# [1.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.5.0...v1.6.0) (2025-07-14)

### Bug Fixes

* **dovecot-pro:** Use of `requiredEnv` instead of `env` and update `README-EE.md` ([a79e40f](a79e40f44a))
* **helmfile:** Prefix NATS passwords as workaround for upstream issue and add documentation to `gettings-started.md` [[#185](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/185), [#202](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/202)] ([7f478bf](7f478bffd6))
* **helmfile:** Remove default setting from `repositories.helm.registryOpencodeDeEnterprise` for better support of `PRIVATE_HELM_REGISTRY_URL` ([c5dd881](c5dd8814ae))
* **helmfile:** Set `nubusKeycloakBootstrap` debug mode when openDesk is running in debug mode ([4e0ffee](4e0ffeea1f))
* **helmfile:** Streamline license header comment style [[#192](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/192)] ([20cbad3](20cbad31e7))
* **nubus:** Explicitly template `nubusStackDataUms.stackDataContext.portalFqdn` to fix custom hostname support [[#193](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/193)] ([6aa6d3a](6aa6d3af2f))
* **nubus:** Replace openDesk portal fork with upstream `portal-frontend` image ([e4f1afc](e4f1afca0f))
* **nubus:** Update from 1.11.1 to 1.11.2 ([237c9af](237c9af3c1))
* **open-xchange:** Add missing `imagePullSecrets` for `core-imageconverter` and `core-documentconverter` ([9b7f439](9b7f439d83))
* **open-xchange:** Enable `com.openexchange.smime.test` only when openDesk is running with `debug.enabled: true` ([51ff7a5](51ff7a5fdb))
* **open-xchange:** Enable searching by LDAP `mailAlternativeAddress` when resolving global contacts. Note: OX App Suite evaluates all `mailAlternativeAddress` values of a user when searching, but only the first address is returned, which might differ from the one that matched the search criteria. ([9014324](9014324156))
* **open-xchange:** Use `objectstore.dovecot.secretKey` when defined ([5c33226](5c332264ed))
* **opendesk-services:** Add missing certificates ([acbabdb](acbabdb806))
* **openproject:** Update from 16.1.0 to 16.1.1 ([e30d4f1](e30d4f126d))

### Features

* **collabora:** Update from 24.04.13 to 25.04.2 ([c56f564](c56f564025))
* **element:** Update NeoBoard from 2.1.0 to 2.2.1, NeoChoice from 1.5.1 to 1.5.2, NeoDateFix from 1.7.0 to 1.7.1 widgets and NeoDateFixBot from 2.8.2 to 2.8.3 latest releases ([98d31f8](98d31f811b))
* **helmfile:** Add options in `functional.yaml.gotmpl` for setting the portal's corner links, toggling the welcome message and the newsfeed ([1a6f438](1a6f438724))
* **nextcloud:** Update from 30.0.10 to 31.0.6 and support for notify-push ([a4c8be6](a4c8be60f3))
* **nubus:** Update from 1.9.1 to 1.11.1; required minimum openDesk version for this upgrade is 1.5.0, see `migrations.md` for details ([ccd5ab8](ccd5ab84e3))
* **open-xchange:** Store attachments for calendar, contact and task objects in object storage; review `migrations.md` for required upgrade steps ([4eb6570](4eb6570b0a))
* **open-xchange:** Updated OX App Suite from 8.37 to 8.38 ([2b31751](2b317514c6))
# Kubernetes Security Context

## Container Security Context

The `containerSecurityContext` is the most important security-related section: when the same field is set both in the Pod's `securityContext` and in a container's `securityContext`, the container-level value takes precedence, and it is the place where a container is restricted to the minimal privileges it actually needs.
### allowPrivilegeEscalation

Privilege escalation (for example via set-user-ID or set-group-ID file modes) must not be allowed (Linux only) at any time. Setting this to `false` makes the container runtime start the process with the `no_new_privs` flag, so setuid/setgid binaries and file capabilities can no longer grant more privileges than the process already has.

```yaml
containerSecurityContext:
  allowPrivilegeEscalation: false
```
### capabilities

Containers must drop ALL capabilities and are only permitted to add back the `NET_BIND_SERVICE` capability (Linux only), which allows binding to ports below 1024 as a non-root user. Capability names are written without the `CAP_` prefix.

Optimal:

```yaml
containerSecurityContext:
  capabilities:
    drop:
      - "ALL"
```

Allowed:

```yaml
containerSecurityContext:
  capabilities:
    drop:
      - "ALL"
    add:
      - "NET_BIND_SERVICE"
```
### privileged

Privileged containers run with all capabilities and with access to the host's devices, which eliminates most of the isolation a container provides; `privileged: true` must be disallowed. Set the value explicitly to `false` rather than relying on the default, so that the setting is visible in the rendered manifest and can be checked there.

```yaml
containerSecurityContext:
  privileged: false
```
### runAsUser

Containers should set a user ID >= 1000 and never use 0 (root) as user. An explicit `runAsUser` overrides the `USER` instruction of the image, so choose a UID that can read the image's files and the mounted volumes; otherwise the process starts and fails on its first file access.

```yaml
containerSecurityContext:
  runAsUser: 1000
```

### runAsGroup

Containers should set a group ID >= 1000 and never use 0 (root) as group.

```yaml
containerSecurityContext:
  runAsGroup: 1000
```
### seccompProfile

The `seccompProfile` must be explicitly set to one of the allowed values. An `Unconfined` profile and the complete absence of the profile are prohibited.

```yaml
containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"
```

or

```yaml
containerSecurityContext:
  seccompProfile:
    type: "Localhost"
    localhostProfile: "profiles/example.json"   # example path, relative to the kubelet's seccomp profile root
```

`Localhost` additionally requires `localhostProfile`, a path relative to the kubelet's configured seccomp profile root on the node. The profile file has to exist on every node the Pod can be scheduled on, otherwise the container fails to start.
### readOnlyRootFilesystem

Containers should have an immutable root file system, so that an attacker who gains code execution cannot modify application code or download additional tooling into the container. Directories the application legitimately needs to write to (`/tmp`, caches, PID files) are provided as separate volumes, for example an `emptyDir`.

```yaml
containerSecurityContext:
  readOnlyRootFilesystem: true
```
### runAsNonRoot

Containers must be required to run as non-root users. With `runAsNonRoot: true` the kubelet refuses to start a container that would run as UID 0. The check needs a numeric UID: an image whose `USER` is a name rather than a number cannot be verified and must be combined with an explicit `runAsUser`.

```yaml
containerSecurityContext:
  runAsNonRoot: true
```
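Putting the settings above together, the following Pod manifest is an added example and not part of openDesk's charts; the Pod name, the image `registry.example/app:1.0`, the port and the mount path are assumptions. It shows the pod-level `securityContext` next to the container-level one (the container-level values win where both are set, `fsGroup` exists only at pod level) and includes the two things that usually break when `readOnlyRootFilesystem: true` is switched on: a writable `emptyDir` for scratch files and, commented out, the `localhostProfile` needed for the `Localhost` seccomp type.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app                  # assumed name
spec:
  # Pod-level settings apply to every container in the Pod unless a
  # container overrides them; the container-level block below has precedence.
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000                      # group ownership of mounted volumes; pod level only
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example/app:1.0  # assumed image
      ports:
        - containerPort: 8080          # unprivileged port, so no NET_BIND_SERVICE is needed
      securityContext:
        allowPrivilegeEscalation: false
        privileged: false              # explicit, so the rendered manifest can be checked
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        capabilities:
          drop:
            - "ALL"
        seccompProfile:
          type: RuntimeDefault
          # For a custom profile use instead:
          #   type: Localhost
          #   localhostProfile: profiles/app.json   # relative to the kubelet's seccomp root
      volumeMounts:
        - name: tmp
          mountPath: /tmp              # writable scratch space despite the read-only root
  volumes:
    - name: tmp
      emptyDir: {}
```

If the application writes anywhere else (a cache or data directory), add a further `emptyDir` or persistent volume for that path instead of relaxing `readOnlyRootFilesystem`; the kubelet's event log shows the failing write as a read-only file system error in the container's output when a path was missed.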
## Status quo

openDesk aims to ensure that all security-relevant settings are explicitly templated and comply with the recommendations above.
The rendered manifests are also validated against Kyverno policies in CI to ensure that the provided values inside openDesk are properly templated by the Helm charts.
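The following Kyverno `ClusterPolicy` is an added example of how the rules on this page can be expressed for such a CI check; it is not openDesk's actual policy, and the policy name and message are assumptions. It uses Kyverno's validate pattern syntax: `=(key)` makes a key optional, `">0"` is a numeric comparison, `"A | B"` allows alternatives, and a single-element array pattern is applied to every element of the resource array, which is how `=(add)` limits any added capability to `NET_BIND_SERVICE`. Because the pattern names `privileged: false` explicitly, a container that merely omits the field fails the check, matching the table's treatment of `n/a` as non-compliant.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: container-security-context      # assumed name
spec:
  validationFailureAction: Enforce      # start with Audit when rolling the policy out
  background: true
  rules:
    - name: restricted-container-security-context
      match:
        any:
          - resources:
              kinds:
                - Pod                   # Kyverno auto-generates rules for Deployments, StatefulSets, Jobs, ...
      validate:
        message: >-
          Every container must set allowPrivilegeEscalation=false, privileged=false,
          readOnlyRootFilesystem=true, runAsNonRoot=true, a non-zero runAsUser and
          runAsGroup, a RuntimeDefault or Localhost seccomp profile, and drop ALL
          capabilities (only NET_BIND_SERVICE may be added back).
        pattern:
          spec:
            # Init containers, if present, must meet the same rules.
            =(initContainers):
              - securityContext:
                  allowPrivilegeEscalation: false
                  privileged: false
                  readOnlyRootFilesystem: true
                  runAsNonRoot: true
                  runAsUser: ">0"
                  runAsGroup: ">0"
                  seccompProfile:
                    type: "RuntimeDefault | Localhost"
                  capabilities:
                    drop:
                      - ALL
                    =(add):
                      - NET_BIND_SERVICE
            containers:
              - securityContext:
                  allowPrivilegeEscalation: false
                  privileged: false
                  readOnlyRootFilesystem: true
                  runAsNonRoot: true
                  runAsUser: ">0"
                  runAsGroup: ">0"
                  seccompProfile:
                    type: "RuntimeDefault | Localhost"
                  capabilities:
                    drop:
                      - ALL
                    =(add):
                      - NET_BIND_SERVICE
```

The UID and GID checks use `">0"` rather than the `>= 1000` recommended above because the status table below marks several containers with IDs such as 101 as ✅; tighten both to `">=1000"` if the stricter recommendation is to be enforced. Such a policy can be applied to rendered manifests offline with the Kyverno CLI (`kyverno apply policy.yaml --resource rendered.yaml`) before anything reaches a cluster.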
This list gives you an overview of the templated security settings and whether they comply with security standards. The `status` column is ✅ only if every setting of a container is explicitly templated with a compliant value; a single non-compliant value or a setting left at its default (`n/a`) results in ❌. The UID/GID recommendation of >= 1000 is not part of this check: several ✅ entries use lower IDs such as 101. The values in the remaining columns mean:

- yes: Value is set to `true`; for `seccompProfile` the profile is explicitly set, for `capabilities` the rules above are met
- no: Value is set to `false`; for `capabilities` the rules above are not met, with the capabilities in question listed in brackets where applicable
- n/a: Not explicitly templated in openDesk; the default is used
| process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
|---|---|---|---|---|---|---|---|---|---|
| collabora/collabora-online | ❌ | yes | no | no | yes | 1001 | 1001 | yes | no ["CHOWN","FOWNER","SYS_CHROOT"] |
| cryptpad/cryptpad | ❌ | no | no | no | yes | 4001 | 4001 | yes | yes |
| element/matrix-neoboard-widget | ✅ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/matrix-neochoice-widget | ✅ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/matrix-neodatefix-bot | ✅ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/matrix-neodatefix-bot-bootstrap | ✅ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/matrix-neodatefix-widget | ✅ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/opendesk-element | ✅ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/opendesk-matrix-user-verification-service | ❌ | no | no | no | yes | 1000 | 1000 | yes | yes |
| element/opendesk-matrix-user-verification-service-bootstrap | ✅ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/opendesk-synapse | ✅ | no | no | yes | yes | 10991 | 10991 | yes | yes |
| element/opendesk-synapse-web | ✅ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/opendesk-well-known | ✅ | no | no | yes | yes | 101 | 101 | yes | yes |
| jitsi/jitsi | ✅ | no | no | yes | yes | 1993 | 1993 | yes | yes |
| jitsi/jitsi/jitsi/jibri | ❌ | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
| jitsi/jitsi/jitsi/jicofo | ❌ | no | no | no | no | 0 | 0 | yes | no |
| jitsi/jitsi/jitsi/jigasi | ❌ | no | no | no | no | 0 | 0 | yes | no |
| jitsi/jitsi/jitsi/jvb | ❌ | no | no | no | no | 0 | 0 | yes | no |
| jitsi/jitsi/jitsi/prosody | ❌ | no | no | no | no | 0 | 0 | yes | no |
| jitsi/jitsi/jitsi/web | ❌ | no | no | no | no | 0 | 0 | yes | no |
| jitsi/jitsi/patchJVB | ✅ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| nextcloud/opendesk-nextcloud-management | ❌ | no | no | no | yes | 101 | 101 | yes | yes |
| nextcloud/opendesk-nextcloud-notifypush | ✅ | no | no | yes | yes | 101 | 101 | yes | yes |
| nextcloud/opendesk-nextcloud/aio | ✅ | no | no | yes | yes | 101 | 101 | yes | yes |
| nextcloud/opendesk-nextcloud/exporter | ✅ | no | no | yes | yes | 65532 | 65532 | yes | yes |
| notes/impress/backend | ✅ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| notes/impress/frontend | ✅ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| notes/impress/yProvider | ✅ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| nubus/intercom-service | ✅ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| nubus/intercom-service/provisioning | ❌ | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
| nubus/opendesk-keycloak-bootstrap | ✅ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/keycloak | ❌ | no | n/a | no | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusKeycloakBootstrap | ❌ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusKeycloakExtensions/handler | ❌ | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
| nubus/ums/nubusKeycloakExtensions/proxy | ❌ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusLdapNotifier | ❌ | no | n/a | yes | yes | 101 | 102 | yes | yes |
| nubus/ums/nubusNotificationsApi | ❌ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusPortalConsumer | ❌ | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
| nubus/ums/nubusPortalFrontend | ❌ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusPortalServer | ❌ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusProvisioning | ❌ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusProvisioning/nats | ❌ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusSelfServiceConsumer | ❌ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusStackDataUms | ❌ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusUdmListener | ❌ | no | n/a | yes | yes | 102 | 65534 | yes | yes |
| nubus/ums/nubusUdmRestApi | ❌ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusUmcGateway | ❌ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusUmcServer | ❌ | no | n/a | yes | yes | 999 | 999 | yes | yes |
| open-xchange/dovecot | ❌ | no | n/a | yes | n/a | n/a | n/a | yes | no ["CHOWN","DAC_OVERRIDE","KILL","NET_BIND_SERVICE","SETGID","SETUID","SYS_CHROOT"] |
| open-xchange/open-xchange/appsuite/core-documentconverter | ❌ | no | no | no | yes | 987 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/core-guidedtours | ✅ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/core-imageconverter | ❌ | no | no | no | yes | 987 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/core-mw/gotenberg | ✅ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| open-xchange/open-xchange/appsuite/core-ui | ✅ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/core-ui-middleware | ✅ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/core-user-guide | ✅ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/guard-ui | ✅ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/nextcloud-integration-ui | ❌ | no | no | no | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/public-sector-ui | ✅ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/opendesk-open-xchange-bootstrap | ❌ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/postfix-ox | ❌ | yes | yes | yes | no | 0 | 0 | yes | no |
| opendesk-migrations-post/opendesk-migrations-post | ✅ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| opendesk-migrations-pre/opendesk-migrations-pre | ✅ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| opendesk-openproject-bootstrap/opendesk-openproject-bootstrap | ✅ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| opendesk-services/opendesk-static-files | ❌ | no | n/a | yes | yes | 101 | 101 | yes | yes |
| openproject/openproject | ✅ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| services-external/cassandra | ✅ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| services-external/clamav | ❌ | no | no | yes | no | 0 | 0 | yes | no |
| services-external/clamav-simple | ✅ | no | no | yes | yes | 100 | 101 | yes | yes |
| services-external/clamav/clamd | ✅ | no | no | yes | yes | 100 | 101 | yes | yes |
| services-external/clamav/freshclam | ✅ | no | no | yes | yes | 100 | 101 | yes | yes |
| services-external/clamav/icap | ✅ | no | no | yes | yes | 100 | 101 | yes | yes |
| services-external/clamav/milter | ✅ | no | no | yes | yes | 100 | 101 | yes | yes |
| services-external/mariadb | ✅ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| services-external/memcached | ✅ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| services-external/minio | ✅ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| services-external/opendesk-dkimpy-milter | ❌ | yes | no | yes | yes | 1000 | 1000 | yes | no |
| services-external/postfix | ❌ | yes | yes | yes | no | 0 | 0 | yes | no |
| services-external/postgresql | ✅ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| services-external/redis/master | ✅ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| xwiki/xwiki | ❌ | no | no | no | yes | 100 | 101 | yes | yes |
This file is auto-generated by openDesk CI CLI