Skip to content

Commit

Permalink
Merge pull request #5601 from nextcloud/enh/noid/refactor-helm-security
Browse files Browse the repository at this point in the history 
helm: refactor securityContext
  • Loading branch information
@szaimen
szaimen authored Nov 26, 2024
2 parents dfdc729 + e800ed4 commit 39cf8f7
Show file tree
Hide file tree
Showing 16 changed files with 325 additions and 173 deletions.
1 change: 0 additions & 1 deletion manual-install/latest.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -202,7 +202,6 @@ services:

nextcloud-aio-collabora:
image: nextcloud/aio-collabora:latest
user: "100"
init: true
expose:
- "9980"
Expand Down
38 changes: 20 additions & 18 deletions nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,19 +23,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-apache
spec:
initContainers:
- name: init-volumes
image: "alpine:3.20"
command:
- chmod
- "777"
- /nextcloud-aio-nextcloud
- /nextcloud-aio-apache
volumeMounts:
- name: nextcloud-aio-apache
mountPath: /nextcloud-aio-apache
- name: nextcloud-aio-nextcloud
mountPath: /nextcloud-aio-nextcloud
securityContext:
# The items below only work in pod context
fsGroup: 33
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 33
runAsGroup: 33
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: ADDITIONAL_TRUSTED_DOMAIN
Expand Down Expand Up @@ -64,20 +63,23 @@ spec:
value: "{{ .Values.TIMEZONE }}"
- name: WHITEBOARD_HOST
value: nextcloud-aio-whiteboard
image: "nextcloud/aio-apache:20241106_101604"
image: nextcloud/aio-apache:20241106_101604
name: nextcloud-aio-apache
ports:
- containerPort: {{ .Values.APACHE_PORT }}
protocol: TCP
- containerPort: {{ .Values.APACHE_PORT }}
protocol: UDP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 33
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /var/www/html
name: nextcloud-aio-nextcloud
Expand Down
46 changes: 30 additions & 16 deletions nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,27 +24,38 @@ spec:
labels:
io.kompose.service: nextcloud-aio-clamav
spec:
securityContext:
# The items below only work in pod context
fsGroup: 100
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 100
runAsGroup: 100
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
initContainers:
- name: init-subpath
image: "alpine:3.20"
command:
- mkdir
- "-p"
- /nextcloud-aio-clamav/data
- /nextcloud-aio-clamav
volumeMounts:
- name: nextcloud-aio-clamav
mountPath: /nextcloud-aio-clamav
- name: init-volumes
image: "alpine:3.20"
command:
- chown
- 100:100
- "-R"
- /nextcloud-aio-clamav
volumeMounts:
- name: nextcloud-aio-clamav
mountPath: /nextcloud-aio-clamav
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
containers:
- env:
- name: CLAMD_STARTUP_TIMEOUT
Expand All @@ -53,18 +64,21 @@ spec:
value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-clamav:20241106_101604"
image: nextcloud/aio-clamav:20241106_101604
name: nextcloud-aio-clamav
ports:
- containerPort: 3310
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 100
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /var/lib/clamav
subPath: data
Expand Down
9 changes: 2 additions & 7 deletions nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,19 +36,14 @@ spec:
value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json
- name: server_name
value: "{{ .Values.NC_DOMAIN }}"
image: "nextcloud/aio-collabora:20241106_101604"
image: nextcloud/aio-collabora:20241106_101604
name: nextcloud-aio-collabora
ports:
- containerPort: 9980
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
add:
- MKNOD
- SYS_ADMIN
drop:
- NET_RAW
runAsUser: 100
- CAP_SYS_ADMIN
{{- end }}
52 changes: 30 additions & 22 deletions nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,33 +23,38 @@ spec:
labels:
io.kompose.service: nextcloud-aio-database
spec:
securityContext:
# The items below only work in pod context
fsGroup: 999
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 999
runAsGroup: 999
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
initContainers:
- name: init-subpath
image: "alpine:3.20"
command:
- mkdir
- "-p"
- /nextcloud-aio-database/data
- /nextcloud-aio-database
- /nextcloud-aio-database-dump
volumeMounts:
- name: nextcloud-aio-database-dump
mountPath: /nextcloud-aio-database-dump
- name: nextcloud-aio-database
mountPath: /nextcloud-aio-database
- name: init-volumes
image: "alpine:3.20"
command:
- chown
- 999:999
- "-R"
- /nextcloud-aio-database
- /nextcloud-aio-database-dump
volumeMounts:
- name: nextcloud-aio-database-dump
mountPath: /nextcloud-aio-database-dump
- name: nextcloud-aio-database
mountPath: /nextcloud-aio-database
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
containers:
- env:
- name: PGTZ
Expand All @@ -62,18 +67,21 @@ spec:
value: nextcloud
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-postgresql:20241106_101604"
image: nextcloud/aio-postgresql:20241106_101604
name: nextcloud-aio-database
ports:
- containerPort: 5432
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 999
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /var/lib/postgresql/data
subPath: data
Expand Down
8 changes: 1 addition & 7 deletions nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,17 +56,11 @@ spec:
value: basic
- name: xpack.security.enabled
value: "false"
image: "nextcloud/aio-fulltextsearch:20241106_101604"
image: nextcloud/aio-fulltextsearch:20241106_101604
name: nextcloud-aio-fulltextsearch
ports:
- containerPort: 9200
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
volumeMounts:
- mountPath: /usr/share/elasticsearch/data
name: nextcloud-aio-elasticsearch
Expand Down
26 changes: 20 additions & 6 deletions nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,24 +22,38 @@ spec:
labels:
io.kompose.service: nextcloud-aio-imaginary
spec:
securityContext:
# The items below only work in pod context
fsGroup: 65534
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: IMAGINARY_SECRET
value: "{{ .Values.IMAGINARY_SECRET }}"
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-imaginary:20241106_101604"
image: nextcloud/aio-imaginary:20241106_101604
name: nextcloud-aio-imaginary
ports:
- containerPort: 9000
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add:
- SYS_NICE
drop:
- NET_RAW
runAsUser: 65534
- NET_BIND_SERVICE
{{- end }}
45 changes: 29 additions & 16 deletions nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,18 +23,22 @@ spec:
labels:
io.kompose.service: nextcloud-aio-nextcloud
spec:
{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
securityContext:
# The items below only work in pod context
fsGroup: 33
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 33
runAsGroup: 33
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- end }} # AIO-config - do not change this comment!
# AIO settings start # Do not remove or change this line!
initContainers:
- name: "delete-lost-found"
image: "alpine:3.20"
command:
- rm
- "-rf"
- "/nextcloud-aio-nextcloud/lost+found"
volumeMounts:
- name: nextcloud-aio-nextcloud-trusted-cacerts
mountPath: /nextcloud-aio-nextcloud-trusted-cacerts
- name: nextcloud-aio-nextcloud
mountPath: /nextcloud-aio-nextcloud
- name: init-volumes
image: "alpine:3.20"
command:
Expand All @@ -47,6 +51,7 @@ spec:
mountPath: /nextcloud-aio-nextcloud-trusted-cacerts
- name: nextcloud-aio-nextcloud
mountPath: /nextcloud-aio-nextcloud
# AIO settings end # Do not remove or change this line!
containers:
- env:
- name: SMTP_HOST
Expand Down Expand Up @@ -173,17 +178,25 @@ spec:
value: "{{ .Values.WHITEBOARD_ENABLED }}"
- name: WHITEBOARD_SECRET
value: "{{ .Values.WHITEBOARD_SECRET }}"
image: "nextcloud/aio-nextcloud:20241106_101604"
image: nextcloud/aio-nextcloud:20241106_101604
{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }} # AIO-config - do not change this comment!
name: nextcloud-aio-nextcloud
ports:
- containerPort: 9000
protocol: TCP
- containerPort: 9001
protocol: TCP
securityContext:
capabilities:
drop:
- NET_RAW
volumeMounts:
- mountPath: /var/www/html
name: nextcloud-aio-nextcloud
Expand Down
Loading

0 comments on commit 39cf8f7

Please sign in to comment.