nextcloud/all-in-one
1
1
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2025-09-14 10:36:35 +08:00
Code Issues Projects Releases Packages Wiki Activity

helm: refactor securityContext to support restricted pod security standard

Browse source 
Signed-off-by: Simon L. <szaimen@e.mail.de>
This commit is contained in:
Simon L. 2024-11-15 16:52:55 +01:00
parent f7de6f6704
commit cf6adc1075
16 changed files with 337 additions and 152 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
manual-install/latest.yml
View file

@ -202,7 +202,6 @@ services:
nextcloud-aio-collabora:
image: nextcloud/aio-collabora:latest
user: "100"
init: true
expose:
- "9980"

38
nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml
View file

@ -23,19 +23,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-apache
spec:
initContainers:
- name: init-volumes
image: "alpine:3.20"
command:
- chmod
- "777"
- /nextcloud-aio-nextcloud
- /nextcloud-aio-apache
volumeMounts:
- name: nextcloud-aio-apache
mountPath: /nextcloud-aio-apache
- name: nextcloud-aio-nextcloud
mountPath: /nextcloud-aio-nextcloud
securityContext:
# The items below only work in pod context
fsGroup: 33
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 33
runAsGroup: 33
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: ADDITIONAL_TRUSTED_DOMAIN
@ -64,7 +63,7 @@ spec:
value: "{{ .Values.TIMEZONE }}"
- name: WHITEBOARD_HOST
value: nextcloud-aio-whiteboard
image: "nextcloud/aio-apache:20241106_101604"
image: nextcloud/aio-apache:20241106_101604
name: nextcloud-aio-apache
ports:
- containerPort: {{ .Values.APACHE_PORT }}
@ -72,12 +71,15 @@ spec:
- containerPort: {{ .Values.APACHE_PORT }}
protocol: UDP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 33
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /var/www/html
name: nextcloud-aio-nextcloud

46
nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
View file

@ -24,6 +24,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-clamav
spec:
securityContext:
# The items below only work in pod context
fsGroup: 100
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 100
runAsGroup: 100
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
initContainers:
- name: init-subpath
image: "alpine:3.20"
@ -31,20 +43,19 @@ spec:
- mkdir
- "-p"
- /nextcloud-aio-clamav/data
- /nextcloud-aio-clamav
volumeMounts:
- name: nextcloud-aio-clamav
mountPath: /nextcloud-aio-clamav
- name: init-volumes
image: "alpine:3.20"
command:
- chown
- 100:100
- "-R"
- /nextcloud-aio-clamav
volumeMounts:
- name: nextcloud-aio-clamav
mountPath: /nextcloud-aio-clamav
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
containers:
- env:
- name: CLAMD_STARTUP_TIMEOUT
@ -53,18 +64,21 @@ spec:
value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-clamav:20241106_101604"
image: nextcloud/aio-clamav:20241106_101604
name: nextcloud-aio-clamav
ports:
- containerPort: 3310
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 100
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /var/lib/clamav
subPath: data

7
nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml
View file

@ -36,19 +36,14 @@ spec:
value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json
- name: server_name
value: "{{ .Values.NC_DOMAIN }}"
image: "nextcloud/aio-collabora:20241106_101604"
image: nextcloud/aio-collabora:20241106_101604
name: nextcloud-aio-collabora
ports:
- containerPort: 9980
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
add:
- MKNOD
- SYS_ADMIN
drop:
- NET_RAW
runAsUser: 100
{{- end }}

52
nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
View file

@ -23,6 +23,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-database
spec:
securityContext:
# The items below only work in pod context
fsGroup: 999
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 999
runAsGroup: 999
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
initContainers:
- name: init-subpath
image: "alpine:3.20"
@ -30,26 +42,19 @@ spec:
- mkdir
- "-p"
- /nextcloud-aio-database/data
- /nextcloud-aio-database
- /nextcloud-aio-database-dump
volumeMounts:
- name: nextcloud-aio-database-dump
mountPath: /nextcloud-aio-database-dump
- name: nextcloud-aio-database
mountPath: /nextcloud-aio-database
- name: init-volumes
image: "alpine:3.20"
command:
- chown
- 999:999
- "-R"
- /nextcloud-aio-database
- /nextcloud-aio-database-dump
volumeMounts:
- name: nextcloud-aio-database-dump
mountPath: /nextcloud-aio-database-dump
- name: nextcloud-aio-database
mountPath: /nextcloud-aio-database
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
containers:
- env:
- name: PGTZ
@ -62,18 +67,21 @@ spec:
value: nextcloud
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-postgresql:20241106_101604"
image: nextcloud/aio-postgresql:20241106_101604
name: nextcloud-aio-database
ports:
- containerPort: 5432
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 999
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /var/lib/postgresql/data
subPath: data

8
nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml
View file

@ -56,17 +56,11 @@ spec:
value: basic
- name: xpack.security.enabled
value: "false"
image: "nextcloud/aio-fulltextsearch:20241106_101604"
image: nextcloud/aio-fulltextsearch:20241106_101604
name: nextcloud-aio-fulltextsearch
ports:
- containerPort: 9200
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
volumeMounts:
- mountPath: /usr/share/elasticsearch/data
name: nextcloud-aio-elasticsearch

26
nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
View file

@ -22,24 +22,38 @@ spec:
labels:
io.kompose.service: nextcloud-aio-imaginary
spec:
securityContext:
# The items below only work in pod context
fsGroup: 65534
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: IMAGINARY_SECRET
value: "{{ .Values.IMAGINARY_SECRET }}"
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-imaginary:20241106_101604"
image: nextcloud/aio-imaginary:20241106_101604
name: nextcloud-aio-imaginary
ports:
- containerPort: 9000
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add:
- SYS_NICE
drop:
- NET_RAW
runAsUser: 65534
- NET_BIND_SERVICE
{{- end }}

46
nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml
View file

@ -23,6 +23,20 @@ spec:
labels:
io.kompose.service: nextcloud-aio-nextcloud
spec:
{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
securityContext:
# The items below only work in pod context
fsGroup: 33
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 33
runAsGroup: 33
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- end }} # AIO-config - do not change this comment!
initContainers:
- name: "delete-lost-found"
image: "alpine:3.20"
@ -35,6 +49,19 @@ spec:
mountPath: /nextcloud-aio-nextcloud-trusted-cacerts
- name: nextcloud-aio-nextcloud
mountPath: /nextcloud-aio-nextcloud
{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }} # AIO-config - do not change this comment!
# AIO settings start # Do not remove or change this line!
- name: init-volumes
image: "alpine:3.20"
command:
@ -47,6 +74,7 @@ spec:
mountPath: /nextcloud-aio-nextcloud-trusted-cacerts
- name: nextcloud-aio-nextcloud
mountPath: /nextcloud-aio-nextcloud
# AIO settings end # Do not remove or change this line!
containers:
- env:
- name: SMTP_HOST
@ -173,17 +201,25 @@ spec:
value: "{{ .Values.WHITEBOARD_ENABLED }}"
- name: WHITEBOARD_SECRET
value: "{{ .Values.WHITEBOARD_SECRET }}"
image: "nextcloud/aio-nextcloud:20241106_101604"
image: nextcloud/aio-nextcloud:20241106_101604
{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }} # AIO-config - do not change this comment!
name: nextcloud-aio-nextcloud
ports:
- containerPort: 9000
protocol: TCP
- containerPort: 9001
protocol: TCP
securityContext:
capabilities:
drop:
- NET_RAW
volumeMounts:
- mountPath: /var/www/html
name: nextcloud-aio-nextcloud

35
nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml
View file

@ -23,16 +23,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-notify-push
spec:
initContainers:
- name: init-volumes
image: "alpine:3.20"
command:
- chmod
- "777"
- /nextcloud-aio-nextcloud
volumeMounts:
- name: nextcloud-aio-nextcloud
mountPath: /nextcloud-aio-nextcloud
securityContext:
# The items below only work in pod context
fsGroup: 33
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 33
runAsGroup: 33
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: NC_DOMAIN
@ -53,18 +55,21 @@ spec:
value: nextcloud-aio-redis
- name: REDIS_HOST_PASSWORD
value: "{{ .Values.REDIS_PASSWORD }}"
image: "nextcloud/aio-notify-push:20241106_101604"
image: nextcloud/aio-notify-push:20241106_101604
name: nextcloud-aio-notify-push
ports:
- containerPort: 7867
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 33
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /nextcloud
name: nextcloud-aio-nextcloud

6
nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml
View file

@ -44,15 +44,11 @@ spec:
value: "{{ .Values.ONLYOFFICE_SECRET }}"
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-onlyoffice:20241106_101604"
image: nextcloud/aio-onlyoffice:20241106_101604
name: nextcloud-aio-onlyoffice
ports:
- containerPort: 80
protocol: TCP
securityContext:
capabilities:
drop:
- NET_RAW
volumeMounts:
- mountPath: /var/lib/onlyoffice
name: nextcloud-aio-onlyoffice

35
nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml
View file

@ -23,34 +23,39 @@ spec:
labels:
io.kompose.service: nextcloud-aio-redis
spec:
initContainers:
- name: init-volumes
image: "alpine:3.20"
command:
- chmod
- "777"
- /nextcloud-aio-redis
volumeMounts:
- name: nextcloud-aio-redis
mountPath: /nextcloud-aio-redis
securityContext:
# The items below only work in pod context
fsGroup: 999
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 999
runAsGroup: 999
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: REDIS_HOST_PASSWORD
value: "{{ .Values.REDIS_PASSWORD }}"
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-redis:20241106_101604"
image: nextcloud/aio-redis:20241106_101604
name: nextcloud-aio-redis
ports:
- containerPort: 6379
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 999
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /data
name: nextcloud-aio-redis

25
nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml
View file

@ -22,6 +22,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-talk
spec:
securityContext:
# The items below only work in pod context
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: TALK_MAX_STREAM_BITRATE
@ -42,7 +54,7 @@ spec:
value: "{{ .Values.TURN_SECRET }}"
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-talk:20241106_101604"
image: nextcloud/aio-talk:20241106_101604
name: nextcloud-aio-talk
ports:
- containerPort: {{ .Values.TALK_PORT }}
@ -52,10 +64,13 @@ spec:
- containerPort: 8081
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 1000
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }}

25
nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml
View file

@ -22,6 +22,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-talk-recording
spec:
securityContext:
# The items below only work in pod context
fsGroup: 122
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 122
runAsGroup: 122
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: INTERNAL_SECRET
@ -32,16 +44,19 @@ spec:
value: "{{ .Values.RECORDING_SECRET }}"
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-talk-recording:20241106_101604"
image: nextcloud/aio-talk-recording:20241106_101604
name: nextcloud-aio-talk-recording
ports:
- containerPort: 1234
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 122
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }}

25
nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml
View file

@ -22,6 +22,18 @@ spec:
labels:
io.kompose.service: nextcloud-aio-whiteboard
spec:
securityContext:
# The items below only work in pod context
fsGroup: 65534
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers:
- env:
- name: JWT_SECRET_KEY
@ -36,16 +48,19 @@ spec:
value: redis
- name: TZ
value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-whiteboard:20241106_101604"
image: nextcloud/aio-whiteboard:20241106_101604
name: nextcloud-aio-whiteboard
ports:
- containerPort: 3002
protocol: TCP
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
runAsUser: 65534
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }}

113
nextcloud-aio-helm-chart/update-helm.sh
View file

@ -50,6 +50,11 @@ yq -i 'del(.services.[].profiles)' latest.yml
# Delete read_only and tmpfs setting while https://github.com/kubernetes/kubernetes/issues/48912 is not fixed
yq -i 'del(.services.[].read_only)' latest.yml
yq -i 'del(.services.[].tmpfs)' latest.yml
# Remove cap_drop in order to add it later again easier
yq -i 'del(.services.[].cap_drop)' latest.yml
# Remove SYS_NICE for imaginary as it is not supported with RPSS
sed -i "s|- SYS_NICE$|- NET_BIND_SERVICE|" latest.yml
cat latest.yml
kompose convert -c -f latest.yml --namespace nextcloud-aio-namespace
cd latest
@ -76,14 +81,10 @@ cat << EOL > /tmp/initcontainers.database
- mkdir
- "-p"
- /nextcloud-aio-database/data
volumeMountsInitContainer:
- name: init-volumes
image: "alpine:3.20"
command:
- chown
- 999:999
- "-R"
volumeMountsInitContainer:
volumeMounts:
- name: nextcloud-aio-database
mountPath: /nextcloud-aio-database
securityContext:
EOL
cat << EOL > /tmp/initcontainers.clamav
initContainers:
@ -93,14 +94,10 @@ cat << EOL > /tmp/initcontainers.clamav
- mkdir
- "-p"
- /nextcloud-aio-clamav/data
volumeMountsInitContainer:
- name: init-volumes
image: "alpine:3.20"
command:
- chown
- 100:100
- "-R"
volumeMountsInitContainer:
volumeMounts:
- name: nextcloud-aio-clamav
mountPath: /nextcloud-aio-clamav
securityContext:
EOL
cat << EOL > /tmp/initcontainers.nextcloud
initContainers:
@ -111,13 +108,19 @@ cat << EOL > /tmp/initcontainers.nextcloud
- "-rf"
- "/nextcloud-aio-nextcloud/lost+found"
volumeMountsInitRmLostFound:
{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
securityContext:
{{- end }} # AIO-config - do not change this comment!
# AIO settings start # Do not remove or change this line!
- name: init-volumes
image: "alpine:3.20"
command:
- chmod
- "777"
volumeMountsInitContainer:
# AIO settings end # Do not remove or change this line!
EOL
# shellcheck disable=SC1083
DEPLOYMENTS="$(find ./ -name '*deployment.yaml')"
mapfile -t DEPLOYMENTS <<< "$DEPLOYMENTS"
@ -129,7 +132,7 @@ for variable in "${DEPLOYMENTS[@]}"; do
sed -i "/^ spec:/r /tmp/initcontainers.clamav" "$variable"
elif echo "$variable" | grep -q "nextcloud-deployment.yaml"; then
sed -i "/^ spec:/r /tmp/initcontainers.nextcloud" "$variable"
else
elif echo "$variable" | grep -q "fulltextsearch" || echo "$variable" | grep -q "onlyoffice" || echo "$variable" | grep -q "collabora"; then
sed -i "/^ spec:/r /tmp/initcontainers" "$variable"
fi
volumeNames="$(grep -A1 mountPath "$variable" | grep -v mountPath | sed 's|.*name: ||' | sed '/^--$/d')"
@ -161,6 +164,39 @@ for variable in "${DEPLOYMENTS[@]}"; do
done
fi
fi
if grep -q runAsUser "$variable" || echo "$variable" | grep -q "nextcloud-deployment.yaml"; then
if echo "$variable" | grep -q "nextcloud-deployment.yaml"; then
USER=33
GROUP=33
echo ' {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!' > /tmp/pod.securityContext
else
USER="$(grep runAsUser "$variable" | grep -oP '[0-9]+')"
GROUP="$USER"
rm -f /tmp/pod.securityContext
fi
sed -i "/runAsUser:/d" "$variable"
sed -i "/capabilities:/d" "$variable"
if [ -n "$USER" ]; then
cat << EOL >> /tmp/pod.securityContext
securityContext:
# The items below only work in pod context
fsGroup: $USER
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: $USER
runAsGroup: $GROUP
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
EOL
if echo "$variable" | grep -q "nextcloud-deployment.yaml"; then
echo " {{- end }} # AIO-config - do not change this comment!" >> /tmp/pod.securityContext
fi
sed -i "/^ spec:$/r /tmp/pod.securityContext" "$variable"
fi
fi
done
# shellcheck disable=SC1083
find ./ -name '*.yaml' -exec sed -i 's|nextcloud-aio-namespace|"\{\{ .Values.NAMESPACE \}\}"|' \{} \;
@ -416,12 +452,49 @@ find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec se
# shellcheck disable=SC1083
find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec sed -i "$ a {{- end }}" \{} \;
cat << EOL >> /tmp/security.conf
cat << EOL > /tmp/security.conf
# The items below only work in container context
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
EOL
# shellcheck disable=SC1083
find ./ \( -not -name '*nextcloud-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^.*securityContext:$/r /tmp/security.conf" \{} \;
find ./ \( -not -name '*collabora-deployment.yaml*' -not -name '*imaginary-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^ securityContext:$/r /tmp/security.conf" \{} \;
cat << EOL > /tmp/security.conf
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
EOL
# shellcheck disable=SC1083
find ./ -name '*imaginary-deployment.yaml*' -exec sed -i "/^ securityContext:$/r /tmp/security.conf" \{} \;
cat << EOL > /tmp/security.conf
{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }} # AIO-config - do not change this comment!
EOL
# shellcheck disable=SC1083
find ./ -name '*nextcloud-deployment.yaml*' -exec sed -i "/nextcloud\/aio-nextcloud:.*/r /tmp/security.conf" \{} \;
chmod 777 -R ./

1
php/containers.json
View file

@ -332,7 +332,6 @@
"documentation": "https://github.com/nextcloud/all-in-one/discussions/1358",
"display_name": "Collabora",
"image": "nextcloud/aio-collabora",
"user": "100",
"init": true,
"expose": [
"9980"