sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
c858692e6b8c7c0ec0b43b80d22bf46565aa91fb
opendesk/docs/security-context.md
Thorsten Roßner c858692e6b chore(release): 1.6.0 [skip ci] 
# [1.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.5.0...v1.6.0) (2025-07-14)

### Bug Fixes

* **dovecot-pro:** Use of `requiredEnv` instead of `env` and update `README-EE.md` ([a79e40f](a79e40f44a))
* **helmfile:** Prefix NATS passwords as workaround for upstream issue and add documentation to `gettings-started.md` [[#185](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/185), [#202](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/202)] ([7f478bf](7f478bffd6))
* **helmfile:** Remove default setting from `repositories.helm.registryOpencodeDeEnterprise` for better support of `PRIVATE_HELM_REGISTRY_URL` ([c5dd881](c5dd8814ae))
* **helmfile:** Set `nubusKeycloakBootstrap` debug mode when openDesk is running in debug mode ([4e0ffee](4e0ffeea1f))
* **helmfile:** Streamline license header comment style [[#192](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/192)] ([20cbad3](20cbad31e7))
* **nubus:** Explicitly template `nubusStackDataUms.stackDataContext.portalFqdn` to fix custom hostname support [[#193](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/193)] ([6aa6d3a](6aa6d3af2f))
* **nubus:** Replace openDesk portal fork with upstream `portal-frontend` image ([e4f1afc](e4f1afca0f))
* **nubus:** Update from 1.11.1 to 1.11.2 ([237c9af](237c9af3c1))
* **open-xchange:** Add missing `imagePullSecrets` for `core-imageconverter` and `core-documentconverter` ([9b7f439](9b7f439d83))
* **open-xchange:** Enable `com.openexchange.smime.test` only when openDesk is running with `debug.enabled: true` ([51ff7a5](51ff7a5fdb))
* **open-xchange:** Enable searching by LDAP `mailAlternativeAddress` when resolving global contacts. Note: OX App Suite evaluates all `mailAlternativeAddress` values of a user when searching, but only the first address is returned, which might differ from the one that matched the search criteria. ([9014324](9014324156))
* **open-xchange:** Use `objectstore.dovecot.secretKey` when defined ([5c33226](5c332264ed))
* **opendesk-services:** Add missing certificates ([acbabdb](acbabdb806))
* **openproject:** Update from 16.1.0 to 16.1.1 ([e30d4f1](e30d4f126d))

### Features

* **collabora:** Update from 24.04.13 to 25.04.2 ([c56f564](c56f564025))
* **element:** Update NeoBoard from 2.1.0 to 2.2.1, NeoChoice from 1.5.1. to 1.5.2, NeoDateFix from 1.7.0 to 1.7.1 widgets and NeoDateFixBot from 2.8.2 to 2.8.3 latest releases ([98d31f8](98d31f811b))
* **helmfile:** Add options in `functional.yaml.gotmpl` for setting the portal's corner links, toggling the welcome message and the newsfeed ([1a6f438](1a6f438724))
* **nextcloud:** Update from 30.0.10 to 31.0.6 and support for notify-push ([a4c8be6](a4c8be60f3))
* **nubus:** Update from 1.9.1 to 1.11.1; required minimum openDesk version for this upgrade is 1.5.0, see `migrations.md` for details ([ccd5ab8](ccd5ab84e3))
* **open-xchange:** Store attachments for calendar, contact and task objects in object storage; review `migrations.md` for required upgrade steps ([4eb6570](4eb6570b0a))
* **open-xchange:** Updated OX App Suite from 8.37 to 8.38 ([2b31751](2b317514c6))
2025-07-14 11:19:43 +00:00

234 lines
12 KiB
Markdown
Raw Blame History

<!--
SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-License-Identifier: Apache-2.0
-->
<h1>Kubernetes Security Context</h1>
<!-- TOC -->
* [Container Security Context](#container-security-context)
* [allowPrivilegeEscalation](#allowprivilegeescalation)
* [capabilities](#capabilities)
* [privileged](#privileged)
* [runAsUser](#runasuser)
* [runAsGroup](#runasgroup)
* [seccompProfile](#seccompprofile)
* [readOnlyRootFilesystem](#readonlyrootfilesystem)
* [runAsNonRoot](#runasnonroot)
* [Status quo](#status-quo)
<!-- TOC -->
# Container Security Context
The containerSecurityContext is the most important security-related section because it has the highest precedence and restricts the container to its minimal privileges.
## allowPrivilegeEscalation
Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed (Linux only) at any time.
```yaml
containerSecurityContext:
allowPrivilegeEscalation: false
```
## capabilities
Containers must drop ALL capabilities, and are only permitted to add back the `NET_BIND_SERVICE` capability (Linux only).
**Optimal:**
```yaml
containerSecurityContext:
capabilities:
drop:
- "ALL"
```
**Allowed:**
```yaml
containerSecurityContext:
capabilities:
drop:
- "ALL"
add:
- "NET_BIND_SERVICE"
```
## privileged
Privileged Pods eliminate most security mechanisms and must be disallowed.
```yaml
containerSecurityContext:
privileged: false
```
## runAsUser
Containers should set a user id >= 1000 and never use 0 (root) as user.
```yaml
containerSecurityContext:
runAsUser: 1000
```
## runAsGroup
Containers should set a group id >= 1000 and never use 0 (root) as user.
```yaml
containerSecurityContext:
runAsGroup: 1000
```
## seccompProfile
The seccompProfile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
```yaml
containerSecurityContext:
seccompProfile:
type: "RuntimeDefault"
```
or
```yaml
containerSecurityContext:
seccompProfile:
type: "Localhost"
```
## readOnlyRootFilesystem
Containers should have an immutable file systems, so that attackers can not modify application code or download malicious code.
```yaml
containerSecurityContext:
readOnlyRootFilesystem: true
```
## runAsNonRoot
Containers must be required to run as non-root users.
```yaml
containerSecurityContext:
runAsNonRoot: true
```
# Status quo
openDesk aims to ensure that all security relevant settings are explicitly templated and comply with security recommendations.
The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are properly templated by the Helm charts.
This list gives you an overview of templated security settings and if they comply with security standards:
- **yes**: Value is set to `true`
- **no**: Value is set to `false`
- **n/a**: Not explicitly templated in openDesk; default is used.
| process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
| ------- | ------ | ------------------------ | ---------- | ---------------------- | ------------ | --------- | ---------- | -------------- | ------------ |
| **collabora**/collabora-online | :x: | yes | no | no | yes | 1001 | 1001 | yes | no ["CHOWN","FOWNER","SYS_CHROOT"] |
| **cryptpad**/cryptpad | :x: | no | no | no | yes | 4001 | 4001 | yes | yes |
| **element**/matrix-neoboard-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/matrix-neochoice-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/matrix-neodatefix-bot | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/matrix-neodatefix-bot-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/matrix-neodatefix-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/opendesk-element | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/opendesk-matrix-user-verification-service | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
| **element**/opendesk-matrix-user-verification-service-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/opendesk-synapse | :white_check_mark: | no | no | yes | yes | 10991 | 10991 | yes | yes |
| **element**/opendesk-synapse-web | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **element**/opendesk-well-known | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 1993 | yes | yes |
| **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
| **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no |
| **jitsi**/jitsi/jitsi/jigasi | :x: | no | no | no | no | 0 | 0 | yes | no |
| **jitsi**/jitsi/jitsi/jvb | :x: | no | no | no | no | 0 | 0 | yes | no |
| **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no |
| **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no |
| **jitsi**/jitsi/patchJVB | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 101 | 101 | yes | yes |
| **nextcloud**/opendesk-nextcloud-notifypush | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **nextcloud**/opendesk-nextcloud/aio | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
| **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
| **notes**/impress/backend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **notes**/impress/frontend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **notes**/impress/yProvider | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **nubus**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **nubus**/intercom-service/provisioning | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
| **nubus**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **nubus**/ums/keycloak | :x: | no | n/a | no | yes | 1000 | 1000 | yes | yes |
| **nubus**/ums/nubusKeycloakBootstrap | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| **nubus**/ums/nubusKeycloakExtensions/handler | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
| **nubus**/ums/nubusKeycloakExtensions/proxy | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| **nubus**/ums/nubusLdapNotifier | :x: | no | n/a | yes | yes | 101 | 102 | yes | yes |
| **nubus**/ums/nubusNotificationsApi | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| **nubus**/ums/nubusPortalConsumer | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
| **nubus**/ums/nubusPortalFrontend | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| **nubus**/ums/nubusPortalServer | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| **nubus**/ums/nubusProvisioning | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| **nubus**/ums/nubusProvisioning/nats | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| **nubus**/ums/nubusSelfServiceConsumer | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| **nubus**/ums/nubusStackDataUms | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| **nubus**/ums/nubusUdmListener | :x: | no | n/a | yes | yes | 102 | 65534 | yes | yes |
| **nubus**/ums/nubusUdmRestApi | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| **nubus**/ums/nubusUmcGateway | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| **nubus**/ums/nubusUmcServer | :x: | no | n/a | yes | yes | 999 | 999 | yes | yes |
| **open-xchange**/dovecot | :x: | no | n/a | yes | n/a | n/a | n/a | yes | no ["CHOWN","DAC_OVERRIDE","KILL","NET_BIND_SERVICE","SETGID","SETUID","SYS_CHROOT"] |
| **open-xchange**/open-xchange/appsuite/core-documentconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-guidedtours | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-imageconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-mw/gotenberg | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-ui-middleware | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/core-user-guide | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/appsuite/guard-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/nextcloud-integration-ui | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/opendesk-open-xchange-bootstrap | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| **open-xchange**/postfix-ox | :x: | yes | yes | yes | no | 0 | 0 | yes | no |
| **opendesk-migrations-post**/opendesk-migrations-post | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **opendesk-migrations-pre**/opendesk-migrations-pre | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **opendesk-openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **opendesk-services**/opendesk-static-files | :x: | no | n/a | yes | yes | 101 | 101 | yes | yes |
| **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
| **services-external**/cassandra | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **services-external**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
| **services-external**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
| **services-external**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
| **services-external**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
| **services-external**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
| **services-external**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
| **services-external**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **services-external**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **services-external**/minio | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **services-external**/opendesk-dkimpy-milter | :x: | yes | no | yes | yes | 1000 | 1000 | yes | no |
| **services-external**/postfix | :x: | yes | yes | yes | no | 0 | 0 | yes | no |
| **services-external**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **services-external**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
| **xwiki**/xwiki | :x: | no | no | no | yes | 100 | 101 | yes | yes |
This file is auto-generated by [openDesk CI CLI](https://gitlab.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli)
Reference in New Issue View Git Blame Copy Permalink