From ca4386bef9297758f86e27eb47b61867c9f0f2e1 Mon Sep 17 00:00:00 2001
From: "Simon L."
Date: Mon, 6 Jan 2025 14:00:35 +0100
Subject: [PATCH] helm: remove NET_BIND_SERVICE if not needed
Signed-off-by: Simon L.
---
.../templates/nextcloud-aio-clamav-deployment.yaml | 2 --
.../templates/nextcloud-aio-database-deployment.yaml | 2 --
.../templates/nextcloud-aio-imaginary-deployment.yaml | 2 --
.../templates/nextcloud-aio-nextcloud-deployment.yaml | 1 -
.../nextcloud-aio-notify-push-deployment.yaml | 1 -
.../templates/nextcloud-aio-redis-deployment.yaml | 1 -
.../templates/nextcloud-aio-talk-deployment.yaml | 1 -
.../nextcloud-aio-talk-recording-deployment.yaml | 1 -
.../templates/nextcloud-aio-whiteboard-deployment.yaml | 1 -
nextcloud-aio-helm-chart/update-helm.sh | 10 +++++-----
10 files changed, 5 insertions(+), 17 deletions(-)
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
index 33d6c6df8a0..0f42d2efbc0 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
@@ -53,7 +53,6 @@ spec:
{{- else }}
drop: ["NET_RAW"]
{{- end }}
- add: ["NET_BIND_SERVICE"]
containers:
- env:
- name: CLAMD_STARTUP_TIMEOUT
@@ -92,7 +91,6 @@ spec:
{{- else }}
drop: ["NET_RAW"]
{{- end }}
- add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /var/lib/clamav
subPath: data
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
index cdb6cb3c9f4..eb3e94d34d8 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
@@ -52,7 +52,6 @@ spec:
{{- else }}
drop: ["NET_RAW"]
{{- end }}
- add: ["NET_BIND_SERVICE"]
containers:
- env:
- name: PGTZ
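Review bot: Dropping `add: ["NET_BIND_SERVICE"]` from the clamav capabilities block means the container can no longer bind a port below 1024, and that failure only shows up when the process starts, not at `helm template` or lint time. The ports each image listens on are not on this page, so presumably they are all unprivileged; that should be confirmed for clamav and for the identical removal in the second hunk of this file and in the database, imaginary, nextcloud, notify-push, redis, talk, talk-recording and whiteboard templates. These blocks are injected by update-helm.sh from /tmp/security.conf into every `*deployment.yaml`, so the hand-edited templates only stay correct while they match what the script now writes, which holds for the hunks shown; the next run of the script is the real check. The remaining `drop: ["NET_RAW"]` is unchanged, so the else branch still only removes raw-socket access.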
@@ -93,7 +92,6 @@ spec:
{{- else }}
drop: ["NET_RAW"]
{{- end }}
- add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /var/lib/postgresql/data
subPath: data
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
index 6b8af9ce922..2a0f4476c4a 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
@@ -66,6 +66,4 @@ spec:
{{- else }}
drop: ["NET_RAW"]
{{- end }}
- add:
- - NET_BIND_SERVICE
{{- end }}
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml
index 2ee12d00c4f..87376bd938b 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml
@@ -191,7 +191,6 @@ spec:
{{- else }}
drop: ["NET_RAW"]
{{- end }}
- add: ["NET_BIND_SERVICE"]
{{- end }} # AIO-config - do not change this comment!
readinessProbe:
exec:
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml
index e8ad0dc8f97..40cd1159769 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml
@@ -81,7 +81,6 @@ spec:
{{- else }}
drop: ["NET_RAW"]
{{- end }}
- add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /nextcloud
name: nextcloud-aio-nextcloud
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml
index 005419b0374..da3cd58d9a7 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml
@@ -67,7 +67,6 @@ spec:
{{- else }}
drop: ["NET_RAW"]
{{- end }}
- add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /data
name: nextcloud-aio-redis
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml
index 647f7964079..5d814cfc2fd 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml
@@ -84,5 +84,4 @@ spec:
{{- else }}
drop: ["NET_RAW"]
{{- end }}
- add: ["NET_BIND_SERVICE"]
{{- end }}
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml
index 7d1b278708f..df51d5ea9f3 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml
@@ -72,7 +72,6 @@ spec:
{{- else }}
drop: ["NET_RAW"]
{{- end }}
- add: ["NET_BIND_SERVICE"]
volumeMounts:
- mountPath: /tmp
name: nextcloud-aio-talk-recording
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml
index 0c5cf295416..b09936662ac 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml
@@ -74,5 +74,4 @@ spec:
{{- else }}
drop: ["NET_RAW"]
{{- end }}
- add: ["NET_BIND_SERVICE"]
{{- end }}
diff --git a/nextcloud-aio-helm-chart/update-helm.sh b/nextcloud-aio-helm-chart/update-helm.sh
index 7e1364b2ebc..3a8fff29edc 100755
--- a/nextcloud-aio-helm-chart/update-helm.sh
+++ b/nextcloud-aio-helm-chart/update-helm.sh
@@ -55,7 +55,7 @@ yq -i 'del(.services.[].tmpfs)' latest.yml
# Remove cap_drop in order to add it later again easier
yq -i 'del(.services.[].cap_drop)' latest.yml
# Remove SYS_NICE for imaginary as it is not supported with RPSS
-sed -i "s|- SYS_NICE$|- NET_BIND_SERVICE|" latest.yml
+yq -i 'del(.services."nextcloud-aio-imaginary".cap_add)' latest.yml
# cap SYS_ADMIN is called CAP_SYS_ADMIN in k8s
sed -i "s|- SYS_ADMIN$|- CAP_SYS_ADMIN|" latest.yml
@@ -461,10 +461,9 @@ cat << EOL > /tmp/security.conf
{{- else }}
drop: ["NET_RAW"]
{{- end }}
- add: ["NET_BIND_SERVICE"]
EOL
# shellcheck disable=SC1083
-find ./ \( -not -name '*collabora-deployment.yaml*' -not -name '*imaginary-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^ securityContext:$/r /tmp/security.conf" \{} \;
+find ./ \( -not -name '*collabora-deployment.yaml*' -not -name '*apache-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^ securityContext:$/r /tmp/security.conf" \{} \;
cat << EOL > /tmp/security.conf
# The items below only work in container context
@@ -475,9 +474,11 @@ cat << EOL > /tmp/security.conf
{{- else }}
drop: ["NET_RAW"]
{{- end }}
+ add: ["NET_BIND_SERVICE"]
EOL
+
# shellcheck disable=SC1083
-find ./ -name '*imaginary-deployment.yaml*' -exec sed -i "/^ securityContext:$/r /tmp/security.conf" \{} \;
+find ./ -name '*apache-deployment.yaml*' -exec sed -i "/^ securityContext:$/r /tmp/security.conf" \{} \;
cat << EOL > /tmp/security.conf
{{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
@@ -490,7 +491,6 @@ cat << EOL > /tmp/security.conf
{{- else }}
drop: ["NET_RAW"]
{{- end }}
- add: ["NET_BIND_SERVICE"]
{{- end }} # AIO-config - do not change this comment!
EOL
# shellcheck disable=SC1083
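Review bot: The comment above the new `yq` line still says SYS_NICE is removed for imaginary, but `del(.services."nextcloud-aio-imaginary".cap_add)` now deletes the whole `cap_add` list, so any capability the compose file grants imaginary in future will silently never reach the chart. If removing everything is intended, say so in the comment, e.g. `# Remove all cap_add entries for imaginary: SYS_NICE is not supported with RPSS and NET_BIND_SERVICE is not needed`; if only SYS_NICE should go, a targeted delete such as `yq -i 'del(.services."nextcloud-aio-imaginary".cap_add[] | select(. == "SYS_NICE"))' latest.yml` keeps the compose file as the source of truth. The removed `sed` also rewrote SYS_NICE for every service, not just imaginary, so it is worth checking that no other service in latest.yml carries SYS_NICE, since that entry would now reach the templates unchanged and, going by the comment, is not allowed under RPSS.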
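Review bot: The heredoc that the third hunk now applies to `*apache-deployment.yaml*` was previously the imaginary-specific one, and only its tail is visible here; its head, beginning at the `# The items below only work in container context` line shown as trailing context of this hunk, should be re-read with apache in mind, since apache is now the only container that keeps NET_BIND_SERVICE and apparently the only one that needs a privileged port. As far as the visible tails show, the generic heredoc and the apache one differ only in the `add:` line, so the duplicated text is a drift risk; a comment next to that line such as `# apache is the only container that binds a port below 1024, so it alone keeps NET_BIND_SERVICE` would record why the split exists. The exclusion list in the `find` is a denylist, which works in the safe direction: a new deployment template receives the capability-free block unless it is named explicitly.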