From 11a1f6893cae4b310c2a1266189d6820438f76fa Mon Sep 17 00:00:00 2001 From: "Simon L." Date: Fri, 15 Nov 2024 16:52:55 +0100 Subject: [PATCH] helm: refactor securityContext to support restricted pod security standard Signed-off-by: Simon L. --- manual-install/latest.yml | 1 - .../nextcloud-aio-apache-deployment.yaml | 38 +++--- .../nextcloud-aio-clamav-deployment.yaml | 46 +++++--- .../nextcloud-aio-collabora-deployment.yaml | 7 +- .../nextcloud-aio-database-deployment.yaml | 52 +++++---- ...xtcloud-aio-fulltextsearch-deployment.yaml | 8 +- .../nextcloud-aio-imaginary-deployment.yaml | 24 +++- .../nextcloud-aio-nextcloud-deployment.yaml | 45 +++++++- .../nextcloud-aio-notify-push-deployment.yaml | 35 +++--- .../nextcloud-aio-onlyoffice-deployment.yaml | 6 +- .../nextcloud-aio-redis-deployment.yaml | 35 +++--- .../nextcloud-aio-talk-deployment.yaml | 25 +++- ...xtcloud-aio-talk-recording-deployment.yaml | 25 +++- .../nextcloud-aio-whiteboard-deployment.yaml | 25 +++- nextcloud-aio-helm-chart/update-helm.sh | 109 ++++++++++++++---- php/containers.json | 1 - 16 files changed, 331 insertions(+), 151 deletions(-) diff --git a/manual-install/latest.yml b/manual-install/latest.yml index 90c197b8c9fc..571c9a7e5d4c 100644 --- a/manual-install/latest.yml +++ b/manual-install/latest.yml @@ -202,7 +202,6 @@ services: nextcloud-aio-collabora: image: nextcloud/aio-collabora:latest - user: "100" init: true expose: - "9980" diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml index 4eda439feca1..7cf78bf052f2 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml 
@@ -23,19 +23,18 @@ spec: labels: io.kompose.service: nextcloud-aio-apache spec: - initContainers: - - name: init-volumes - image: "alpine:3.20" - command: - - chmod - - "777" - - /nextcloud-aio-nextcloud - - /nextcloud-aio-apache - volumeMounts: - - name: nextcloud-aio-apache - mountPath: /nextcloud-aio-apache - - name: nextcloud-aio-nextcloud - mountPath: /nextcloud-aio-nextcloud + securityContext: + # The items below only work in pod context + fsGroup: 33 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 33 + runAsGroup: 33 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} containers: - env: - name: ADDITIONAL_TRUSTED_DOMAIN @@ -64,7 +63,7 @@ spec: value: "{{ .Values.TIMEZONE }}" - name: WHITEBOARD_HOST value: nextcloud-aio-whiteboard - image: "nextcloud/aio-apache:20241106_101604" + image: nextcloud/aio-apache:20241106_101604 name: nextcloud-aio-apache ports: - containerPort: {{ .Values.APACHE_PORT }} @@ -72,12 +71,15 @@ spec: - containerPort: {{ .Values.APACHE_PORT }} protocol: UDP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 33 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] volumeMounts: - mountPath: /var/www/html name: nextcloud-aio-nextcloud diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml index 132e464c3f7a..ea3b379f20e7 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml 
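Review bot: The pod-level `seccompProfile: RuntimeDefault` is rendered only when `RPSS_ENABLED` is `"yes"`, so in the default configuration the apache pod — and every other pod that receives the same block (L3, L5, L6, L8, L10–L13) — runs with whatever seccomp profile the cluster defaults to, which on many clusters is unconfined. `RuntimeDefault` is accepted by the baseline profile as well and is simply the container runtime's own default profile, so unless a runtime incompatibility is known the `{{- if }}` guard around `seccompProfile:` could be dropped and the profile set unconditionally. If the gating is deliberate, a comment such as `# seccompProfile is only set under RPSS because <reason>` above the guard would record why.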
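Review bot: `add: ["NET_BIND_SERVICE"]` is granted to every container that receives the shared block — clamav (L3), database (L5), notify-push (L8/L9), redis (L10), talk (L11), talk-recording (L12), whiteboard (L13) and the init containers — although, judging from the visible `containerPort` values, only apache can need it, and only when `APACHE_PORT` is below 1024. It is the one capability the restricted profile tolerates, so admission passes, but it is still a blanket grant to processes that bind no privileged port. Keep the `add:` line in the apache template only (optionally gated with `{{- if lt (int .Values.APACHE_PORT) 1024 }}`) and remove it from the shared `/tmp/security.conf` heredoc in update-helm.sh (L16).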
@@ -24,6 +24,18 @@ spec: labels: io.kompose.service: nextcloud-aio-clamav spec: + securityContext: + # The items below only work in pod context + fsGroup: 100 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 100 + runAsGroup: 100 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} initContainers: - name: init-subpath image: "alpine:3.20" @@ -31,20 +43,19 @@ spec: - mkdir - "-p" - /nextcloud-aio-clamav/data - - /nextcloud-aio-clamav - volumeMounts: - - name: nextcloud-aio-clamav - mountPath: /nextcloud-aio-clamav - - name: init-volumes - image: "alpine:3.20" - command: - - chown - - 100:100 - - "-R" - - /nextcloud-aio-clamav volumeMounts: - name: nextcloud-aio-clamav mountPath: /nextcloud-aio-clamav + securityContext: + # The items below only work in container context + allowPrivilegeEscalation: false + capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] containers: - env: - name: CLAMD_STARTUP_TIMEOUT @@ -53,18 +64,21 @@ spec: value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-clamav:20241106_101604" + image: nextcloud/aio-clamav:20241106_101604 name: nextcloud-aio-clamav ports: - containerPort: 3310 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 100 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] volumeMounts: - mountPath: /var/lib/clamav subPath: data diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml index e43aa08ad9b8..c74355cd9836 100755 
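Review bot: `init-subpath` now has to create `/nextcloud-aio-clamav/data` as UID 100 and relies on the pod `fsGroup: 100` having made the volume root group-writable beforehand, since the `init-volumes` chown container is gone; the database init container in L5 has the same dependency on `fsGroup: 999`. `fsGroup` is honoured only by volume plugins that support it (hostPath and NFS typically do not, CSI drivers depend on their `fsGroupPolicy`), and where it is not applied the `mkdir -p` fails on a fresh volume and the pod never leaves Init. A comment next to `fsGroup:`, e.g. `# volume ownership now relies on fsGroup support in the storage driver; the init containers no longer chown`, plus a line in the chart's storage requirements, would make the new precondition visible.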
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml @@ -36,19 +36,14 @@ spec: value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json - name: server_name value: "{{ .Values.NC_DOMAIN }}" - image: "nextcloud/aio-collabora:20241106_101604" + image: nextcloud/aio-collabora:20241106_101604 name: nextcloud-aio-collabora ports: - containerPort: 9980 protocol: TCP securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: add: - MKNOD - SYS_ADMIN - drop: - - NET_RAW - runAsUser: 100 {{- end }} diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml index 710a47185c71..fc547697500d 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml @@ -23,6 +23,18 @@ spec: labels: io.kompose.service: nextcloud-aio-database spec: + securityContext: + # The items below only work in pod context + fsGroup: 999 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 999 + runAsGroup: 999 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} initContainers: - name: init-subpath image: "alpine:3.20" 
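Review bot: The collabora container now runs as root with `SYS_ADMIN` and without `allowPrivilegeEscalation: false`, `runAsNonRoot: true` or `drop: [NET_RAW]`, all of which this hunk removes (consistent with the `user: "100"` removals in L1 and L17), and nothing in the hunk or the commit message says why. This pod cannot satisfy the restricted profile — nor baseline, given `SYS_ADMIN` — whatever `RPSS_ENABLED` is set to, which is at odds with the commit title. If the image genuinely needs root, the `drop: ["NET_RAW"]` line could at least stay next to the `add:` list, and a comment above `securityContext:` such as `# collabora is exempt from the restricted profile: <reason>` should record the exemption; the `-not -name '*collabora-deployment.yaml*'` exclusion in update-helm.sh (L16) deserves the same comment.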
@@ -30,26 +42,19 @@ spec: - mkdir - "-p" - /nextcloud-aio-database/data - - /nextcloud-aio-database - - /nextcloud-aio-database-dump volumeMounts: - - name: nextcloud-aio-database-dump - mountPath: /nextcloud-aio-database-dump - - name: nextcloud-aio-database - mountPath: /nextcloud-aio-database - - name: init-volumes - image: "alpine:3.20" - command: - - chown - - 999:999 - - "-R" - - /nextcloud-aio-database - - /nextcloud-aio-database-dump - volumeMounts: - - name: nextcloud-aio-database-dump - mountPath: /nextcloud-aio-database-dump - name: nextcloud-aio-database mountPath: /nextcloud-aio-database + securityContext: + # The items below only work in container context + allowPrivilegeEscalation: false + capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] containers: - env: - name: PGTZ @@ -62,18 +67,21 @@ spec: value: nextcloud - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-postgresql:20241106_101604" + image: nextcloud/aio-postgresql:20241106_101604 name: nextcloud-aio-database ports: - containerPort: 5432 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 999 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] volumeMounts: - mountPath: /var/lib/postgresql/data subPath: data diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml index d87d1c89bf33..fdd5ca08d951 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml 
@@ -56,17 +56,11 @@ spec: value: basic - name: xpack.security.enabled value: "false" - image: "nextcloud/aio-fulltextsearch:20241106_101604" + image: nextcloud/aio-fulltextsearch:20241106_101604 name: nextcloud-aio-fulltextsearch ports: - containerPort: 9200 protocol: TCP - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - capabilities: - drop: - - NET_RAW volumeMounts: - mountPath: /usr/share/elasticsearch/data name: nextcloud-aio-elasticsearch diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml index 6535b6a9c3e7..dc71fc6e1d70 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml @@ -22,24 +22,38 @@ spec: labels: io.kompose.service: nextcloud-aio-imaginary spec: + securityContext: + # The items below only work in pod context + fsGroup: 65534 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 65534 + runAsGroup: 65534 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} containers: - env: - name: IMAGINARY_SECRET value: "{{ .Values.IMAGINARY_SECRET }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-imaginary:20241106_101604" + image: nextcloud/aio-imaginary:20241106_101604 name: nextcloud-aio-imaginary ports: - containerPort: 9000 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} add: - SYS_NICE - drop: - - NET_RAW - runAsUser: 65534 {{- end }} 
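Review bot: The fulltextsearch container is left with no securityContext at all — `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and `drop: [NET_RAW]` are removed and nothing replaces them — and onlyoffice (L9) is stripped the same way. The cause appears to be in update-helm.sh: the pod block is only generated when a `runAsUser` line exists (L15), and the container block is only inserted after an existing `securityContext:` line (L16), which presumably no longer exists for these two once `cap_drop` is deleted from latest.yml, so both deployments lose their previous hardening and also cannot pass the restricted profile. If these images cannot run under a fixed UID, the container-level `allowPrivilegeEscalation: false` and `capabilities.drop` block should still be re-inserted for them, with a comment in the template naming what prevents the rest.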
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml index 6b3f4a178352..4898b2b7796e 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml @@ -23,6 +23,20 @@ spec: labels: io.kompose.service: nextcloud-aio-nextcloud spec: + {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment! + securityContext: + # The items below only work in pod context + fsGroup: 33 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 33 + runAsGroup: 33 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} # AIO-config - do not change this comment! initContainers: - name: "delete-lost-found" image: "alpine:3.20" @@ -35,6 +49,19 @@ spec: mountPath: /nextcloud-aio-nextcloud-trusted-cacerts - name: nextcloud-aio-nextcloud mountPath: /nextcloud-aio-nextcloud + {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment! + securityContext: + # The items below only work in container context + allowPrivilegeEscalation: false + capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] + {{- end }} # AIO-config - do not change this comment! +# AIO settings start # Do not remove or change this line! - name: init-volumes image: "alpine:3.20" command: @@ -47,6 +74,7 @@ spec: mountPath: /nextcloud-aio-nextcloud-trusted-cacerts - name: nextcloud-aio-nextcloud mountPath: /nextcloud-aio-nextcloud +# AIO settings end # Do not remove or change this line! containers: - env: - name: SMTP_HOST 
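Review bot: The inner `{{- if eq .Values.RPSS_ENABLED "yes" }}` around `seccompProfile:` sits inside an outer block with the identical condition, so it is always true there; the same nesting appears in the `delete-lost-found` init-container block of the second hunk and in the container block in L8, where the `{{- else }} drop: ["NET_RAW"]` branch can never render. Presumably this comes from reusing the shared heredocs in update-helm.sh (L15, L16) verbatim inside the nextcloud-only wrapper. Dropping the inner conditional in the nextcloud variants, or emitting the nextcloud block from the same heredoc without the outer wrapper, would remove the dead branch and make the rendered template easier to audit.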
@@ -173,17 +201,24 @@ spec: value: "{{ .Values.WHITEBOARD_ENABLED }}" - name: WHITEBOARD_SECRET value: "{{ .Values.WHITEBOARD_SECRET }}" - image: "nextcloud/aio-nextcloud:20241106_101604" + image: nextcloud/aio-nextcloud:20241106_101604 + {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment! + # The items below only work in container context + allowPrivilegeEscalation: false + capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] + {{- end }} # AIO-config - do not change this comment! name: nextcloud-aio-nextcloud ports: - containerPort: 9000 protocol: TCP - containerPort: 9001 protocol: TCP - securityContext: - capabilities: - drop: - - NET_RAW volumeMounts: - mountPath: /var/www/html name: nextcloud-aio-nextcloud diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml index 71ff99872cd4..086ebd5b8583 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml @@ -23,16 +23,18 @@ spec: labels: io.kompose.service: nextcloud-aio-notify-push spec: - initContainers: - - name: init-volumes - image: "alpine:3.20" - command: - - chmod - - "777" - - /nextcloud-aio-nextcloud - volumeMounts: - - name: nextcloud-aio-nextcloud - mountPath: /nextcloud-aio-nextcloud + securityContext: + # The items below only work in pod context + fsGroup: 33 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 33 + runAsGroup: 33 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} containers: - env: - name: NC_DOMAIN 
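Review bot: The block inserted after `image: nextcloud/aio-nextcloud:20241106_101604` has no `securityContext:` key, so `allowPrivilegeEscalation` and `capabilities` land directly under the container, where no such fields exist; depending on API-server field validation the manifest is either rejected at install time or the fields are silently dropped, and since the old `securityContext: capabilities: drop: [NET_RAW]` below `ports:` is removed in the same hunk, the nextcloud container ends up with no securityContext in either mode. The block originates from the third `/tmp/security.conf` heredoc in update-helm.sh (L16), which also lacks the key, so fixing the template alone would be undone by the next regeneration. Add `securityContext:` as the first line inside the `{{- if }}` wrapper in that heredoc and indent the remaining lines one level under it, and consider rendering the `drop: ["NET_RAW"]` line outside RPSS mode as well instead of dropping it.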
@@ -53,18 +55,21 @@ spec: value: nextcloud-aio-redis - name: REDIS_HOST_PASSWORD value: "{{ .Values.REDIS_PASSWORD }}" - image: "nextcloud/aio-notify-push:20241106_101604" + image: nextcloud/aio-notify-push:20241106_101604 name: nextcloud-aio-notify-push ports: - containerPort: 7867 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 33 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] volumeMounts: - mountPath: /nextcloud name: nextcloud-aio-nextcloud diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml index 9c4b48bbef85..9a69e6608438 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml @@ -44,15 +44,11 @@ spec: value: "{{ .Values.ONLYOFFICE_SECRET }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-onlyoffice:20241106_101604" + image: nextcloud/aio-onlyoffice:20241106_101604 name: nextcloud-aio-onlyoffice ports: - containerPort: 80 protocol: TCP - securityContext: - capabilities: - drop: - - NET_RAW volumeMounts: - mountPath: /var/lib/onlyoffice name: nextcloud-aio-onlyoffice diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml index efcd16562e6b..3acd1e05d525 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml 
@@ -23,34 +23,39 @@ spec: labels: io.kompose.service: nextcloud-aio-redis spec: - initContainers: - - name: init-volumes - image: "alpine:3.20" - command: - - chmod - - "777" - - /nextcloud-aio-redis - volumeMounts: - - name: nextcloud-aio-redis - mountPath: /nextcloud-aio-redis + securityContext: + # The items below only work in pod context + fsGroup: 999 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 999 + runAsGroup: 999 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} containers: - env: - name: REDIS_HOST_PASSWORD value: "{{ .Values.REDIS_PASSWORD }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-redis:20241106_101604" + image: nextcloud/aio-redis:20241106_101604 name: nextcloud-aio-redis ports: - containerPort: 6379 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 999 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] volumeMounts: - mountPath: /data name: nextcloud-aio-redis diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml index db2ab85f7d76..c09b67587e87 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml 
@@ -22,6 +22,18 @@ spec: labels: io.kompose.service: nextcloud-aio-talk spec: + securityContext: + # The items below only work in pod context + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} containers: - env: - name: TALK_MAX_STREAM_BITRATE @@ -42,7 +54,7 @@ spec: value: "{{ .Values.TURN_SECRET }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-talk:20241106_101604" + image: nextcloud/aio-talk:20241106_101604 name: nextcloud-aio-talk ports: - containerPort: {{ .Values.TALK_PORT }} @@ -52,10 +64,13 @@ spec: - containerPort: 8081 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 1000 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] {{- end }} diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml index c5dccf0e7e8c..62289b01f8f2 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml @@ -22,6 +22,18 @@ spec: labels: io.kompose.service: nextcloud-aio-talk-recording spec: + securityContext: + # The items below only work in pod context + fsGroup: 122 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 122 + runAsGroup: 122 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} containers: - env: - name: INTERNAL_SECRET 
@@ -32,16 +44,19 @@ spec: value: "{{ .Values.RECORDING_SECRET }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-talk-recording:20241106_101604" + image: nextcloud/aio-talk-recording:20241106_101604 name: nextcloud-aio-talk-recording ports: - containerPort: 1234 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 122 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] {{- end }} diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml index c374d64073d3..1b9da32cbc49 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml @@ -22,6 +22,18 @@ spec: labels: io.kompose.service: nextcloud-aio-whiteboard spec: + securityContext: + # The items below only work in pod context + fsGroup: 65534 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 65534 + runAsGroup: 65534 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} containers: - env: - name: JWT_SECRET_KEY 
@@ -36,16 +48,19 @@ spec: value: redis - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-whiteboard:20241106_101604" + image: nextcloud/aio-whiteboard:20241106_101604 name: nextcloud-aio-whiteboard ports: - containerPort: 3002 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 65534 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] {{- end }} diff --git a/nextcloud-aio-helm-chart/update-helm.sh b/nextcloud-aio-helm-chart/update-helm.sh index 4ceeb36bc983..987800068f86 100755 --- a/nextcloud-aio-helm-chart/update-helm.sh +++ b/nextcloud-aio-helm-chart/update-helm.sh @@ -50,6 +50,8 @@ yq -i 'del(.services.[].profiles)' latest.yml # Delete read_only and tmpfs setting while https://github.com/kubernetes/kubernetes/issues/48912 is not fixed yq -i 'del(.services.[].read_only)' latest.yml yq -i 'del(.services.[].tmpfs)' latest.yml +# Remove cap_drop in order to add it later again easier +yq -i 'del(.services.[].cap_drop)' latest.yml cat latest.yml kompose convert -c -f latest.yml --namespace nextcloud-aio-namespace cd latest @@ -76,14 +78,10 @@ cat << EOL > /tmp/initcontainers.database - mkdir - "-p" - /nextcloud-aio-database/data - volumeMountsInitContainer: - - name: init-volumes - image: "alpine:3.20" - command: - - chown - - 999:999 - - "-R" - volumeMountsInitContainer: + volumeMounts: + - name: nextcloud-aio-database + mountPath: /nextcloud-aio-database + securityContext: EOL cat << EOL > /tmp/initcontainers.clamav initContainers: 
@@ -93,14 +91,10 @@ cat << EOL > /tmp/initcontainers.clamav - mkdir - "-p" - /nextcloud-aio-clamav/data - volumeMountsInitContainer: - - name: init-volumes - image: "alpine:3.20" - command: - - chown - - 100:100 - - "-R" - volumeMountsInitContainer: + volumeMounts: + - name: nextcloud-aio-clamav + mountPath: /nextcloud-aio-clamav + securityContext: EOL cat << EOL > /tmp/initcontainers.nextcloud initContainers: @@ -111,13 +105,19 @@ cat << EOL > /tmp/initcontainers.nextcloud - "-rf" - "/nextcloud-aio-nextcloud/lost+found" volumeMountsInitRmLostFound: + {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment! + securityContext: + {{- end }} # AIO-config - do not change this comment! +# AIO settings start # Do not remove or change this line! - name: init-volumes image: "alpine:3.20" command: - chmod - "777" volumeMountsInitContainer: +# AIO settings end # Do not remove or change this line! EOL + # shellcheck disable=SC1083 DEPLOYMENTS="$(find ./ -name '*deployment.yaml')" mapfile -t DEPLOYMENTS <<< "$DEPLOYMENTS" @@ -129,7 +129,7 @@ for variable in "${DEPLOYMENTS[@]}"; do sed -i "/^ spec:/r /tmp/initcontainers.clamav" "$variable" elif echo "$variable" | grep -q "nextcloud-deployment.yaml"; then sed -i "/^ spec:/r /tmp/initcontainers.nextcloud" "$variable" - else + elif echo "$variable" | grep -q "fulltextsearch" || echo "$variable" | grep -q "onlyoffice" || echo "$variable" | grep -q "collabora"; then sed -i "/^ spec:/r /tmp/initcontainers" "$variable" fi volumeNames="$(grep -A1 mountPath "$variable" | grep -v mountPath | sed 's|.*name: ||' | sed '/^--$/d')" 
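Review bot: The new `elif` enumerates the three deployments that get the generic init-container file, so any future `*deployment.yaml` that matches none of the branches now silently receives nothing, where the old `else` covered it. If that is intended, a comment saying so above the branch would help; either way the three `grep -q` calls collapse to `elif echo "$variable" | grep -qE "fulltextsearch|onlyoffice|collabora"; then`.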
@@ -161,6 +161,39 @@ for variable in "${DEPLOYMENTS[@]}"; do done fi fi + if grep -q runAsUser "$variable" || echo "$variable" | grep -q "nextcloud-deployment.yaml"; then + if echo "$variable" | grep -q "nextcloud-deployment.yaml"; then + USER=33 + GROUP=33 + echo ' {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!' > /tmp/pod.securityContext + else + USER="$(grep runAsUser "$variable" | grep -oP '[0-9]+')" + GROUP="$USER" + rm -f /tmp/pod.securityContext + fi + sed -i "/runAsUser:/d" "$variable" + sed -i "/capabilities:/d" "$variable" + if [ -n "$USER" ]; then + cat << EOL >> /tmp/pod.securityContext + securityContext: + # The items below only work in pod context + fsGroup: $USER + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: $USER + runAsGroup: $GROUP + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} +EOL + if echo "$variable" | grep -q "nextcloud-deployment.yaml"; then + echo " {{- end }} # AIO-config - do not change this comment!" >> /tmp/pod.securityContext + fi + sed -i "/^ spec:$/r /tmp/pod.securityContext" "$variable" + fi + fi done # shellcheck disable=SC1083 find ./ -name '*.yaml' -exec sed -i 's|nextcloud-aio-namespace|"\{\{ .Values.NAMESPACE \}\}"|' \{} \; 
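Review bot: The loop assigns `USER=33` and `USER="$(grep runAsUser "$variable" | grep -oP '[0-9]+')"`, overwriting the shell's login-name environment variable `USER` for the remainder of the script and every command it runs; a lowercase local such as `run_as_uid` avoids that. The grep pipeline also emits one number per matching line, so a deployment that ever carries two `runAsUser` lines would feed a multi-line value into `fsGroup: $USER` and produce broken YAML — `grep -m1 runAsUser "$variable" | grep -oP '[0-9]+' | head -n1` pins it to a single value. A one-line comment above the `if` stating that only the main container is expected to carry `runAsUser` at this point would document the assumption the pipeline depends on.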
@@ -416,12 +449,48 @@ find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec se # shellcheck disable=SC1083 find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec sed -i "$ a {{- end }}" \{} \; -cat << EOL >> /tmp/security.conf +cat << EOL > /tmp/security.conf + # The items below only work in container context + allowPrivilegeEscalation: false + capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] +EOL +# shellcheck disable=SC1083 +find ./ \( -not -name '*collabora-deployment.yaml*' -not -name '*imaginary-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^ securityContext:$/r /tmp/security.conf" \{} \; + +cat << EOL > /tmp/security.conf + # The items below only work in container context + allowPrivilegeEscalation: false + capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} +EOL +# shellcheck disable=SC1083 +find ./ -name '*imaginary-deployment.yaml*' -exec sed -i "/^ securityContext:$/r /tmp/security.conf" \{} \; + +cat << EOL > /tmp/security.conf + {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment! + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true + capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] + {{- end }} # AIO-config - do not change this comment! EOL # shellcheck disable=SC1083 -find ./ \( -not -name '*nextcloud-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^.*securityContext:$/r /tmp/security.conf" \{} \; +find ./ -name '*nextcloud-deployment.yaml*' -exec sed -i "/nextcloud\/aio-nextcloud:.*/r /tmp/security.conf" \{} \; chmod 777 -R ./ 
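Review bot: The three `/tmp/security.conf` heredocs are the same nine lines with only the `add: ["NET_BIND_SERVICE"]` line and the nextcloud `{{- if }}` wrapper varying, which is how the nextcloud variant ended up missing its `securityContext:` key while the other two have one in the target file. Building the common part once (a variable or a single heredoc) and appending the `add:` line and wrapper per case would keep the three in step; a short comment above the first `cat` explaining why imaginary and nextcloud get separate variants would also help, since the `find` exclusions are the only place that intent is visible.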
diff --git a/php/containers.json b/php/containers.json index bf5ae3e931ad..17f60b2d7fdf 100644 --- a/php/containers.json +++ b/php/containers.json @@ -332,7 +332,6 @@ "documentation": "https://github.com/nextcloud/all-in-one/discussions/1358", "display_name": "Collabora", "image": "nextcloud/aio-collabora", - "user": "100", "init": true, "expose": [ "9980"