sheppy/opendesk

Fork 0

mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00

Files

Thorsten Roßner ef1dad7433 fix(helmfile): Move Intercom-Service to Nubus component.

2024-09-30 19:05:01 +02:00

11 KiB

Raw Blame History

Kubernetes Security Context

Container Security Context
Status quo

Container Security Context

The containerSecurityContext is the most important security-related section because it has the highest precedence and restricts the container to its minimal privileges.

allowPrivilegeEscalation

Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed (Linux only) at any time.

containerSecurityContext:
  allowPrivilegeEscalation: false

capabilities

Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability (Linux only).

Optimal:

containerSecurityContext:
  capabilities:
    drop:
      - "ALL"

Allowed:

containerSecurityContext:
  capabilities:
    drop:
      - "ALL"
    add:
      - "NET_BIND_SERVICE"

privileged

Privileged Pods disable most security mechanisms and must be disallowed.

containerSecurityContext:
  privileged: false

runAsUser

Containers should set a user id >= 1000 and never use 0 (root) as user.

containerSecurityContext:
  runAsUser: 1000

runAsGroup

Containers should set a group id >= 1000 and never use 0 (root) as user.

containerSecurityContext:
  runAsGroup: 1000

seccompProfile

Seccomp profile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.

containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"

containerSecurityContext:
  seccompProfile:
    type: "Localhost"

readOnlyRootFilesystem

Containers should have an immutable file systems, so that attackers could not modify application code or download malicious code.

containerSecurityContext:
  readOnlyRootFilesystem: true

runAsNonRoot

Containers must be required to run as non-root users.

containerSecurityContext:
  runAsNonRoot: true

Status quo

openDesk aims to achieve that all security relevant settings are explicitly templated and comply with security recommendations.

The rendered manifests are also validated against Kyverno policies in CI to ensure that the provided values inside openDesk are also properly templated by the given Helm charts.

This list gives you an overview of templated security settings and if they comply with security standards:

yes: Value is set to true
no: Value is set to false
n/a: No explicitly templated in openDesk and default is used.

process	status	allowPrivilegeEscalation	privileged	readOnlyRootFilesystem	runAsNonRoot	runAsUser	runAsGroup	seccompProfile	capabilities
collabora/collabora-online	❌	yes	no	no	yes	100	101	yes	no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT","MKNOD"]
cryptpad/cryptpad	❌	no	no	no	yes	4001	4001	yes	yes
element/matrix-neoboard-widget	✅	no	no	yes	yes	101	101	yes	yes
element/matrix-neochoice-widget	✅	no	no	yes	yes	101	101	yes	yes
element/matrix-neodatefix-bot	✅	no	no	yes	yes	101	101	yes	yes
element/matrix-neodatefix-bot-bootstrap	✅	no	no	yes	yes	101	101	yes	yes
element/matrix-neodatefix-widget	✅	no	no	yes	yes	101	101	yes	yes
element/opendesk-element	✅	no	no	yes	yes	101	101	yes	yes
element/opendesk-matrix-user-verification-service	❌	no	no	no	no	0	0	yes	yes
element/opendesk-matrix-user-verification-service-bootstrap	✅	no	no	yes	yes	101	101	yes	yes
element/opendesk-synapse	✅	no	no	yes	yes	10991	10991	yes	yes
element/opendesk-synapse-web	✅	no	no	yes	yes	101	101	yes	yes
element/opendesk-well-known	✅	no	no	yes	yes	101	101	yes	yes
jitsi/jitsi	✅	no	no	yes	yes	1993	1993	yes	yes
jitsi/jitsi/jitsi/jibri	❌	n/a	n/a	n/a	n/a	n/a	n/a	n/a	no ["SYS_ADMIN"]
jitsi/jitsi/jitsi/jicofo	❌	no	no	no	no	0	0	yes	no
jitsi/jitsi/jitsi/jvb	❌	no	no	no	no	0	0	yes	no
jitsi/jitsi/jitsi/prosody	❌	no	no	no	no	0	0	yes	no
jitsi/jitsi/jitsi/web	❌	no	no	no	no	0	0	yes	no
jitsi/jitsi/patchJVB	✅	no	no	yes	yes	1001	1001	yes	yes
nextcloud/opendesk-nextcloud-management	❌	no	no	no	yes	65532	65532	yes	yes
nextcloud/opendesk-nextcloud/apache2	✅	no	no	yes	yes	65532	65532	yes	yes
nextcloud/opendesk-nextcloud/exporter	✅	no	no	yes	yes	65532	65532	yes	yes
nextcloud/opendesk-nextcloud/php	✅	no	no	yes	yes	65532	65532	yes	yes
open-xchange/dovecot	❌	no	n/a	yes	n/a	n/a	n/a	yes	no ["CHOWN","DAC_OVERRIDE","KILL","NET_BIND_SERVICE","SETGID","SETUID","SYS_CHROOT"]
open-xchange/open-xchange/appsuite/core-documentconverter	❌	no	no	no	yes	987	1000	yes	yes
open-xchange/open-xchange/appsuite/core-guidedtours	✅	no	no	yes	yes	1000	1000	yes	yes
open-xchange/open-xchange/appsuite/core-imageconverter	❌	no	no	no	yes	987	1000	yes	yes
open-xchange/open-xchange/appsuite/core-mw/gotenberg	✅	no	no	yes	yes	1001	1001	yes	yes
open-xchange/open-xchange/appsuite/core-ui	✅	no	no	yes	yes	1000	1000	yes	yes
open-xchange/open-xchange/appsuite/core-ui-middleware	✅	no	no	yes	yes	1000	1000	yes	yes
open-xchange/open-xchange/appsuite/core-user-guide	✅	no	no	yes	yes	1000	1000	yes	yes
open-xchange/open-xchange/appsuite/guard-ui	✅	no	no	yes	yes	1000	1000	yes	yes
open-xchange/open-xchange/nextcloud-integration-ui	❌	no	no	no	yes	1000	1000	yes	yes
open-xchange/open-xchange/public-sector-ui	✅	no	no	yes	yes	1000	1000	yes	yes
openproject/openproject	✅	no	no	yes	yes	1000	1000	yes	yes
openproject-bootstrap/opendesk-openproject-bootstrap	✅	no	no	yes	yes	1000	1000	yes	yes
open-xchange/ox-connector	❌	no	no	no	no	0	0	yes	no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"]
services/clamav	❌	no	no	yes	no	0	0	yes	no
services/clamav-simple	✅	no	no	yes	yes	100	101	yes	yes
services/clamav/clamd	✅	no	no	yes	yes	100	101	yes	yes
services/clamav/freshclam	✅	no	no	yes	yes	100	101	yes	yes
services/clamav/icap	✅	no	no	yes	yes	100	101	yes	yes
services/clamav/milter	✅	no	no	yes	yes	100	101	yes	yes
services/mariadb	✅	no	no	yes	yes	1001	1001	yes	yes
services/memcached	✅	no	no	yes	yes	1001	1001	yes	yes
services/minio	❌	no	no	no	yes	1000	0	yes	yes
services/postfix	❌	yes	yes	no	no	0	0	yes	no
services/postgresql	✅	no	no	yes	yes	1001	1001	yes	yes
services/redis/master	✅	no	no	yes	yes	1001	1001	yes	yes
univention-management-stack/intercom-service	✅	no	no	yes	yes	1000	1000	yes	yes
univention-management-stack/opendesk-keycloak-bootstrap	✅	no	no	yes	yes	1000	1000	yes	yes
univention-management-stack/ums/keycloak	❌	no	no	no	yes	1000	1000	yes	yes
univention-management-stack/ums/keycloak-bootstrap	❌	no	no	no	yes	1000	1000	yes	yes
univention-management-stack/ums/keycloak-extensions/handler	✅	no	no	yes	yes	1000	1000	yes	yes
univention-management-stack/ums/keycloak-extensions/proxy	✅	no	no	yes	yes	1000	1000	yes	yes
univention-management-stack/ums/ldap-notifier	❌	n/a	n/a	n/a	n/a	n/a	n/a	yes	no
univention-management-stack/ums/portal-listener	❌	no	no	no	no	0	0	yes	no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"]
univention-management-stack/ums/selfservice-listener	❌	no	no	no	no	0	0	yes	no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"]
univention-management-stack/ums/stack-data-swp	❌	no	no	no	no	0	0	yes	yes
univention-management-stack/ums/stack-gateway	❌	no	no	no	yes	1001	0	yes	yes
univention-management-stack/ums/umc-gateway	❌	no	no	no	no	0	0	yes	no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"]
univention-management-stack/ums/umc-server	❌	no	no	no	no	0	0	yes	no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"]
xwiki/xwiki	❌	no	no	no	yes	100	101	yes	yes

This file is auto-generated by openDesk CI CLI

11 KiB Raw Blame History