helm: refactor securityContext to support restricted pod security standard

Signed-off-by: Simon L. <szaimen@e.mail.de>
This commit is contained in:
Simon L. 2024-11-15 16:52:55 +01:00
parent f7de6f6704
commit cf6adc1075
16 changed files with 337 additions and 152 deletions


@ -202,7 +202,6 @@ services:
nextcloud-aio-collabora: nextcloud-aio-collabora:
image: nextcloud/aio-collabora:latest image: nextcloud/aio-collabora:latest
user: "100"
init: true init: true
expose: expose:
- "9980" - "9980"


@ -23,19 +23,18 @@ spec:
labels: labels:
io.kompose.service: nextcloud-aio-apache io.kompose.service: nextcloud-aio-apache
spec: spec:
initContainers: securityContext:
- name: init-volumes # The items below only work in pod context
image: "alpine:3.20" fsGroup: 33
command: fsGroupChangePolicy: "OnRootMismatch"
- chmod # The items below work in both contexts
- "777" runAsUser: 33
- /nextcloud-aio-nextcloud runAsGroup: 33
- /nextcloud-aio-apache runAsNonRoot: true
volumeMounts: {{- if eq .Values.RPSS_ENABLED "yes" }}
- name: nextcloud-aio-apache seccompProfile:
mountPath: /nextcloud-aio-apache type: RuntimeDefault
- name: nextcloud-aio-nextcloud {{- end }}
mountPath: /nextcloud-aio-nextcloud
containers: containers:
- env: - env:
- name: ADDITIONAL_TRUSTED_DOMAIN - name: ADDITIONAL_TRUSTED_DOMAIN
@ -64,7 +63,7 @@ spec:
value: "{{ .Values.TIMEZONE }}" value: "{{ .Values.TIMEZONE }}"
- name: WHITEBOARD_HOST - name: WHITEBOARD_HOST
value: nextcloud-aio-whiteboard value: nextcloud-aio-whiteboard
image: "nextcloud/aio-apache:20241106_101604" image: nextcloud/aio-apache:20241106_101604
name: nextcloud-aio-apache name: nextcloud-aio-apache
ports: ports:
- containerPort: {{ .Values.APACHE_PORT }} - containerPort: {{ .Values.APACHE_PORT }}
@ -72,12 +71,15 @@ spec:
- containerPort: {{ .Values.APACHE_PORT }} - containerPort: {{ .Values.APACHE_PORT }}
protocol: UDP protocol: UDP
securityContext: securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities: capabilities:
drop: {{- if eq .Values.RPSS_ENABLED "yes" }}
- NET_RAW drop: ["ALL"]
runAsUser: 33 {{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts: volumeMounts:
- mountPath: /var/www/html - mountPath: /var/www/html
name: nextcloud-aio-nextcloud name: nextcloud-aio-nextcloud


@ -24,6 +24,18 @@ spec:
labels: labels:
io.kompose.service: nextcloud-aio-clamav io.kompose.service: nextcloud-aio-clamav
spec: spec:
securityContext:
# The items below only work in pod context
fsGroup: 100
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 100
runAsGroup: 100
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
initContainers: initContainers:
- name: init-subpath - name: init-subpath
image: "alpine:3.20" image: "alpine:3.20"
@ -31,20 +43,19 @@ spec:
- mkdir - mkdir
- "-p" - "-p"
- /nextcloud-aio-clamav/data - /nextcloud-aio-clamav/data
- /nextcloud-aio-clamav
volumeMounts:
- name: nextcloud-aio-clamav
mountPath: /nextcloud-aio-clamav
- name: init-volumes
image: "alpine:3.20"
command:
- chown
- 100:100
- "-R"
- /nextcloud-aio-clamav
volumeMounts: volumeMounts:
- name: nextcloud-aio-clamav - name: nextcloud-aio-clamav
mountPath: /nextcloud-aio-clamav mountPath: /nextcloud-aio-clamav
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
containers: containers:
- env: - env:
- name: CLAMD_STARTUP_TIMEOUT - name: CLAMD_STARTUP_TIMEOUT
@ -53,18 +64,21 @@ spec:
value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}" value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
- name: TZ - name: TZ
value: "{{ .Values.TIMEZONE }}" value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-clamav:20241106_101604" image: nextcloud/aio-clamav:20241106_101604
name: nextcloud-aio-clamav name: nextcloud-aio-clamav
ports: ports:
- containerPort: 3310 - containerPort: 3310
protocol: TCP protocol: TCP
securityContext: securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities: capabilities:
drop: {{- if eq .Values.RPSS_ENABLED "yes" }}
- NET_RAW drop: ["ALL"]
runAsUser: 100 {{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts: volumeMounts:
- mountPath: /var/lib/clamav - mountPath: /var/lib/clamav
subPath: data subPath: data
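Review bot: The `init-subpath` init container gets `add: ["NET_BIND_SERVICE"]` although it only runs `mkdir -p`, and the clamav container binds 3310, so neither needs that capability; the same blanket add appears in the database init container and in the database, redis, notify-push, talk, talk-recording, whiteboard and imaginary containers, none of which listen on a port below 1024 as far as these hunks show. Under `drop: ["ALL"]` the added capability is the only one the process keeps, so limiting `add:` to the containers that actually bind a privileged port (apache with `APACHE_PORT`, possibly talk depending on `TALK_PORT`) is cheap least-privilege. Since these templates are generated, the place to fix it is the `/tmp/security.conf` heredoc in the generator script rather than each template, e.g. emitting the `add: ["NET_BIND_SERVICE"]` line only for the deployments that need it. The container specs continue outside the hunk.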


@ -36,19 +36,14 @@ spec:
value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json
- name: server_name - name: server_name
value: "{{ .Values.NC_DOMAIN }}" value: "{{ .Values.NC_DOMAIN }}"
image: "nextcloud/aio-collabora:20241106_101604" image: nextcloud/aio-collabora:20241106_101604
name: nextcloud-aio-collabora name: nextcloud-aio-collabora
ports: ports:
- containerPort: 9980 - containerPort: 9980
protocol: TCP protocol: TCP
securityContext: securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities: capabilities:
add: add:
- MKNOD - MKNOD
- SYS_ADMIN - SYS_ADMIN
drop:
- NET_RAW
runAsUser: 100
{{- end }} {{- end }}
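Review bot: The collabora container now renders with no `allowPrivilegeEscalation: false`, no `runAsNonRoot: true` and no `NET_RAW` drop while keeping `add: [MKNOD, SYS_ADMIN]`, and with `user: "100"` removed from the compose file it runs as root; the fulltextsearch section loses the same `allowPrivilegeEscalation: false` / `runAsNonRoot` / `NET_RAW` lines, and the onlyoffice section loses its `NET_RAW` drop. Running as root may be required by the image, but the privilege-escalation and capability hardening does not depend on the UID and should not disappear with it. This looks like a side effect of the generator deleting `cap_drop` from latest.yml, which removes the kompose-emitted `securityContext:` line that `sed ... /r /tmp/security.conf` anchors on, so nothing is re-inserted for these three deployments. I would at least keep `securityContext:` with `allowPrivilegeEscalation: false` and `capabilities: drop: ["NET_RAW"]` on these containers, or have the script emit that block for them explicitly. The container definition starts outside the hunk.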


@ -23,6 +23,18 @@ spec:
labels: labels:
io.kompose.service: nextcloud-aio-database io.kompose.service: nextcloud-aio-database
spec: spec:
securityContext:
# The items below only work in pod context
fsGroup: 999
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 999
runAsGroup: 999
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
initContainers: initContainers:
- name: init-subpath - name: init-subpath
image: "alpine:3.20" image: "alpine:3.20"
@ -30,26 +42,19 @@ spec:
- mkdir - mkdir
- "-p" - "-p"
- /nextcloud-aio-database/data - /nextcloud-aio-database/data
- /nextcloud-aio-database
- /nextcloud-aio-database-dump
volumeMounts: volumeMounts:
- name: nextcloud-aio-database-dump
mountPath: /nextcloud-aio-database-dump
- name: nextcloud-aio-database
mountPath: /nextcloud-aio-database
- name: init-volumes
image: "alpine:3.20"
command:
- chown
- 999:999
- "-R"
- /nextcloud-aio-database
- /nextcloud-aio-database-dump
volumeMounts:
- name: nextcloud-aio-database-dump
mountPath: /nextcloud-aio-database-dump
- name: nextcloud-aio-database - name: nextcloud-aio-database
mountPath: /nextcloud-aio-database mountPath: /nextcloud-aio-database
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
containers: containers:
- env: - env:
- name: PGTZ - name: PGTZ
@ -62,18 +67,21 @@ spec:
value: nextcloud value: nextcloud
- name: TZ - name: TZ
value: "{{ .Values.TIMEZONE }}" value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-postgresql:20241106_101604" image: nextcloud/aio-postgresql:20241106_101604
name: nextcloud-aio-database name: nextcloud-aio-database
ports: ports:
- containerPort: 5432 - containerPort: 5432
protocol: TCP protocol: TCP
securityContext: securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities: capabilities:
drop: {{- if eq .Values.RPSS_ENABLED "yes" }}
- NET_RAW drop: ["ALL"]
runAsUser: 999 {{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts: volumeMounts:
- mountPath: /var/lib/postgresql/data - mountPath: /var/lib/postgresql/data
subPath: data subPath: data


@ -56,17 +56,11 @@ spec:
value: basic value: basic
- name: xpack.security.enabled - name: xpack.security.enabled
value: "false" value: "false"
image: "nextcloud/aio-fulltextsearch:20241106_101604" image: nextcloud/aio-fulltextsearch:20241106_101604
name: nextcloud-aio-fulltextsearch name: nextcloud-aio-fulltextsearch
ports: ports:
- containerPort: 9200 - containerPort: 9200
protocol: TCP protocol: TCP
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
volumeMounts: volumeMounts:
- mountPath: /usr/share/elasticsearch/data - mountPath: /usr/share/elasticsearch/data
name: nextcloud-aio-elasticsearch name: nextcloud-aio-elasticsearch


@ -22,24 +22,38 @@ spec:
labels: labels:
io.kompose.service: nextcloud-aio-imaginary io.kompose.service: nextcloud-aio-imaginary
spec: spec:
securityContext:
# The items below only work in pod context
fsGroup: 65534
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers: containers:
- env: - env:
- name: IMAGINARY_SECRET - name: IMAGINARY_SECRET
value: "{{ .Values.IMAGINARY_SECRET }}" value: "{{ .Values.IMAGINARY_SECRET }}"
- name: TZ - name: TZ
value: "{{ .Values.TIMEZONE }}" value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-imaginary:20241106_101604" image: nextcloud/aio-imaginary:20241106_101604
name: nextcloud-aio-imaginary name: nextcloud-aio-imaginary
ports: ports:
- containerPort: 9000 - containerPort: 9000
protocol: TCP protocol: TCP
securityContext: securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities: capabilities:
add: {{- if eq .Values.RPSS_ENABLED "yes" }}
- SYS_NICE drop: ["ALL"]
drop: {{- else }}
- NET_RAW drop: ["NET_RAW"]
runAsUser: 65534 {{- end }}
add:
- NET_BIND_SERVICE
{{- end }} {{- end }}


@ -23,6 +23,20 @@ spec:
labels: labels:
io.kompose.service: nextcloud-aio-nextcloud io.kompose.service: nextcloud-aio-nextcloud
spec: spec:
{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
securityContext:
# The items below only work in pod context
fsGroup: 33
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 33
runAsGroup: 33
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- end }} # AIO-config - do not change this comment!
initContainers: initContainers:
- name: "delete-lost-found" - name: "delete-lost-found"
image: "alpine:3.20" image: "alpine:3.20"
@ -35,6 +49,19 @@ spec:
mountPath: /nextcloud-aio-nextcloud-trusted-cacerts mountPath: /nextcloud-aio-nextcloud-trusted-cacerts
- name: nextcloud-aio-nextcloud - name: nextcloud-aio-nextcloud
mountPath: /nextcloud-aio-nextcloud mountPath: /nextcloud-aio-nextcloud
{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }} # AIO-config - do not change this comment!
# AIO settings start # Do not remove or change this line!
- name: init-volumes - name: init-volumes
image: "alpine:3.20" image: "alpine:3.20"
command: command:
@ -47,6 +74,7 @@ spec:
mountPath: /nextcloud-aio-nextcloud-trusted-cacerts mountPath: /nextcloud-aio-nextcloud-trusted-cacerts
- name: nextcloud-aio-nextcloud - name: nextcloud-aio-nextcloud
mountPath: /nextcloud-aio-nextcloud mountPath: /nextcloud-aio-nextcloud
# AIO settings end # Do not remove or change this line!
containers: containers:
- env: - env:
- name: SMTP_HOST - name: SMTP_HOST
@ -173,17 +201,25 @@ spec:
value: "{{ .Values.WHITEBOARD_ENABLED }}" value: "{{ .Values.WHITEBOARD_ENABLED }}"
- name: WHITEBOARD_SECRET - name: WHITEBOARD_SECRET
value: "{{ .Values.WHITEBOARD_SECRET }}" value: "{{ .Values.WHITEBOARD_SECRET }}"
image: "nextcloud/aio-nextcloud:20241106_101604" image: nextcloud/aio-nextcloud:20241106_101604
{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }} # AIO-config - do not change this comment!
name: nextcloud-aio-nextcloud name: nextcloud-aio-nextcloud
ports: ports:
- containerPort: 9000 - containerPort: 9000
protocol: TCP protocol: TCP
- containerPort: 9001 - containerPort: 9001
protocol: TCP protocol: TCP
securityContext:
capabilities:
drop:
- NET_RAW
volumeMounts: volumeMounts:
- mountPath: /var/www/html - mountPath: /var/www/html
name: nextcloud-aio-nextcloud name: nextcloud-aio-nextcloud
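Review bot: Inside the outer `{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config` guards around the pod securityContext and both container securityContexts, the inner `{{- if eq .Values.RPSS_ENABLED "yes" }} ... {{- else }} drop: ["NET_RAW"] {{- end }}` can only take its true branch, so the `drop: ["NET_RAW"]` else-branches and the inner guard around `seccompProfile` are dead template code. Presumably the outer guard exists because the AIO-config markers let the runtime configuration keep or strip the whole block, so it cannot simply be removed; the inner condition, however, can collapse to `drop: ["ALL"]` and an unguarded `seccompProfile`, which also makes it obvious that with RPSS disabled the nextcloud pod and containers get no securityContext at all. If that is intended, a comment next to the outer guard stating why the block is skipped entirely when RPSS is off would save the next reader from reconstructing it from the generator script. The container spec continues outside the hunk.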


@ -23,16 +23,18 @@ spec:
labels: labels:
io.kompose.service: nextcloud-aio-notify-push io.kompose.service: nextcloud-aio-notify-push
spec: spec:
initContainers: securityContext:
- name: init-volumes # The items below only work in pod context
image: "alpine:3.20" fsGroup: 33
command: fsGroupChangePolicy: "OnRootMismatch"
- chmod # The items below work in both contexts
- "777" runAsUser: 33
- /nextcloud-aio-nextcloud runAsGroup: 33
volumeMounts: runAsNonRoot: true
- name: nextcloud-aio-nextcloud {{- if eq .Values.RPSS_ENABLED "yes" }}
mountPath: /nextcloud-aio-nextcloud seccompProfile:
type: RuntimeDefault
{{- end }}
containers: containers:
- env: - env:
- name: NC_DOMAIN - name: NC_DOMAIN
@ -53,18 +55,21 @@ spec:
value: nextcloud-aio-redis value: nextcloud-aio-redis
- name: REDIS_HOST_PASSWORD - name: REDIS_HOST_PASSWORD
value: "{{ .Values.REDIS_PASSWORD }}" value: "{{ .Values.REDIS_PASSWORD }}"
image: "nextcloud/aio-notify-push:20241106_101604" image: nextcloud/aio-notify-push:20241106_101604
name: nextcloud-aio-notify-push name: nextcloud-aio-notify-push
ports: ports:
- containerPort: 7867 - containerPort: 7867
protocol: TCP protocol: TCP
securityContext: securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities: capabilities:
drop: {{- if eq .Values.RPSS_ENABLED "yes" }}
- NET_RAW drop: ["ALL"]
runAsUser: 33 {{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts: volumeMounts:
- mountPath: /nextcloud - mountPath: /nextcloud
name: nextcloud-aio-nextcloud name: nextcloud-aio-nextcloud


@ -44,15 +44,11 @@ spec:
value: "{{ .Values.ONLYOFFICE_SECRET }}" value: "{{ .Values.ONLYOFFICE_SECRET }}"
- name: TZ - name: TZ
value: "{{ .Values.TIMEZONE }}" value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-onlyoffice:20241106_101604" image: nextcloud/aio-onlyoffice:20241106_101604
name: nextcloud-aio-onlyoffice name: nextcloud-aio-onlyoffice
ports: ports:
- containerPort: 80 - containerPort: 80
protocol: TCP protocol: TCP
securityContext:
capabilities:
drop:
- NET_RAW
volumeMounts: volumeMounts:
- mountPath: /var/lib/onlyoffice - mountPath: /var/lib/onlyoffice
name: nextcloud-aio-onlyoffice name: nextcloud-aio-onlyoffice


@ -23,34 +23,39 @@ spec:
labels: labels:
io.kompose.service: nextcloud-aio-redis io.kompose.service: nextcloud-aio-redis
spec: spec:
initContainers: securityContext:
- name: init-volumes # The items below only work in pod context
image: "alpine:3.20" fsGroup: 999
command: fsGroupChangePolicy: "OnRootMismatch"
- chmod # The items below work in both contexts
- "777" runAsUser: 999
- /nextcloud-aio-redis runAsGroup: 999
volumeMounts: runAsNonRoot: true
- name: nextcloud-aio-redis {{- if eq .Values.RPSS_ENABLED "yes" }}
mountPath: /nextcloud-aio-redis seccompProfile:
type: RuntimeDefault
{{- end }}
containers: containers:
- env: - env:
- name: REDIS_HOST_PASSWORD - name: REDIS_HOST_PASSWORD
value: "{{ .Values.REDIS_PASSWORD }}" value: "{{ .Values.REDIS_PASSWORD }}"
- name: TZ - name: TZ
value: "{{ .Values.TIMEZONE }}" value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-redis:20241106_101604" image: nextcloud/aio-redis:20241106_101604
name: nextcloud-aio-redis name: nextcloud-aio-redis
ports: ports:
- containerPort: 6379 - containerPort: 6379
protocol: TCP protocol: TCP
securityContext: securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities: capabilities:
drop: {{- if eq .Values.RPSS_ENABLED "yes" }}
- NET_RAW drop: ["ALL"]
runAsUser: 999 {{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
volumeMounts: volumeMounts:
- mountPath: /data - mountPath: /data
name: nextcloud-aio-redis name: nextcloud-aio-redis


@ -22,6 +22,18 @@ spec:
labels: labels:
io.kompose.service: nextcloud-aio-talk io.kompose.service: nextcloud-aio-talk
spec: spec:
securityContext:
# The items below only work in pod context
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers: containers:
- env: - env:
- name: TALK_MAX_STREAM_BITRATE - name: TALK_MAX_STREAM_BITRATE
@ -42,7 +54,7 @@ spec:
value: "{{ .Values.TURN_SECRET }}" value: "{{ .Values.TURN_SECRET }}"
- name: TZ - name: TZ
value: "{{ .Values.TIMEZONE }}" value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-talk:20241106_101604" image: nextcloud/aio-talk:20241106_101604
name: nextcloud-aio-talk name: nextcloud-aio-talk
ports: ports:
- containerPort: {{ .Values.TALK_PORT }} - containerPort: {{ .Values.TALK_PORT }}
@ -52,10 +64,13 @@ spec:
- containerPort: 8081 - containerPort: 8081
protocol: TCP protocol: TCP
securityContext: securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities: capabilities:
drop: {{- if eq .Values.RPSS_ENABLED "yes" }}
- NET_RAW drop: ["ALL"]
runAsUser: 1000 {{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }} {{- end }}


@ -22,6 +22,18 @@ spec:
labels: labels:
io.kompose.service: nextcloud-aio-talk-recording io.kompose.service: nextcloud-aio-talk-recording
spec: spec:
securityContext:
# The items below only work in pod context
fsGroup: 122
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 122
runAsGroup: 122
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers: containers:
- env: - env:
- name: INTERNAL_SECRET - name: INTERNAL_SECRET
@ -32,16 +44,19 @@ spec:
value: "{{ .Values.RECORDING_SECRET }}" value: "{{ .Values.RECORDING_SECRET }}"
- name: TZ - name: TZ
value: "{{ .Values.TIMEZONE }}" value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-talk-recording:20241106_101604" image: nextcloud/aio-talk-recording:20241106_101604
name: nextcloud-aio-talk-recording name: nextcloud-aio-talk-recording
ports: ports:
- containerPort: 1234 - containerPort: 1234
protocol: TCP protocol: TCP
securityContext: securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities: capabilities:
drop: {{- if eq .Values.RPSS_ENABLED "yes" }}
- NET_RAW drop: ["ALL"]
runAsUser: 122 {{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }} {{- end }}


@ -22,6 +22,18 @@ spec:
labels: labels:
io.kompose.service: nextcloud-aio-whiteboard io.kompose.service: nextcloud-aio-whiteboard
spec: spec:
securityContext:
# The items below only work in pod context
fsGroup: 65534
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
containers: containers:
- env: - env:
- name: JWT_SECRET_KEY - name: JWT_SECRET_KEY
@ -36,16 +48,19 @@ spec:
value: redis value: redis
- name: TZ - name: TZ
value: "{{ .Values.TIMEZONE }}" value: "{{ .Values.TIMEZONE }}"
image: "nextcloud/aio-whiteboard:20241106_101604" image: nextcloud/aio-whiteboard:20241106_101604
name: nextcloud-aio-whiteboard name: nextcloud-aio-whiteboard
ports: ports:
- containerPort: 3002 - containerPort: 3002
protocol: TCP protocol: TCP
securityContext: securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities: capabilities:
drop: {{- if eq .Values.RPSS_ENABLED "yes" }}
- NET_RAW drop: ["ALL"]
runAsUser: 65534 {{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }} {{- end }}


@ -50,6 +50,11 @@ yq -i 'del(.services.[].profiles)' latest.yml
# Delete read_only and tmpfs setting while https://github.com/kubernetes/kubernetes/issues/48912 is not fixed # Delete read_only and tmpfs setting while https://github.com/kubernetes/kubernetes/issues/48912 is not fixed
yq -i 'del(.services.[].read_only)' latest.yml yq -i 'del(.services.[].read_only)' latest.yml
yq -i 'del(.services.[].tmpfs)' latest.yml yq -i 'del(.services.[].tmpfs)' latest.yml
# Remove cap_drop in order to add it later again easier
yq -i 'del(.services.[].cap_drop)' latest.yml
# Remove SYS_NICE for imaginary as it is not supported with RPSS
sed -i "s|- SYS_NICE$|- NET_BIND_SERVICE|" latest.yml
cat latest.yml cat latest.yml
kompose convert -c -f latest.yml --namespace nextcloud-aio-namespace kompose convert -c -f latest.yml --namespace nextcloud-aio-namespace
cd latest cd latest
@ -76,14 +81,10 @@ cat << EOL > /tmp/initcontainers.database
- mkdir - mkdir
- "-p" - "-p"
- /nextcloud-aio-database/data - /nextcloud-aio-database/data
volumeMountsInitContainer: volumeMounts:
- name: init-volumes - name: nextcloud-aio-database
image: "alpine:3.20" mountPath: /nextcloud-aio-database
command: securityContext:
- chown
- 999:999
- "-R"
volumeMountsInitContainer:
EOL EOL
cat << EOL > /tmp/initcontainers.clamav cat << EOL > /tmp/initcontainers.clamav
initContainers: initContainers:
@ -93,14 +94,10 @@ cat << EOL > /tmp/initcontainers.clamav
- mkdir - mkdir
- "-p" - "-p"
- /nextcloud-aio-clamav/data - /nextcloud-aio-clamav/data
volumeMountsInitContainer: volumeMounts:
- name: init-volumes - name: nextcloud-aio-clamav
image: "alpine:3.20" mountPath: /nextcloud-aio-clamav
command: securityContext:
- chown
- 100:100
- "-R"
volumeMountsInitContainer:
EOL EOL
cat << EOL > /tmp/initcontainers.nextcloud cat << EOL > /tmp/initcontainers.nextcloud
initContainers: initContainers:
@ -111,13 +108,19 @@ cat << EOL > /tmp/initcontainers.nextcloud
- "-rf" - "-rf"
- "/nextcloud-aio-nextcloud/lost+found" - "/nextcloud-aio-nextcloud/lost+found"
volumeMountsInitRmLostFound: volumeMountsInitRmLostFound:
{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
securityContext:
{{- end }} # AIO-config - do not change this comment!
# AIO settings start # Do not remove or change this line!
- name: init-volumes - name: init-volumes
image: "alpine:3.20" image: "alpine:3.20"
command: command:
- chmod - chmod
- "777" - "777"
volumeMountsInitContainer: volumeMountsInitContainer:
# AIO settings end # Do not remove or change this line!
EOL EOL
# shellcheck disable=SC1083 # shellcheck disable=SC1083
DEPLOYMENTS="$(find ./ -name '*deployment.yaml')" DEPLOYMENTS="$(find ./ -name '*deployment.yaml')"
mapfile -t DEPLOYMENTS <<< "$DEPLOYMENTS" mapfile -t DEPLOYMENTS <<< "$DEPLOYMENTS"
@ -129,7 +132,7 @@ for variable in "${DEPLOYMENTS[@]}"; do
sed -i "/^ spec:/r /tmp/initcontainers.clamav" "$variable" sed -i "/^ spec:/r /tmp/initcontainers.clamav" "$variable"
elif echo "$variable" | grep -q "nextcloud-deployment.yaml"; then elif echo "$variable" | grep -q "nextcloud-deployment.yaml"; then
sed -i "/^ spec:/r /tmp/initcontainers.nextcloud" "$variable" sed -i "/^ spec:/r /tmp/initcontainers.nextcloud" "$variable"
else elif echo "$variable" | grep -q "fulltextsearch" || echo "$variable" | grep -q "onlyoffice" || echo "$variable" | grep -q "collabora"; then
sed -i "/^ spec:/r /tmp/initcontainers" "$variable" sed -i "/^ spec:/r /tmp/initcontainers" "$variable"
fi fi
volumeNames="$(grep -A1 mountPath "$variable" | grep -v mountPath | sed 's|.*name: ||' | sed '/^--$/d')" volumeNames="$(grep -A1 mountPath "$variable" | grep -v mountPath | sed 's|.*name: ||' | sed '/^--$/d')"
@ -161,6 +164,39 @@ for variable in "${DEPLOYMENTS[@]}"; do
done done
fi fi
fi fi
if grep -q runAsUser "$variable" || echo "$variable" | grep -q "nextcloud-deployment.yaml"; then
if echo "$variable" | grep -q "nextcloud-deployment.yaml"; then
USER=33
GROUP=33
echo ' {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!' > /tmp/pod.securityContext
else
USER="$(grep runAsUser "$variable" | grep -oP '[0-9]+')"
GROUP="$USER"
rm -f /tmp/pod.securityContext
fi
sed -i "/runAsUser:/d" "$variable"
sed -i "/capabilities:/d" "$variable"
if [ -n "$USER" ]; then
cat << EOL >> /tmp/pod.securityContext
securityContext:
# The items below only work in pod context
fsGroup: $USER
fsGroupChangePolicy: "OnRootMismatch"
# The items below work in both contexts
runAsUser: $USER
runAsGroup: $GROUP
runAsNonRoot: true
{{- if eq .Values.RPSS_ENABLED "yes" }}
seccompProfile:
type: RuntimeDefault
{{- end }}
EOL
if echo "$variable" | grep -q "nextcloud-deployment.yaml"; then
echo " {{- end }} # AIO-config - do not change this comment!" >> /tmp/pod.securityContext
fi
sed -i "/^ spec:$/r /tmp/pod.securityContext" "$variable"
fi
fi
done done
# shellcheck disable=SC1083 # shellcheck disable=SC1083
find ./ -name '*.yaml' -exec sed -i 's|nextcloud-aio-namespace|"\{\{ .Values.NAMESPACE \}\}"|' \{} \; find ./ -name '*.yaml' -exec sed -i 's|nextcloud-aio-namespace|"\{\{ .Values.NAMESPACE \}\}"|' \{} \;
@ -416,12 +452,49 @@ find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec se
# shellcheck disable=SC1083 # shellcheck disable=SC1083
find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec sed -i "$ a {{- end }}" \{} \; find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec sed -i "$ a {{- end }}" \{} \;
cat << EOL >> /tmp/security.conf cat << EOL > /tmp/security.conf
# The items below only work in container context
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
runAsNonRoot: true capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
EOL EOL
# shellcheck disable=SC1083 # shellcheck disable=SC1083
find ./ \( -not -name '*nextcloud-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^.*securityContext:$/r /tmp/security.conf" \{} \; find ./ \( -not -name '*collabora-deployment.yaml*' -not -name '*imaginary-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^ securityContext:$/r /tmp/security.conf" \{} \;
cat << EOL > /tmp/security.conf
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
EOL
# shellcheck disable=SC1083
find ./ -name '*imaginary-deployment.yaml*' -exec sed -i "/^ securityContext:$/r /tmp/security.conf" \{} \;
cat << EOL > /tmp/security.conf
{{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
securityContext:
# The items below only work in container context
allowPrivilegeEscalation: false
capabilities:
{{- if eq .Values.RPSS_ENABLED "yes" }}
drop: ["ALL"]
{{- else }}
drop: ["NET_RAW"]
{{- end }}
add: ["NET_BIND_SERVICE"]
{{- end }} # AIO-config - do not change this comment!
EOL
# shellcheck disable=SC1083
find ./ -name '*nextcloud-deployment.yaml*' -exec sed -i "/nextcloud\/aio-nextcloud:.*/r /tmp/security.conf" \{} \;
chmod 777 -R ./ chmod 777 -R ./
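Review bot: `USER=33` and `USER="$(grep runAsUser "$variable" | grep -oP '[0-9]+')"` overwrite the login environment's USER variable for the rest of the script and, if it is exported as it normally is, for every child process; the grep pipeline also prints one number per matching line, so a deployment with more than one `runAsUser:` would splice a multi-line value into the `fsGroup:`/`runAsUser:` heredoc. `user_id="$(grep -m1 'runAsUser:' "$variable" | grep -oP '[0-9]+')"` with a lower-case name avoids both. `sed -i "/capabilities:/d"` deletes the kompose-emitted `capabilities:` key but leaves its `add:` children in place (the imaginary deployment is the visible case, where the SYS_NICE substitution keeps an `add:` list), and the template only stays valid because the block re-inserted from `/tmp/security.conf` happens to end at the matching indentation; either delete the whole capabilities subtree and emit `add:` from the heredoc, or add a comment such as `# the kompose add: list is left in place and re-parented under the capabilities: block inserted from /tmp/security.conf`. Finally, the comment `# Remove SYS_NICE for imaginary as it is not supported with RPSS` describes a deletion but the sed substitutes `NET_BIND_SERVICE`, which imaginary (port 9000) has no use for; deleting the entry (and the then-empty `cap_add` key, which kompose may not accept bare) would match the comment.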


@ -332,7 +332,6 @@
"documentation": "https://github.com/nextcloud/all-in-one/discussions/1358", "documentation": "https://github.com/nextcloud/all-in-one/discussions/1358",
"display_name": "Collabora", "display_name": "Collabora",
"image": "nextcloud/aio-collabora", "image": "nextcloud/aio-collabora",
"user": "100",
"init": true, "init": true,
"expose": [ "expose": [
"9980" "9980"