **openproject:** Update from 16.1.1 to 16.2.0 ([e273abb](e273abbecf))
2025-08-11 05:22:15 +00:00


# Kubernetes Security Context

## Container Security Context

The `containerSecurityContext` is the most important security-related section because it has the highest precedence and restricts the container to its minimal privileges.

### allowPrivilegeEscalation

Privilege escalation (such as via set-user-ID or set-group-ID file modes) must not be allowed (Linux only) at any time.

```yaml
containerSecurityContext:
  allowPrivilegeEscalation: false
```

### capabilities

Containers must drop ALL capabilities and are only permitted to add back the NET_BIND_SERVICE capability (Linux only).

Optimal:

```yaml
containerSecurityContext:
  capabilities:
    drop:
      - "ALL"
```

Allowed:

```yaml
containerSecurityContext:
  capabilities:
    drop:
      - "ALL"
    add:
      - "NET_BIND_SERVICE"
```

### privileged

Privileged Pods disable most security mechanisms and must be disallowed.

```yaml
containerSecurityContext:
  privileged: false
```

### runAsUser

Containers should set a user ID >= 1000 and never use 0 (root) as user.

```yaml
containerSecurityContext:
  runAsUser: 1000
```

### runAsGroup

Containers should set a group ID >= 1000 and never use 0 (root) as group.

```yaml
containerSecurityContext:
  runAsGroup: 1000
```

### seccompProfile

The `seccompProfile` must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.

```yaml
containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"
```

or

```yaml
containerSecurityContext:
  seccompProfile:
    type: "Localhost"
```

### readOnlyRootFilesystem

Containers should have an immutable root filesystem, so that attackers cannot modify application code or download malicious code.

```yaml
containerSecurityContext:
  readOnlyRootFilesystem: true
```

### runAsNonRoot

Containers must be required to run as non-root users.

```yaml
containerSecurityContext:
  runAsNonRoot: true
```

## Status quo

openDesk aims to ensure that all security-relevant settings are explicitly templated and comply with the security recommendations above.

The rendered manifests are also validated against Kyverno policies in CI to ensure that the values provided by openDesk are properly templated by the Helm charts.
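The following script is an added example and is not part of the openDesk documentation, its Helm charts or its CI CLI. It applies the container rules from the section above to a rendered manifest (the JSON form that `helm template` or `kubectl get ... -o json` produce) and reports every container in the same `yes` / `no` / `n/a` convention as the status table below, together with the concrete rule violations. The sample Deployment, its container names and images, and all function names are constructed for this example. One assumption that goes beyond the table: for `runAsUser`, `runAsGroup`, `runAsNonRoot` and `seccompProfile` the script falls back to the Pod-level `securityContext` when the container does not set the field, which is how Kubernetes resolves the effective value (the container value always wins).

```python
"""Added example, not part of the openDesk docs or its CI CLI: audit a rendered
manifest against the container security context rules and report each container
in the status table's yes / no / n/a convention."""
import json

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}
MIN_ID = 1000
# Fields a container inherits from the Pod-level securityContext when it does
# not set them itself (container values always take precedence).
INHERITED = ("runAsUser", "runAsGroup", "runAsNonRoot", "seccompProfile")
COLUMNS = ("allowPrivilegeEscalation", "privileged", "readOnlyRootFilesystem",
           "runAsNonRoot", "runAsUser", "runAsGroup", "seccompProfile", "capabilities")

def pod_spec(manifest):
    """Return the PodSpec of a Pod, or of a workload that wraps a Pod template."""
    spec = manifest.get("spec", {})
    return spec["template"]["spec"] if "template" in spec else spec

def effective_context(container, pod_sc):
    """Merge the container securityContext with the inheritable Pod-level fields."""
    sc = dict(container.get("securityContext") or {})
    for field in INHERITED:
        if field not in sc and field in pod_sc:
            sc[field] = pod_sc[field]
    return sc

def flag(value):
    """Map a boolean field to the table convention: yes (true), no (false), n/a (unset)."""
    return "n/a" if value is None else ("yes" if value else "no")

def evaluate(sc):
    """Return (row, findings): the table row for one container and its rule violations."""
    findings = []
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not false")
    if sc.get("privileged") is not False:
        findings.append("privileged is not false")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("readOnlyRootFilesystem is not true")
    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot is not true")
    for field in ("runAsUser", "runAsGroup"):
        value = sc.get(field)
        if value is None or value < MIN_ID:
            findings.append(f"{field} is {value!r}, expected an id >= {MIN_ID} (never 0)")
    seccomp = (sc.get("seccompProfile") or {}).get("type")
    if seccomp not in ALLOWED_SECCOMP:
        findings.append(f"seccompProfile.type is {seccomp!r}, expected RuntimeDefault or Localhost")
    caps = sc.get("capabilities") or {}
    dropped = {c.upper() for c in caps.get("drop") or []}
    added = {c.upper() for c in caps.get("add") or []}
    caps_ok = "ALL" in dropped and added <= ALLOWED_ADDED_CAPS
    if not caps_ok:
        findings.append("capabilities must drop ALL and add at most NET_BIND_SERVICE "
                        f"(drop={sorted(dropped)}, add={sorted(added)})")
    caps_cell = "yes" if caps_ok else "no"
    if not caps_ok and added:  # list the added capabilities like the status table does
        caps_cell += " " + json.dumps(sorted(added), separators=(",", ":"))
    row = {name: flag(sc.get(name)) for name in COLUMNS[:4]}
    row["runAsUser"] = "n/a" if sc.get("runAsUser") is None else str(sc["runAsUser"])
    row["runAsGroup"] = "n/a" if sc.get("runAsGroup") is None else str(sc["runAsGroup"])
    row["seccompProfile"] = "n/a" if seccomp is None else flag(seccomp in ALLOWED_SECCOMP)
    row["capabilities"] = caps_cell
    return row, findings

def audit(manifest):
    """Evaluate every container (init containers included) of one rendered manifest."""
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext") or {}
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    return {c["name"]: evaluate(effective_context(c, pod_sc)) for c in containers}

def markdown_row(name, row):
    """Render one container as a row of the status table (status column left blank)."""
    return "| " + " | ".join([name, ""] + [row[col] for col in COLUMNS]) + " |"

# Constructed sample: a Deployment whose "app" container is fully compliant
# (inheriting the run-as and seccomp settings from the Pod level) and whose
# "legacy" container violates several rules. All names are made up for this example.
SAMPLE = json.loads("""
{"kind": "Deployment", "metadata": {"name": "example"},
 "spec": {"template": {"spec": {
   "securityContext": {"runAsNonRoot": true, "runAsUser": 1000, "runAsGroup": 1000,
                       "seccompProfile": {"type": "RuntimeDefault"}},
   "containers": [
     {"name": "app", "image": "example/app:1.0",
      "securityContext": {"allowPrivilegeEscalation": false, "privileged": false,
                          "readOnlyRootFilesystem": true,
                          "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}},
     {"name": "legacy", "image": "example/legacy:1.0",
      "securityContext": {"privileged": false, "runAsNonRoot": false, "runAsUser": 0,
                          "capabilities": {"add": ["SYS_ADMIN", "CHOWN"]}}}
   ]}}}}
""")

if __name__ == "__main__":
    for name, (row, findings) in audit(SAMPLE).items():
        print(markdown_row(name, row))
        for finding in findings:
            print(f"  - {finding}")
```

Run stand-alone it prints one table row per container followed by the violated rules; the `app` container yields no findings, while `legacy` is flagged for the missing `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`, for running as root, and for adding capabilities without dropping ALL. To audit real charts, pipe `helm template ... | yq -o json` (or `kubectl get deploy <name> -o json`) into `json.load` and call `audit` on each document; the Kyverno checks in CI enforce the same rules at admission time, this script only makes the expected values visible during chart development.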

The following table gives an overview of the templated security settings and whether they comply with the recommendations above:

* yes: Value is set to true
* no: Value is set to false
* n/a: Not explicitly templated in openDesk; the default is used.

| process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| collabora/collabora-online |  | yes | no | no | yes | 1001 | 1001 | yes | no ["CHOWN","FOWNER","SYS_CHROOT"] |
| cryptpad/cryptpad |  | no | no | no | yes | 4001 | 4001 | yes | yes |
| element/matrix-neoboard-widget |  | no | no | yes | yes | 101 | 101 | yes | yes |
| element/matrix-neochoice-widget |  | no | no | yes | yes | 101 | 101 | yes | yes |
| element/matrix-neodatefix-bot |  | no | no | yes | yes | 101 | 101 | yes | yes |
| element/matrix-neodatefix-bot-bootstrap |  | no | no | yes | yes | 101 | 101 | yes | yes |
| element/matrix-neodatefix-widget |  | no | no | yes | yes | 101 | 101 | yes | yes |
| element/opendesk-element |  | no | no | yes | yes | 101 | 101 | yes | yes |
| element/opendesk-matrix-user-verification-service |  | no | no | no | yes | 1000 | 1000 | yes | yes |
| element/opendesk-matrix-user-verification-service-bootstrap |  | no | no | yes | yes | 101 | 101 | yes | yes |
| element/opendesk-synapse |  | no | no | yes | yes | 10991 | 10991 | yes | yes |
| element/opendesk-synapse-web |  | no | no | yes | yes | 101 | 101 | yes | yes |
| element/opendesk-well-known |  | no | no | yes | yes | 101 | 101 | yes | yes |
| jitsi/jitsi |  | no | no | yes | yes | 1993 | 1993 | yes | yes |
| jitsi/jitsi/jitsi/jibri |  | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
| jitsi/jitsi/jitsi/jicofo |  | no | no | no | no | 0 | 0 | yes | no |
| jitsi/jitsi/jitsi/jigasi |  | no | no | no | no | 0 | 0 | yes | no |
| jitsi/jitsi/jitsi/jvb |  | no | no | no | no | 0 | 0 | yes | no |
| jitsi/jitsi/jitsi/prosody |  | no | no | no | no | 0 | 0 | yes | no |
| jitsi/jitsi/jitsi/web |  | no | no | no | no | 0 | 0 | yes | no |
| jitsi/jitsi/patchJVB |  | no | no | yes | yes | 1001 | 1001 | yes | yes |
| nextcloud/opendesk-nextcloud-management |  | no | no | no | yes | 101 | 101 | yes | yes |
| nextcloud/opendesk-nextcloud-notifypush |  | no | no | yes | yes | 101 | 101 | yes | yes |
| nextcloud/opendesk-nextcloud/aio |  | no | no | yes | yes | 101 | 101 | yes | yes |
| nextcloud/opendesk-nextcloud/exporter |  | no | no | yes | yes | 65532 | 65532 | yes | yes |
| notes/impress/backend |  | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no |
| notes/impress/frontend |  | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no |
| notes/impress/y-provider |  | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no |
| nubus/intercom-service |  | no | no | yes | yes | 1000 | 1000 | yes | yes |
| nubus/intercom-service/provisioning |  | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
| nubus/opendesk-keycloak-bootstrap |  | no | no | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/keycloak |  | no | n/a | no | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusKeycloakBootstrap |  | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusKeycloakExtensions/handler |  | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
| nubus/ums/nubusKeycloakExtensions/proxy |  | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusLdapNotifier |  | no | n/a | yes | yes | 101 | 102 | yes | yes |
| nubus/ums/nubusNotificationsApi |  | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusPortalConsumer |  | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
| nubus/ums/nubusPortalFrontend |  | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusPortalServer |  | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusProvisioning |  | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusProvisioning/nats |  | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusSelfServiceConsumer |  | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusStackDataUms |  | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusUdmListener |  | no | n/a | yes | yes | 102 | 65534 | yes | yes |
| nubus/ums/nubusUdmRestApi |  | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusUmcGateway |  | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusUmcServer |  | no | n/a | yes | yes | 999 | 999 | yes | yes |
| open-xchange/dovecot |  | no | n/a | yes | n/a | n/a | n/a | yes | no ["CHOWN","DAC_OVERRIDE","KILL","NET_BIND_SERVICE","SETGID","SETUID","SYS_CHROOT"] |
| open-xchange/open-xchange/appsuite/core-documentconverter |  | no | no | no | yes | 987 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/core-guidedtours |  | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/core-imageconverter |  | no | no | no | yes | 987 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/core-mw/gotenberg |  | no | no | yes | yes | 1001 | 1001 | yes | yes |
| open-xchange/open-xchange/appsuite/core-ui |  | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/core-ui-middleware |  | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/core-user-guide |  | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/guard-ui |  | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/nextcloud-integration-ui |  | no | no | no | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/public-sector-ui |  | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/opendesk-open-xchange-bootstrap |  | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/postfix-ox |  | yes | yes | yes | no | 0 | 0 | yes | no |
| opendesk-migrations-post/opendesk-migrations-post |  | no | no | yes | yes | 1000 | 1000 | yes | yes |
| opendesk-migrations-pre/opendesk-migrations-pre |  | no | no | yes | yes | 1000 | 1000 | yes | yes |
| opendesk-openproject-bootstrap/opendesk-openproject-bootstrap |  | no | no | yes | yes | 1000 | 1000 | yes | yes |
| opendesk-services/opendesk-static-files |  | no | n/a | yes | yes | 101 | 101 | yes | yes |
| openproject/openproject |  | no | no | yes | yes | 1000 | 1000 | yes | yes |
| services-external/cassandra |  | no | no | yes | yes | 1001 | 1001 | yes | yes |
| services-external/clamav |  | no | no | yes | no | 0 | 0 | yes | no |
| services-external/clamav-simple |  | no | no | yes | yes | 100 | 101 | yes | yes |
| services-external/clamav/clamd |  | no | no | yes | yes | 100 | 101 | yes | yes |
| services-external/clamav/freshclam |  | no | no | yes | yes | 100 | 101 | yes | yes |
| services-external/clamav/icap |  | no | no | yes | yes | 100 | 101 | yes | yes |
| services-external/clamav/milter |  | no | no | yes | yes | 100 | 101 | yes | yes |
| services-external/mariadb |  | no | no | yes | yes | 1001 | 1001 | yes | yes |
| services-external/memcached |  | no | no | yes | yes | 1001 | 1001 | yes | yes |
| services-external/minio |  | no | no | yes | yes | 1001 | 1001 | yes | yes |
| services-external/opendesk-dkimpy-milter |  | yes | no | yes | yes | 1000 | 1000 | yes | no |
| services-external/postfix |  | yes | yes | yes | no | 0 | 0 | yes | no |
| services-external/postgresql |  | no | no | yes | yes | 1001 | 1001 | yes | yes |
| services-external/redis/master |  | no | no | yes | yes | 1001 | 1001 | yes | yes |
| xwiki/xwiki |  | no | no | yes | yes | 100 | 101 | yes | yes |

This file is auto-generated by openDesk CI CLI