Mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git, synced 2025-12-06 07:21:36 +01:00
# Security

This document covers the current status of the security measures in place.
## Helm Chart Trust Chain

Helm charts released through the openDesk CI/CD process are always signed. The public GPG keys are stored in the `pubkey.gpg` file and are used to validate the chart signatures during the helmfile installation.

| Repository | OCI | Verifiable |
|---|---|---|
| bitnami-repo (openDesk build) | yes | ✅ |
| clamav-repo | yes | ✅ |
| collabora-online-repo | no | ❌ |
| cryptpad-online-repo | no | ❌ |
| intercom-service-repo | yes | ✅ |
| istio-resources-repo | yes | ✅ |
| jitsi-repo | yes | ✅ |
| keycloak-extensions-repo | no | ❌ |
| keycloak-theme-repo | yes | ✅ |
| mariadb-repo | yes | ✅ |
| nextcloud-repo | no | ❌ |
| opendesk-certificates-repo | yes | ✅ |
| opendesk-dovecot-repo | yes | ✅ |
| opendesk-element-repo | yes | ✅ |
| opendesk-keycloak-bootstrap-repo | yes | ✅ |
| opendesk-nextcloud-bootstrap-repo | yes | ✅ |
| opendesk-open-xchange-bootstrap-repo | yes | ✅ |
| openproject-repo | no | ❌ |
| openxchange-repo | yes | ❌ |
| ox-connector-repo | no | ❌ |
| postfix-repo | yes | ✅ |
| postgresql-repo | yes | ✅ |
| univention-corporate-container-repo | yes | ✅ |
| ums-repo | no | ❌ |
| xwiki-repo | no | ❌ |
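As an added example (it is not part of the openDesk repository or its tooling), the Python script below performs the digest half of the provenance check that `helm verify` or `helm pull --verify --keyring pubkey.gpg` runs: it parses the clear-signed `.prov` file that `helm package --sign` produces, compares the sha256 listed under `files:` with the downloaded tarball, and delegates the signature check to a locally installed `gpg`, with `pubkey.gpg` as the only trusted keyring. The chart name, the tarball bytes and the provenance text in the sample are constructed; the `.prov` layout follows Helm's provenance format, and the keyring is assumed to be in binary GPG format, which is what `helm` itself requires.

```python
"""Verify a Helm chart tarball against its .prov provenance file.

Added example, not openDesk code. It covers the digest half of what
`helm verify` / `helm pull --verify --keyring pubkey.gpg` does: a .prov file
is a PGP clear-signed message whose trailing `files:` section lists the
sha256 of the packaged chart. The signature half is delegated to `gpg`.
"""
import hashlib
import re
import shutil
import subprocess
from pathlib import Path
from typing import Dict, Optional

# Digest line as written by `helm package --sign`: "  <chart>.tgz: sha256:<hex>"
_FILE_LINE = re.compile(r"^\s+(?P<name>\S+\.tgz):\s*sha256:(?P<hex>[0-9a-f]{64})\s*$")


def parse_provenance(prov_text: str) -> Dict[str, str]:
    """Return {tarball name: sha256 hex} from the signed part of a .prov file."""
    digests: Dict[str, str] = {}
    in_body = False
    for line in prov_text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            in_body = True
            continue
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break  # anything after the signature header is not covered by it
        if in_body:
            m = _FILE_LINE.match(line)
            if m:
                digests[m.group("name")] = m.group("hex")
    return digests


def digest_matches(prov_text: str, tgz_name: str, tgz_bytes: bytes) -> bool:
    """True only if the provenance lists tgz_name and the sha256 agrees."""
    expected = parse_provenance(prov_text).get(tgz_name)
    if expected is None:
        return False
    return hashlib.sha256(tgz_bytes).hexdigest() == expected


def signature_valid(prov_path: Path, keyring: Path) -> Optional[bool]:
    """Check the clear-signature with gpg; None when gpg is not installed.

    --no-default-keyring restricts trust to the keys shipped in pubkey.gpg
    (assumed to be a binary keyring, the format helm itself requires).
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    result = subprocess.run(
        [gpg, "--batch", "--no-default-keyring", "--keyring", str(keyring.resolve()),
         "--verify", str(prov_path)],
        capture_output=True,
    )
    return result.returncode == 0


# Constructed sample: stand-in tarball bytes and the provenance body helm
# would emit for them; the signature block is a placeholder, not a real one.
SAMPLE_TGZ = b"stand-in bytes for mychart-0.1.0.tgz (constructed)"
SAMPLE_PROV = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

apiVersion: v2
name: mychart
version: 0.1.0

...
files:
  mychart-0.1.0.tgz: sha256:{hashlib.sha256(SAMPLE_TGZ).hexdigest()}
-----BEGIN PGP SIGNATURE-----
placeholder
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    print("intact  :", digest_matches(SAMPLE_PROV, "mychart-0.1.0.tgz", SAMPLE_TGZ))
    print("tampered:", digest_matches(SAMPLE_PROV, "mychart-0.1.0.tgz", SAMPLE_TGZ + b"\x00"))
```

A digest match on its own proves nothing about who built the chart, so in a pipeline treat `signature_valid` returning `None` (no `gpg` available) the same as a failed signature. Charts marked as not verifiable in the table above ship without a `.prov` file, and this check cannot be applied to them.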
## Kubernetes Security Enforcements

This table gives an overview of the default security settings of each component's processes and whether they comply with security standards:

| Component | Process | = | allowPrivilegeEscalation (false) | capabilities (drop: ALL) | seccompProfile (RuntimeDefault) | readOnlyRootFilesystem (true) | runAsNonRoot (true) | runAsUser | runAsGroup | fsGroup |
|---|---|---|---|---|---|---|---|---|---|---|
| ClamAV | clamd | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 100 | 101 | 101 |
| | freshclam | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 100 | 101 | 101 |
| | icap | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 100 | 101 | 101 |
| | milter | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 100 | 101 | 101 |
| Collabora | collabora | ❌ | ❌ | ❌ (CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT, MKNOD) | ✅ | ❌ | ✅ | 100 | 101 | 100 |
| CryptPad | cryptpad | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | 4001 | 4001 | 4001 |
| Element | element | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 101 | 101 | 101 |
| | synapse | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 10991 | - | 10991 |
| | synapseWeb | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 101 | 101 | 101 |
| | wellKnown | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 101 | 101 | 101 |
| Jitsi | jibri | ❌ | ❌ | ❌ (SYS_ADMIN) | ✅ | ❌ | ❌ | - | - | - |
| | jicofo | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | - | - | - |
| | jitsiKeycloakAdapter | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1993 | 1993 | - |
| | jvb | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | - | - | - |
| | prosody | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | - | - | - |
| | web | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | - | - | - |
| Keycloak | keycloak | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | 1001 | 1001 | 1001 |
| | keycloakConfigCli | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1001 | 1001 | 1001 |
| | keycloakExtensionHandler | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1000 | 1000 | - |
| | keycloakExtensionProxy | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1000 | 1000 | - |
| MariaDB | mariadb | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1001 | 1001 | 1001 |
| Memcached | memcached | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1001 | - | 1001 |
| Postfix | postfix | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | - | - | 101 |
| OpenProject | openproject | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | - | - | - |
| PostgreSQL | postgresql | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 1001 | 1001 | 1001 |
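As an added example (not part of the openDesk repository or its Helm charts), the Python script below audits a running Pod against the same settings the table lists. It takes the JSON that `kubectl get pod <name> -o json` prints, applies the pod-level `securityContext` fields a container inherits unless it overrides them, and reports per container which settings deviate, plus the effective `runAsUser`, `runAsGroup` and `fsGroup`. The sample Pod is constructed, with one hardened container and one that fails several checks; the container and image names in it are placeholders.

```python
"""Audit a Pod's security settings against the columns of the table above.

Added example, not part of the openDesk repository. Input is the JSON that
`kubectl get pod <name> -o json` prints; the sample below is constructed,
with one hardened container and one that fails several checks.
"""
import json
from typing import Dict, List

# (report label, securityContext field, required value), one per table column
BOOL_CHECKS = (
    ("allowPrivilegeEscalation (false)", "allowPrivilegeEscalation", False),
    ("readOnlyRootFilesystem (true)", "readOnlyRootFilesystem", True),
    ("runAsNonRoot (true)", "runAsNonRoot", True),
)
# Pod-level fields a container inherits unless it sets its own value
INHERITED = ("runAsNonRoot", "runAsUser", "runAsGroup", "seccompProfile")


def effective_context(pod_sc: dict, container: dict) -> dict:
    """Container securityContext with inheritable pod-level defaults applied."""
    merged = {k: v for k, v in pod_sc.items() if k in INHERITED}
    merged.update(container.get("securityContext") or {})
    return merged


def audit_container(pod_sc: dict, container: dict) -> dict:
    """Return {"checks": {label: bool}, "ids": {...}} for one container."""
    sc = effective_context(pod_sc, container)
    # An unset field counts as non-compliant: the Kubernetes default is the
    # permissive value for every setting checked here.
    checks = {label: sc.get(field) is want for label, field, want in BOOL_CHECKS}
    caps = sc.get("capabilities") or {}
    checks["capabilities (drop: ALL)"] = (
        "ALL" in (caps.get("drop") or []) and not caps.get("add")
    )
    seccomp = (sc.get("seccompProfile") or {}).get("type")
    checks["seccompProfile (RuntimeDefault)"] = seccomp == "RuntimeDefault"
    # runAsNonRoot: true together with runAsUser: 0 is contradictory (the
    # kubelet refuses to start such a container), so do not trust the flag alone.
    if sc.get("runAsUser") == 0:
        checks["runAsNonRoot (true)"] = False
    ids = {
        "runAsUser": sc.get("runAsUser"),
        "runAsGroup": sc.get("runAsGroup"),
        "fsGroup": pod_sc.get("fsGroup"),  # fsGroup exists only at pod level
    }
    return {"checks": checks, "ids": ids}


def audit_pod_json(pod_json: str) -> Dict[str, dict]:
    """Audit every container and init container of a Pod given as JSON text."""
    spec = json.loads(pod_json)["spec"]
    pod_sc = spec.get("securityContext") or {}
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return {c["name"]: audit_container(pod_sc, c) for c in containers}


def compliant_containers(pod_json: str) -> List[str]:
    """Names of the containers that pass every check (one overall verdict each)."""
    report = audit_pod_json(pod_json)
    return [name for name, r in report.items() if all(r["checks"].values())]


# Constructed sample Pod (placeholder names and images), as kubectl would print it
SAMPLE_POD_JSON = """
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "constructed-sample"},
  "spec": {
    "securityContext": {"runAsNonRoot": true, "runAsUser": 1001, "runAsGroup": 1001,
                        "fsGroup": 1001, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
      {"name": "hardened", "image": "example/app:1",
       "securityContext": {"allowPrivilegeEscalation": false,
                           "readOnlyRootFilesystem": true,
                           "capabilities": {"drop": ["ALL"]}}},
      {"name": "legacy", "image": "example/legacy:1",
       "securityContext": {"runAsUser": 0,
                           "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}
    ]
  }
}
"""

if __name__ == "__main__":
    for name, r in audit_pod_json(SAMPLE_POD_JSON).items():
        print(name, r["ids"])
        for label, ok in r["checks"].items():
            print("   ", "ok  " if ok else "FAIL", label)
```

Pipe `kubectl get pod <name> -o json` into `audit_pod_json` to compare a deployed component with its row in the table; a container listed with ✅ in every column should come back with every check true. Settings the chart leaves unset are reported as failures on purpose, since the cluster default is the permissive value for each of them.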