From cf6adc10753d0dd1906521a937ab33bf0e5e7394 Mon Sep 17 00:00:00 2001 From: "Simon L." Date: Fri, 15 Nov 2024 16:52:55 +0100 Subject: [PATCH 1/3] helm: refactor securityContext to support restricted pod security standard Signed-off-by: Simon L. --- manual-install/latest.yml | 1 - .../nextcloud-aio-apache-deployment.yaml | 38 +++--- .../nextcloud-aio-clamav-deployment.yaml | 46 ++++--- .../nextcloud-aio-collabora-deployment.yaml | 7 +- .../nextcloud-aio-database-deployment.yaml | 52 ++++---- ...xtcloud-aio-fulltextsearch-deployment.yaml | 8 +- .../nextcloud-aio-imaginary-deployment.yaml | 26 +++- .../nextcloud-aio-nextcloud-deployment.yaml | 46 ++++++- .../nextcloud-aio-notify-push-deployment.yaml | 35 +++--- .../nextcloud-aio-onlyoffice-deployment.yaml | 6 +- .../nextcloud-aio-redis-deployment.yaml | 35 +++--- .../nextcloud-aio-talk-deployment.yaml | 25 +++- ...xtcloud-aio-talk-recording-deployment.yaml | 25 +++- .../nextcloud-aio-whiteboard-deployment.yaml | 25 +++- nextcloud-aio-helm-chart/update-helm.sh | 113 ++++++++++++++---- php/containers.json | 1 - 16 files changed, 337 insertions(+), 152 deletions(-) diff --git a/manual-install/latest.yml b/manual-install/latest.yml index 90c197b8c9f..571c9a7e5d4 100644 --- a/manual-install/latest.yml +++ b/manual-install/latest.yml @@ -202,7 +202,6 @@ services: nextcloud-aio-collabora: image: nextcloud/aio-collabora:latest - user: "100" init: true expose: - "9980" diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml index 4eda439feca..7cf78bf052f 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml 
@@ -23,19 +23,18 @@ spec: labels: io.kompose.service: nextcloud-aio-apache spec: - initContainers: - - name: init-volumes - image: "alpine:3.20" - command: - - chmod - - "777" - - /nextcloud-aio-nextcloud - - /nextcloud-aio-apache - volumeMounts: - - name: nextcloud-aio-apache - mountPath: /nextcloud-aio-apache - - name: nextcloud-aio-nextcloud - mountPath: /nextcloud-aio-nextcloud + securityContext: + # The items below only work in pod context + fsGroup: 33 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 33 + runAsGroup: 33 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} containers: - env: - name: ADDITIONAL_TRUSTED_DOMAIN @@ -64,7 +63,7 @@ spec: value: "{{ .Values.TIMEZONE }}" - name: WHITEBOARD_HOST value: nextcloud-aio-whiteboard - image: "nextcloud/aio-apache:20241106_101604" + image: nextcloud/aio-apache:20241106_101604 name: nextcloud-aio-apache ports: - containerPort: {{ .Values.APACHE_PORT }} @@ -72,12 +71,15 @@ spec: - containerPort: {{ .Values.APACHE_PORT }} protocol: UDP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 33 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] volumeMounts: - mountPath: /var/www/html name: nextcloud-aio-nextcloud diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml index 132e464c3f7..ea3b379f20e 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml 
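Review bot: The new guard `{{- if eq .Values.RPSS_ENABLED "yes" }}` (used at pod level and again in the container securityContext of this hunk) compares against the string "yes", so a values file that carries an unquoted `RPSS_ENABLED: yes` is loaded as a boolean and Go's `eq` aborts the render with an incompatible-types error instead of falling through to the NET_RAW branch. If the chart's other flags already rely on quoted "yes"/"no" values, a one-line comment on the new key in values.yaml (not part of this patch) is enough; otherwise `{{- if eq (toString .Values.RPSS_ENABLED) "yes" }}` avoids the render error, though a boolean would still not select the restricted branch. The same pattern is repeated in every deployment template touched by this commit, so whichever form is chosen belongs in the generator rather than in the individual files.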
@@ -24,6 +24,18 @@ spec: labels: io.kompose.service: nextcloud-aio-clamav spec: + securityContext: + # The items below only work in pod context + fsGroup: 100 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 100 + runAsGroup: 100 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} initContainers: - name: init-subpath image: "alpine:3.20" @@ -31,20 +43,19 @@ spec: - mkdir - "-p" - /nextcloud-aio-clamav/data - - /nextcloud-aio-clamav - volumeMounts: - - name: nextcloud-aio-clamav - mountPath: /nextcloud-aio-clamav - - name: init-volumes - image: "alpine:3.20" - command: - - chown - - 100:100 - - "-R" - - /nextcloud-aio-clamav volumeMounts: - name: nextcloud-aio-clamav mountPath: /nextcloud-aio-clamav + securityContext: + # The items below only work in container context + allowPrivilegeEscalation: false + capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] containers: - env: - name: CLAMD_STARTUP_TIMEOUT @@ -53,18 +64,21 @@ spec: value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-clamav:20241106_101604" + image: nextcloud/aio-clamav:20241106_101604 name: nextcloud-aio-clamav ports: - containerPort: 3310 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 100 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] volumeMounts: - mountPath: /var/lib/clamav subPath: data diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml index e43aa08ad9b..c74355cd983 100755 
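Review bot: The init-subpath container now runs `mkdir -p /nextcloud-aio-clamav/data` as uid 100 (inherited from the new pod securityContext) and relies on `fsGroup: 100` having made the volume root group-writable, because the root-owned chown step is deleted in the second hunk of this file. Ownership management through fsGroup is only applied by volume plugins that support it; on hostPath or RWX/NFS-style backends the directory stays root-owned and the mkdir fails with a permission error on first start. That requirement is worth a comment above `fsGroup: 100`, e.g. `# relies on the volume plugin applying fsGroup; the former root chown init container is gone`. The database template further down (fsGroup 999, same mkdir init container) has the same dependency.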
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml @@ -36,19 +36,14 @@ spec: value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json - name: server_name value: "{{ .Values.NC_DOMAIN }}" - image: "nextcloud/aio-collabora:20241106_101604" + image: nextcloud/aio-collabora:20241106_101604 name: nextcloud-aio-collabora ports: - containerPort: 9980 protocol: TCP securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: add: - MKNOD - SYS_ADMIN - drop: - - NET_RAW - runAsUser: 100 {{- end }} diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml index 710a47185c7..fc547697500 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml @@ -23,6 +23,18 @@ spec: labels: io.kompose.service: nextcloud-aio-database spec: + securityContext: + # The items below only work in pod context + fsGroup: 999 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 999 + runAsGroup: 999 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} initContainers: - name: init-subpath image: "alpine:3.20" 
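Review bot: The collabora container loses `allowPrivilegeEscalation: false`, `runAsNonRoot: true`, `runAsUser: 100` and `drop: [NET_RAW]` in this hunk while keeping `MKNOD` and `SYS_ADMIN`, and the commit message only speaks of supporting the restricted standard, so the net effect is a container with more privilege than before. If the UID change and privilege escalation are required (for instance because the image depends on file capabilities that no_new_privs would block), that reason belongs in a comment above `securityContext:`; dropping NET_RAW is independent of the UID and could stay as `drop: ["NET_RAW"]` under `capabilities:`. The matching removal of `user: "100"` in manual-install/latest.yml and php/containers.json is likewise unexplained.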
@@ -30,26 +42,19 @@ spec: - mkdir - "-p" - /nextcloud-aio-database/data - - /nextcloud-aio-database - - /nextcloud-aio-database-dump volumeMounts: - - name: nextcloud-aio-database-dump - mountPath: /nextcloud-aio-database-dump - - name: nextcloud-aio-database - mountPath: /nextcloud-aio-database - - name: init-volumes - image: "alpine:3.20" - command: - - chown - - 999:999 - - "-R" - - /nextcloud-aio-database - - /nextcloud-aio-database-dump - volumeMounts: - - name: nextcloud-aio-database-dump - mountPath: /nextcloud-aio-database-dump - name: nextcloud-aio-database mountPath: /nextcloud-aio-database + securityContext: + # The items below only work in container context + allowPrivilegeEscalation: false + capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] containers: - env: - name: PGTZ @@ -62,18 +67,21 @@ spec: value: nextcloud - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-postgresql:20241106_101604" + image: nextcloud/aio-postgresql:20241106_101604 name: nextcloud-aio-database ports: - containerPort: 5432 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 999 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] volumeMounts: - mountPath: /var/lib/postgresql/data subPath: data diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml index d87d1c89bf3..fdd5ca08d95 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml 
@@ -56,17 +56,11 @@ spec: value: basic - name: xpack.security.enabled value: "false" - image: "nextcloud/aio-fulltextsearch:20241106_101604" + image: nextcloud/aio-fulltextsearch:20241106_101604 name: nextcloud-aio-fulltextsearch ports: - containerPort: 9200 protocol: TCP - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - capabilities: - drop: - - NET_RAW volumeMounts: - mountPath: /usr/share/elasticsearch/data name: nextcloud-aio-elasticsearch diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml index 6535b6a9c3e..a37a9d00644 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml @@ -22,24 +22,38 @@ spec: labels: io.kompose.service: nextcloud-aio-imaginary spec: + securityContext: + # The items below only work in pod context + fsGroup: 65534 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 65534 + runAsGroup: 65534 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} containers: - env: - name: IMAGINARY_SECRET value: "{{ .Values.IMAGINARY_SECRET }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-imaginary:20241106_101604" + image: nextcloud/aio-imaginary:20241106_101604 name: nextcloud-aio-imaginary ports: - containerPort: 9000 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} add: - - SYS_NICE - drop: - - NET_RAW - runAsUser: 65534 + - NET_BIND_SERVICE {{- end }} 
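Review bot: The fulltextsearch container's whole securityContext (`allowPrivilegeEscalation: false`, `runAsNonRoot: true`, `drop: [NET_RAW]`) is removed in this hunk and nothing replaces it, which the commit message does not mention; the generator apparently skips this file because the compose service carries no runAsUser. Unless the image needs those privileges, keep at least `securityContext:` / `allowPrivilegeEscalation: false` / `capabilities: {drop: ["NET_RAW"]}` on the container, or add a comment explaining why this deployment is exempt. The onlyoffice template further down loses its `drop: [NET_RAW]` the same way.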
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml index 6b3f4a17835..6dcf9520ddc 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml @@ -23,6 +23,20 @@ spec: labels: io.kompose.service: nextcloud-aio-nextcloud spec: + {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment! + securityContext: + # The items below only work in pod context + fsGroup: 33 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 33 + runAsGroup: 33 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} # AIO-config - do not change this comment! initContainers: - name: "delete-lost-found" image: "alpine:3.20" @@ -35,6 +49,19 @@ spec: mountPath: /nextcloud-aio-nextcloud-trusted-cacerts - name: nextcloud-aio-nextcloud mountPath: /nextcloud-aio-nextcloud + {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment! + securityContext: + # The items below only work in container context + allowPrivilegeEscalation: false + capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] + {{- end }} # AIO-config - do not change this comment! +# AIO settings start # Do not remove or change this line! - name: init-volumes image: "alpine:3.20" command: @@ -47,6 +74,7 @@ spec: mountPath: /nextcloud-aio-nextcloud-trusted-cacerts - name: nextcloud-aio-nextcloud mountPath: /nextcloud-aio-nextcloud +# AIO settings end # Do not remove or change this line! containers: - env: - name: SMTP_HOST 
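Review bot: The seccompProfile guard `{{- if eq .Values.RPSS_ENABLED "yes" }}` inside the pod securityContext is nested in an outer guard with the identical condition, so the inner one can never be false and only adds noise to this file. The container-level block inserted after the image line in the next hunk has the same shape, where the `{{- else }} drop: ["NET_RAW"]` branch is dead for the same reason. Both come from update-helm.sh appending the shared snippet inside the nextcloud-specific wrapper; emitting a variant without the inner guard there, or dropping the outer wrapper and guarding only the lines that differ, would make the rendered intent readable.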
@@ -173,17 +201,25 @@ spec: value: "{{ .Values.WHITEBOARD_ENABLED }}" - name: WHITEBOARD_SECRET value: "{{ .Values.WHITEBOARD_SECRET }}" - image: "nextcloud/aio-nextcloud:20241106_101604" + image: nextcloud/aio-nextcloud:20241106_101604 + {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment! + securityContext: + # The items below only work in container context + allowPrivilegeEscalation: false + capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] + {{- end }} # AIO-config - do not change this comment! name: nextcloud-aio-nextcloud ports: - containerPort: 9000 protocol: TCP - containerPort: 9001 protocol: TCP - securityContext: - capabilities: - drop: - - NET_RAW volumeMounts: - mountPath: /var/www/html name: nextcloud-aio-nextcloud diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml index 71ff99872cd..086ebd5b858 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml @@ -23,16 +23,18 @@ spec: labels: io.kompose.service: nextcloud-aio-notify-push spec: - initContainers: - - name: init-volumes - image: "alpine:3.20" - command: - - chmod - - "777" - - /nextcloud-aio-nextcloud - volumeMounts: - - name: nextcloud-aio-nextcloud - mountPath: /nextcloud-aio-nextcloud + securityContext: + # The items below only work in pod context + fsGroup: 33 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 33 + runAsGroup: 33 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} containers: - env: - name: NC_DOMAIN 
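Review bot: With RPSS_ENABLED unset, the nextcloud container now has no securityContext at all: the old unconditional `capabilities: drop: [NET_RAW]` is deleted lower in this hunk and the replacement block is wrapped in `{{- if eq .Values.RPSS_ENABLED "yes" }}`, so the default path regresses relative to the previous state. The inner `{{- else }} drop: ["NET_RAW"]` branch was presumably meant to cover that case but sits inside the outer guard and is never rendered. Guarding only the restricted-specific lines keeps the NET_RAW drop on both paths; if the `# AIO-config` markers are consumed by tooling that toggles the enclosed lines, the else branch needs the same marker treatment — confirm. The same snippet is produced by the third /tmp/security.conf heredoc in update-helm.sh and should be changed there too.
```yaml
        image: nextcloud/aio-nextcloud:20241106_101604
        securityContext:
          # The items below only work in container context
          {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
            add: ["NET_BIND_SERVICE"]
          {{- else }}
          capabilities:
            drop: ["NET_RAW"]
          {{- end }} # AIO-config - do not change this comment!
        # … unchanged: name, ports, volumeMounts …
```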
@@ -53,18 +55,21 @@ spec: value: nextcloud-aio-redis - name: REDIS_HOST_PASSWORD value: "{{ .Values.REDIS_PASSWORD }}" - image: "nextcloud/aio-notify-push:20241106_101604" + image: nextcloud/aio-notify-push:20241106_101604 name: nextcloud-aio-notify-push ports: - containerPort: 7867 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 33 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] volumeMounts: - mountPath: /nextcloud name: nextcloud-aio-nextcloud diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml index 9c4b48bbef8..9a69e660843 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml @@ -44,15 +44,11 @@ spec: value: "{{ .Values.ONLYOFFICE_SECRET }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-onlyoffice:20241106_101604" + image: nextcloud/aio-onlyoffice:20241106_101604 name: nextcloud-aio-onlyoffice ports: - containerPort: 80 protocol: TCP - securityContext: - capabilities: - drop: - - NET_RAW volumeMounts: - mountPath: /var/lib/onlyoffice name: nextcloud-aio-onlyoffice diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml index efcd16562e6..3acd1e05d52 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml 
@@ -23,34 +23,39 @@ spec: labels: io.kompose.service: nextcloud-aio-redis spec: - initContainers: - - name: init-volumes - image: "alpine:3.20" - command: - - chmod - - "777" - - /nextcloud-aio-redis - volumeMounts: - - name: nextcloud-aio-redis - mountPath: /nextcloud-aio-redis + securityContext: + # The items below only work in pod context + fsGroup: 999 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 999 + runAsGroup: 999 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} containers: - env: - name: REDIS_HOST_PASSWORD value: "{{ .Values.REDIS_PASSWORD }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-redis:20241106_101604" + image: nextcloud/aio-redis:20241106_101604 name: nextcloud-aio-redis ports: - containerPort: 6379 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 999 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] volumeMounts: - mountPath: /data name: nextcloud-aio-redis diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml index db2ab85f7d7..c09b67587e8 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml 
@@ -22,6 +22,18 @@ spec: labels: io.kompose.service: nextcloud-aio-talk spec: + securityContext: + # The items below only work in pod context + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} containers: - env: - name: TALK_MAX_STREAM_BITRATE @@ -42,7 +54,7 @@ spec: value: "{{ .Values.TURN_SECRET }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-talk:20241106_101604" + image: nextcloud/aio-talk:20241106_101604 name: nextcloud-aio-talk ports: - containerPort: {{ .Values.TALK_PORT }} @@ -52,10 +64,13 @@ spec: - containerPort: 8081 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 1000 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] {{- end }} diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml index c5dccf0e7e8..62289b01f8f 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml @@ -22,6 +22,18 @@ spec: labels: io.kompose.service: nextcloud-aio-talk-recording spec: + securityContext: + # The items below only work in pod context + fsGroup: 122 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 122 + runAsGroup: 122 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} containers: - env: - name: INTERNAL_SECRET 
@@ -32,16 +44,19 @@ spec: value: "{{ .Values.RECORDING_SECRET }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-talk-recording:20241106_101604" + image: nextcloud/aio-talk-recording:20241106_101604 name: nextcloud-aio-talk-recording ports: - containerPort: 1234 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 122 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] {{- end }} diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml index c374d64073d..1b9da32cbc4 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml @@ -22,6 +22,18 @@ spec: labels: io.kompose.service: nextcloud-aio-whiteboard spec: + securityContext: + # The items below only work in pod context + fsGroup: 65534 + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: 65534 + runAsGroup: 65534 + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} containers: - env: - name: JWT_SECRET_KEY 
@@ -36,16 +48,19 @@ spec: value: redis - name: TZ value: "{{ .Values.TIMEZONE }}" - image: "nextcloud/aio-whiteboard:20241106_101604" + image: nextcloud/aio-whiteboard:20241106_101604 name: nextcloud-aio-whiteboard ports: - containerPort: 3002 protocol: TCP securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true capabilities: - drop: - - NET_RAW - runAsUser: 65534 + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] {{- end }} diff --git a/nextcloud-aio-helm-chart/update-helm.sh b/nextcloud-aio-helm-chart/update-helm.sh index 4ceeb36bc98..07ed989c90b 100755 --- a/nextcloud-aio-helm-chart/update-helm.sh +++ b/nextcloud-aio-helm-chart/update-helm.sh @@ -50,6 +50,11 @@ yq -i 'del(.services.[].profiles)' latest.yml # Delete read_only and tmpfs setting while https://github.com/kubernetes/kubernetes/issues/48912 is not fixed yq -i 'del(.services.[].read_only)' latest.yml yq -i 'del(.services.[].tmpfs)' latest.yml +# Remove cap_drop in order to add it later again easier +yq -i 'del(.services.[].cap_drop)' latest.yml +# Remove SYS_NICE for imaginary as it is not supported with RPSS +sed -i "s|- SYS_NICE$|- NET_BIND_SERVICE|" latest.yml + cat latest.yml kompose convert -c -f latest.yml --namespace nextcloud-aio-namespace cd latest @@ -76,14 +81,10 @@ cat << EOL > /tmp/initcontainers.database - mkdir - "-p" - /nextcloud-aio-database/data - volumeMountsInitContainer: - - name: init-volumes - image: "alpine:3.20" - command: - - chown - - 999:999 - - "-R" - volumeMountsInitContainer: + volumeMounts: + - name: nextcloud-aio-database + mountPath: /nextcloud-aio-database + securityContext: EOL cat << EOL > /tmp/initcontainers.clamav initContainers: 
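Review bot: The comment says SYS_NICE is removed, but `sed -i "s|- SYS_NICE$|- NET_BIND_SERVICE|" latest.yml` replaces it, so the imaginary container (listening on 9000) ends up with an `add: [NET_BIND_SERVICE]` entry it has no use for, as the rendered imaginary template in this series shows. Deleting the list entry instead keeps the least-privilege intent, for example with the yq already used two lines above, something like `yq -i 'del(.services.[].cap_add[] | select(. == "SYS_NICE"))' latest.yml`; at minimum the comment should say the capability is swapped rather than removed. The SYS_ADMIN rename added in the second patch of this series follows the same substitution pattern.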
@@ -93,14 +94,10 @@ cat << EOL > /tmp/initcontainers.clamav - mkdir - "-p" - /nextcloud-aio-clamav/data - volumeMountsInitContainer: - - name: init-volumes - image: "alpine:3.20" - command: - - chown - - 100:100 - - "-R" - volumeMountsInitContainer: + volumeMounts: + - name: nextcloud-aio-clamav + mountPath: /nextcloud-aio-clamav + securityContext: EOL cat << EOL > /tmp/initcontainers.nextcloud initContainers: @@ -111,13 +108,19 @@ cat << EOL > /tmp/initcontainers.nextcloud - "-rf" - "/nextcloud-aio-nextcloud/lost+found" volumeMountsInitRmLostFound: + {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment! + securityContext: + {{- end }} # AIO-config - do not change this comment! +# AIO settings start # Do not remove or change this line! - name: init-volumes image: "alpine:3.20" command: - chmod - "777" volumeMountsInitContainer: +# AIO settings end # Do not remove or change this line! EOL + # shellcheck disable=SC1083 DEPLOYMENTS="$(find ./ -name '*deployment.yaml')" mapfile -t DEPLOYMENTS <<< "$DEPLOYMENTS" @@ -129,7 +132,7 @@ for variable in "${DEPLOYMENTS[@]}"; do sed -i "/^ spec:/r /tmp/initcontainers.clamav" "$variable" elif echo "$variable" | grep -q "nextcloud-deployment.yaml"; then sed -i "/^ spec:/r /tmp/initcontainers.nextcloud" "$variable" - else + elif echo "$variable" | grep -q "fulltextsearch" || echo "$variable" | grep -q "onlyoffice" || echo "$variable" | grep -q "collabora"; then sed -i "/^ spec:/r /tmp/initcontainers" "$variable" fi volumeNames="$(grep -A1 mountPath "$variable" | grep -v mountPath | sed 's|.*name: ||' | sed '/^--$/d')" 
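Review bot: The new `elif` in the deployments loop runs `grep` three times on the filename to test for fulltextsearch, onlyoffice or collabora; a single `elif echo "$variable" | grep -qE 'fulltextsearch|onlyoffice|collabora'; then` reads as one condition and is cheaper. Since the branch replaces the former catch-all `else`, every other deployment now gets no init container at all, as the apache, notify-push and redis templates in this series show; a comment above the `elif` stating that this is intentional would keep the next reader from treating it as an omission.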
@@ -161,6 +164,39 @@ for variable in "${DEPLOYMENTS[@]}"; do done fi fi + if grep -q runAsUser "$variable" || echo "$variable" | grep -q "nextcloud-deployment.yaml"; then + if echo "$variable" | grep -q "nextcloud-deployment.yaml"; then + USER=33 + GROUP=33 + echo ' {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!' > /tmp/pod.securityContext + else + USER="$(grep runAsUser "$variable" | grep -oP '[0-9]+')" + GROUP="$USER" + rm -f /tmp/pod.securityContext + fi + sed -i "/runAsUser:/d" "$variable" + sed -i "/capabilities:/d" "$variable" + if [ -n "$USER" ]; then + cat << EOL >> /tmp/pod.securityContext + securityContext: + # The items below only work in pod context + fsGroup: $USER + fsGroupChangePolicy: "OnRootMismatch" + # The items below work in both contexts + runAsUser: $USER + runAsGroup: $GROUP + runAsNonRoot: true + {{- if eq .Values.RPSS_ENABLED "yes" }} + seccompProfile: + type: RuntimeDefault + {{- end }} +EOL + if echo "$variable" | grep -q "nextcloud-deployment.yaml"; then + echo " {{- end }} # AIO-config - do not change this comment!" >> /tmp/pod.securityContext + fi + sed -i "/^ spec:$/r /tmp/pod.securityContext" "$variable" + fi + fi done # shellcheck disable=SC1083 find ./ -name '*.yaml' -exec sed -i 's|nextcloud-aio-namespace|"\{\{ .Values.NAMESPACE \}\}"|' \{} \; 
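Review bot: The new block assigns `USER` and `GROUP`, clobbering the exported login-name variable `USER` for the rest of the script and for any child process that reads it; lowercase locals such as `run_as_user`/`run_as_group` avoid that. `USER="$(grep runAsUser "$variable" | grep -oP '[0-9]+')"` also yields one line per match, so a template with two `runAsUser:` lines would produce a multi-line `fsGroup:` value; `grep -m1` (or a check that all matches are identical) pins it to one number. Finally `sed -i "/capabilities:/d"` deletes every `capabilities:` line in the file, which is only safe where each block is regenerated afterwards (collabora keeps its `add:` list and seems to be spared only because it no longer carries a runAsUser) — a comment saying so would save the next reader a puzzle.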
@@ -416,12 +452,49 @@ find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec se # shellcheck disable=SC1083 find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec sed -i "$ a {{- end }}" \{} \; -cat << EOL >> /tmp/security.conf +cat << EOL > /tmp/security.conf + # The items below only work in container context + allowPrivilegeEscalation: false + capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] +EOL +# shellcheck disable=SC1083 +find ./ \( -not -name '*collabora-deployment.yaml*' -not -name '*imaginary-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^ securityContext:$/r /tmp/security.conf" \{} \; + +cat << EOL > /tmp/security.conf + # The items below only work in container context + allowPrivilegeEscalation: false + capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} +EOL +# shellcheck disable=SC1083 +find ./ -name '*imaginary-deployment.yaml*' -exec sed -i "/^ securityContext:$/r /tmp/security.conf" \{} \; + +cat << EOL > /tmp/security.conf + {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment! + securityContext: + # The items below only work in container context allowPrivilegeEscalation: false - runAsNonRoot: true + capabilities: + {{- if eq .Values.RPSS_ENABLED "yes" }} + drop: ["ALL"] + {{- else }} + drop: ["NET_RAW"] + {{- end }} + add: ["NET_BIND_SERVICE"] + {{- end }} # AIO-config - do not change this comment! EOL # shellcheck disable=SC1083 -find ./ \( -not -name '*nextcloud-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^.*securityContext:$/r /tmp/security.conf" \{} \; +find ./ -name '*nextcloud-deployment.yaml*' -exec sed -i "/nextcloud\/aio-nextcloud:.*/r /tmp/security.conf" \{} \; chmod 777 -R ./ 
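Review bot: The first /tmp/security.conf heredoc adds `add: ["NET_BIND_SERVICE"]` to every deployment except collabora, imaginary and onlyoffice, which covers database (5432), redis (6379), clamav (3310), notify-push (7867), whiteboard (3002), talk-recording (1234) and the mkdir init containers, none of which bind a port below 1024. The restricted profile permits that one capability, but least privilege says grant it only where it is needed; the second heredoc (without `add:`) already exists for imaginary, so widening that find to the non-binding deployments and limiting the first find to the apache template (and talk, if TALK_PORT can be privileged) achieves it with no new snippet. Note also that for a non-root `runAsUser` the added capability typically lands only in the bounding set unless the binary carries file capabilities, so where it is unused it is pure noise — confirm against the apache image before relying on it.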
diff --git a/php/containers.json b/php/containers.json index bf5ae3e931a..17f60b2d7fd 100644 --- a/php/containers.json +++ b/php/containers.json @@ -332,7 +332,6 @@ "documentation": "https://github.com/nextcloud/all-in-one/discussions/1358", "display_name": "Collabora", "image": "nextcloud/aio-collabora", - "user": "100", "init": true, "expose": [ "9980" From 069b414d81e92c8f6f488447875c6915f1db8a2c Mon Sep 17 00:00:00 2001 From: "Simon L." Date: Thu, 21 Nov 2024 22:58:47 +0100 Subject: [PATCH 2/3] adjust SYS_ADMIN to CAP_SYS_ADMIN Signed-off-by: Simon L. --- .../templates/nextcloud-aio-collabora-deployment.yaml | 2 +- nextcloud-aio-helm-chart/update-helm.sh | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml index c74355cd983..749248d45e1 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml @@ -45,5 +45,5 @@ spec: capabilities: add: - MKNOD - - SYS_ADMIN + - CAP_SYS_ADMIN {{- end }} diff --git a/nextcloud-aio-helm-chart/update-helm.sh b/nextcloud-aio-helm-chart/update-helm.sh index 07ed989c90b..1b8f61b4624 100755 --- a/nextcloud-aio-helm-chart/update-helm.sh +++ b/nextcloud-aio-helm-chart/update-helm.sh @@ -54,6 +54,8 @@ yq -i 'del(.services.[].tmpfs)' latest.yml yq -i 'del(.services.[].cap_drop)' latest.yml # Remove SYS_NICE for imaginary as it is not supported with RPSS sed -i "s|- SYS_NICE$|- NET_BIND_SERVICE|" latest.yml +# cap SYS_ADMIN is called CAP_SYS_ADMIN in k8s +sed -i "s|- SYS_ADMIN$|- CAP_SYS_ADMIN|" latest.yml cat latest.yml kompose convert -c -f latest.yml --namespace nextcloud-aio-namespace From e800ed48f9dd9409413589d08c77346f37c286b7 Mon Sep 17 00:00:00 2001 
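Review bot: `CAP_SYS_ADMIN` in the collabora capabilities list mixes the prefixed spelling with the unprefixed `MKNOD` one line above, and the Kubernetes API documents capability names without the `CAP_` prefix; whether the prefixed form is accepted depends on how the container runtime normalizes names, so the comment `# cap SYS_ADMIN is called CAP_SYS_ADMIN in k8s` added to update-helm.sh is at best runtime-specific. If a particular runtime rejected `SYS_ADMIN`, name it in that comment; otherwise keep both entries in the unprefixed form and drop the extra sed.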
From: "Simon L." Date: Mon, 25 Nov 2024 09:39:31 +0100 Subject: [PATCH 3/3] remove delete-lost-found initcontainer Signed-off-by: Simon L. --- .../nextcloud-aio-nextcloud-deployment.yaml | 25 +------------------ nextcloud-aio-helm-chart/update-helm.sh | 14 +---------- 2 files changed, 2 insertions(+), 37 deletions(-) diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml index 6dcf9520ddc..5440676bed5 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml @@ -37,31 +37,8 @@ spec: type: RuntimeDefault {{- end }} {{- end }} # AIO-config - do not change this comment! - initContainers: - - name: "delete-lost-found" - image: "alpine:3.20" - command: - - rm - - "-rf" - - "/nextcloud-aio-nextcloud/lost+found" - volumeMounts: - - name: nextcloud-aio-nextcloud-trusted-cacerts - mountPath: /nextcloud-aio-nextcloud-trusted-cacerts - - name: nextcloud-aio-nextcloud - mountPath: /nextcloud-aio-nextcloud - {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment! - securityContext: - # The items below only work in container context - allowPrivilegeEscalation: false - capabilities: - {{- if eq .Values.RPSS_ENABLED "yes" }} - drop: ["ALL"] - {{- else }} - drop: ["NET_RAW"] - {{- end }} - add: ["NET_BIND_SERVICE"] - {{- end }} # AIO-config - do not change this comment! # AIO settings start # Do not remove or change this line! + initContainers: - name: init-volumes image: "alpine:3.20" command: diff --git a/nextcloud-aio-helm-chart/update-helm.sh b/nextcloud-aio-helm-chart/update-helm.sh index 1b8f61b4624..00c004a5532 100755 --- a/nextcloud-aio-helm-chart/update-helm.sh +++ b/nextcloud-aio-helm-chart/update-helm.sh 
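Review bot: With delete-lost-found gone, the only init container left in the nextcloud template is `init-volumes`, which runs `chmod 777` on the mounted volumes and now sits inside the `# AIO settings` block together with the moved `initContainers:` key. When RPSS_ENABLED is "yes" that container inherits the pod-level `runAsUser: 33`, and chmod on a root-owned volume root needs ownership or CAP_FOWNER, so it would fail unless the AIO settings block is stripped for that mode by tooling outside this patch — confirm. A comment on `- name: init-volumes` saying which mode it serves would make that explicit.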
@@ -102,18 +102,8 @@ cat << EOL > /tmp/initcontainers.clamav securityContext: EOL cat << EOL > /tmp/initcontainers.nextcloud - initContainers: - - name: "delete-lost-found" - image: "alpine:3.20" - command: - - rm - - "-rf" - - "/nextcloud-aio-nextcloud/lost+found" - volumeMountsInitRmLostFound: - {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment! - securityContext: - {{- end }} # AIO-config - do not change this comment! # AIO settings start # Do not remove or change this line! + initContainers: - name: init-volumes image: "alpine:3.20" command: @@ -144,7 +134,6 @@ for variable in "${DEPLOYMENTS[@]}"; do if [ "$volumeName" != "nextcloud-aio-nextcloud-data" ]; then sed -i "/^.*volumeMountsInitContainer:/i\ \ \ \ \ \ \ \ \ \ \ \ - /$volumeName" "$variable" sed -i "/volumeMountsInitContainer:/a\ \ \ \ \ \ \ \ \ \ \ \ - name: $volumeName\n\ \ \ \ \ \ \ \ \ \ \ \ \ \ mountPath: /$volumeName" "$variable" - sed -i "/volumeMountsInitRmLostFound:/a\ \ \ \ \ \ \ \ \ \ \ \ - name: $volumeName\n\ \ \ \ \ \ \ \ \ \ \ \ \ \ mountPath: /$volumeName" "$variable" # Workaround for the database volume if [ "$volumeName" = nextcloud-aio-database ]; then sed -i "/mountPath: \/var\/lib\/postgresql\/data/a\ \ \ \ \ \ \ \ \ \ \ \ \ \ subPath: data" "$variable" @@ -155,7 +144,6 @@ for variable in "${DEPLOYMENTS[@]}"; do fi done sed -i "s|volumeMountsInitContainer:|volumeMounts:|" "$variable" - sed -i "s|volumeMountsInitRmLostFound:|volumeMounts:|" "$variable" if grep -q claimName "$variable"; then claimNames="$(grep claimName "$variable")" mapfile -t claimNames <<< "$claimNames"