Kubernetes Security Context

Container Security Context

The containerSecurityContext value is the most important security-related section. It corresponds to the securityContext field of the container in the rendered manifest, which has the highest precedence (a field set here overrides the same field in the Pod-level securityContext), and it restricts the container to its minimal privileges.

allowPrivilegeEscalation

Privilege escalation (for example via set-user-ID or set-group-ID file mode bits, or file capabilities) must not be allowed (Linux only) at any time. Setting the field to false sets the no_new_privs flag on the container process, so no child process can gain more privileges than its parent. Kubernetes always treats the field as true when the container is privileged or has CAP_SYS_ADMIN, so it is only effective together with the privileged and capabilities settings below.

containerSecurityContext:
  allowPrivilegeEscalation: false

capabilities

Containers must drop ALL capabilities and are only permitted to add back NET_BIND_SERVICE (Linux only). NET_BIND_SERVICE is needed solely to bind ports below 1024; where the application can listen on a high port, nothing should be added back. Images that change file ownership or switch users at start-up depend on capabilities such as CHOWN or SETUID and will fail once ALL is dropped, which is a reason to fix the image, not to add capabilities.

Optimal:

containerSecurityContext:
  capabilities:
    drop:
      - "ALL"

Allowed:

containerSecurityContext:
  capabilities:
    drop:
      - "ALL"
    add:
      - "NET_BIND_SERVICE"

privileged

Privileged containers disable most isolation mechanisms: they receive all capabilities, run without the default seccomp and AppArmor confinement, and can access host devices, so escaping to the node is trivial. They must be disallowed.

containerSecurityContext:
  privileged: false

runAsUser

Containers should set a numeric user id >= 1000 and never use 0 (root) as user. An explicit runAsUser overrides the USER instruction of the image, so the kubelet's runAsNonRoot check can be satisfied even for images that declare their user by name.

containerSecurityContext:
  runAsUser: 1000

runAsGroup

Containers should set a group id >= 1000 and never use 0 (root) as group. runAsGroup sets the primary group of the container processes; without it the primary group comes from the image, which is often root (0).

containerSecurityContext:
  runAsGroup: 1000

seccompProfile

The seccompProfile must be explicitly set to one of the allowed values, RuntimeDefault or Localhost. An Unconfined profile and the complete absence of the profile are prohibited: without the field a container runs unconfined unless the kubelet has been started with seccomp-by-default, which cannot be assumed for every cluster. RuntimeDefault uses the container runtime's default profile and is the usual choice:

containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"

or Localhost, which additionally requires localhostProfile, the path of a profile file relative to the kubelet's seccomp directory (the path below is a placeholder); the file must exist on every node the Pod can be scheduled to:

containerSecurityContext:
  seccompProfile:
    type: "Localhost"
    localhostProfile: "profiles/example.json"

readOnlyRootFilesystem

Containers should have an immutable root filesystem, so that attackers cannot modify application code or persist downloaded malicious code. Applications that need to write (temporary files, caches, sockets) get a dedicated writable volume, typically an emptyDir mounted at that path, instead of a writable root filesystem.

containerSecurityContext:
  readOnlyRootFilesystem: true

runAsNonRoot

Containers must be required to run as non-root users. With runAsNonRoot: true the kubelet refuses to start a container whose user is uid 0. If the image sets its USER by name rather than numerically and no runAsUser is given, the kubelet cannot resolve the uid and the container fails to start, so runAsUser should always be set explicitly alongside this field.

containerSecurityContext:
  runAsNonRoot: true
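All of the settings above combined in one Pod manifest, as an added example that is not taken from openDesk's charts: the Pod name, image and port are placeholders. The containerSecurityContext value used on this page appears as the securityContext field under containers in the rendered manifest; the Pod-level securityContext is set to the same values so that init containers and volume ownership (fsGroup) follow the same policy, and the writable path the application needs is an emptyDir rather than a writable root filesystem.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hardened-example            # placeholder name
spec:
  securityContext:                  # Pod level: applies to every container unless overridden
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000                   # ownership of mounted volumes that support it
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      ports:
        - containerPort: 8080       # unprivileged port, so NET_BIND_SERVICE is not needed
      securityContext:              # container level: takes precedence over the Pod level
        allowPrivilegeEscalation: false
        privileged: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop:
            - ALL                   # nothing is added back
      volumeMounts:
        - name: tmp
          mountPath: /tmp           # the only writable path despite readOnlyRootFilesystem
  volumes:
    - name: tmp
      emptyDir: {}
```

If the application really has to bind a port below 1024, `add: ["NET_BIND_SERVICE"]` under capabilities is the only permitted addition; everything else stays as shown.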

Status quo

openDesk aims to ensure that all security relevant settings are explicitly templated and comply with security recommendations.

The rendered manifests are also validated against Kyverno policies in CI to ensure that the provided values inside openDesk are properly templated by the Helm charts.
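An illustrative Kyverno ClusterPolicy that enforces the rules from this page, written for this text and not one of openDesk's own CI policies (policy and rule names are assumptions). The first rule reuses Kyverno's built-in Pod Security Standards check at the restricted level, which rejects privileged containers, allowPrivilegeEscalation other than false, a missing drop of ALL, any added capability other than NET_BIND_SERVICE, an absent or Unconfined seccompProfile, and runAsNonRoot other than true. The second rule adds what the restricted profile does not require: an explicit readOnlyRootFilesystem and a numeric, non-zero runAsUser and runAsGroup on every container. The same policy can be applied to rendered manifests offline with the Kyverno CLI in CI.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: container-security-context      # assumed name
spec:
  validationFailureAction: Enforce       # start with Audit on an existing cluster
  background: true
  rules:
    # Rule 1: Pod Security Standards, restricted level. Covers privileged,
    # allowPrivilegeEscalation, capabilities (drop ALL, add only
    # NET_BIND_SERVICE), seccompProfile and runAsNonRoot.
    - name: pod-security-restricted
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        podSecurity:
          level: restricted
          version: latest
    # Rule 2: the settings this page requires beyond the restricted profile.
    # A pattern list with a single item is matched against every container.
    - name: explicit-container-security-context
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Every container must set readOnlyRootFilesystem: true and a
          numeric, non-zero runAsUser and runAsGroup.
        pattern:
          spec:
            =(initContainers):           # optional: only checked when present
              - securityContext:
                  readOnlyRootFilesystem: true
                  runAsUser: ">0"
                  runAsGroup: ">0"
            containers:
              - securityContext:
                  readOnlyRootFilesystem: true
                  runAsUser: ">0"
                  runAsGroup: ">0"
```

The numeric checks use `">0"` rather than `">=1000"` because the status table below treats low non-root ids such as 101 as compliant; tighten the operator if the stricter recommendation is to be enforced.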

This table gives an overview of the templated security settings per container (the process column) and whether they comply with the standards above:

  • ✓ / ✗ (status): every setting of the container is templated and compliant / at least one setting is non-compliant or not explicitly templated
  • yes: Value is set to true (for seccompProfile and capabilities: templated with a compliant value)
  • no: Value is set to false; for capabilities, a list in brackets gives the capabilities templated for that container
  • n/a: Not explicitly templated in openDesk; default is used.

| process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
|---|---|---|---|---|---|---|---|---|---|
| collabora/collabora-online | ✗ | yes | no | no | yes | 1001 | 1001 | yes | no [CHOWN, FOWNER, SYS_CHROOT] |
| cryptpad/cryptpad | ✗ | no | no | no | yes | 4001 | 4001 | yes | yes |
| element/matrix-neoboard-widget | ✓ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/matrix-neochoice-widget | ✓ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/matrix-neodatefix-bot | ✓ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/matrix-neodatefix-bot-bootstrap | ✓ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/matrix-neodatefix-widget | ✓ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/opendesk-element | ✓ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/opendesk-matrix-user-verification-service | ✗ | no | no | no | yes | 1000 | 1000 | yes | yes |
| element/opendesk-matrix-user-verification-service-bootstrap | ✓ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/opendesk-synapse | ✓ | no | no | yes | yes | 10991 | 10991 | yes | yes |
| element/opendesk-synapse-web | ✓ | no | no | yes | yes | 101 | 101 | yes | yes |
| element/opendesk-well-known | ✓ | no | no | yes | yes | 101 | 101 | yes | yes |
| jitsi/jitsi | ✓ | no | no | yes | yes | 1993 | 1993 | yes | yes |
| jitsi/jitsi/jitsi/jibri | ✗ | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no [SYS_ADMIN] |
| jitsi/jitsi/jitsi/jicofo | ✗ | no | no | no | no | 0 | 0 | yes | no |
| jitsi/jitsi/jitsi/jigasi | ✗ | no | no | no | no | 0 | 0 | yes | no |
| jitsi/jitsi/jitsi/jvb | ✗ | no | no | no | no | 0 | 0 | yes | no |
| jitsi/jitsi/jitsi/prosody | ✗ | no | no | no | no | 0 | 0 | yes | no |
| jitsi/jitsi/jitsi/web | ✗ | no | no | no | no | 0 | 0 | yes | no |
| jitsi/jitsi/patchJVB | ✓ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| nextcloud/opendesk-nextcloud-management | ✗ | no | no | no | yes | 101 | 101 | yes | yes |
| nextcloud/opendesk-nextcloud-notifypush | ✓ | no | no | yes | yes | 101 | 101 | yes | yes |
| nextcloud/opendesk-nextcloud/aio | ✓ | no | no | yes | yes | 101 | 101 | yes | yes |
| nextcloud/opendesk-nextcloud/exporter | ✓ | no | no | yes | yes | 65532 | 65532 | yes | yes |
| notes/impress/backend | ✓ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| notes/impress/frontend | ✓ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| notes/impress/y-provider | ✓ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| nubus/intercom-service | ✓ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| nubus/intercom-service/provisioning | ✗ | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
| nubus/opendesk-keycloak-bootstrap | ✓ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/keycloak | ✗ | no | n/a | no | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusKeycloakBootstrap | ✗ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusKeycloakExtensions/handler | ✗ | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
| nubus/ums/nubusKeycloakExtensions/proxy | ✗ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusLdapNotifier | ✗ | no | n/a | yes | yes | 101 | 102 | yes | yes |
| nubus/ums/nubusNotificationsApi | ✗ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusPortalConsumer | ✗ | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
| nubus/ums/nubusPortalFrontend | ✗ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusPortalServer | ✗ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusProvisioning | ✗ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusProvisioning/nats | ✗ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusSelfServiceConsumer | ✗ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusStackDataUms | ✗ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusUdmListener | ✗ | no | n/a | yes | yes | 102 | 65534 | yes | yes |
| nubus/ums/nubusUdmRestApi | ✗ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusUmcGateway | ✗ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| nubus/ums/nubusUmcServer | ✗ | no | n/a | yes | yes | 999 | 999 | yes | yes |
| open-xchange/dovecot | ✗ | no | n/a | yes | n/a | n/a | n/a | yes | no [CHOWN, DAC_OVERRIDE, KILL, NET_BIND_SERVICE, SETGID, SETUID, SYS_CHROOT] |
| open-xchange/open-xchange/appsuite/core-documentconverter | ✗ | no | no | no | yes | 987 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/core-guidedtours | ✓ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/core-imageconverter | ✗ | no | no | no | yes | 987 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/core-mw/gotenberg | ✓ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| open-xchange/open-xchange/appsuite/core-ui | ✓ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/core-ui-middleware | ✓ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/core-user-guide | ✓ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/appsuite/guard-ui | ✓ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/nextcloud-integration-ui | ✗ | no | no | no | yes | 1000 | 1000 | yes | yes |
| open-xchange/open-xchange/public-sector-ui | ✓ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/opendesk-open-xchange-bootstrap | ✗ | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/ox-connector | ✓ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| open-xchange/postfix-ox | ✗ | yes | yes | yes | no | 0 | 0 | yes | no |
| opendesk-migrations-post/opendesk-migrations-post | ✓ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| opendesk-migrations-pre/opendesk-migrations-pre | ✓ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| opendesk-openproject-bootstrap/opendesk-openproject-bootstrap | ✓ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| opendesk-services/opendesk-static-files | ✓ | no | no | yes | yes | 101 | 101 | yes | yes |
| openproject/openproject | ✓ | no | no | yes | yes | 1000 | 1000 | yes | yes |
| services-external/cassandra | ✓ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| services-external/clamav | ✗ | no | no | yes | no | 0 | 0 | yes | no |
| services-external/clamav-simple | ✓ | no | no | yes | yes | 100 | 101 | yes | yes |
| services-external/clamav/clamd | ✓ | no | no | yes | yes | 100 | 101 | yes | yes |
| services-external/clamav/freshclam | ✓ | no | no | yes | yes | 100 | 101 | yes | yes |
| services-external/clamav/icap | ✓ | no | no | yes | yes | 100 | 101 | yes | yes |
| services-external/clamav/milter | ✓ | no | no | yes | yes | 100 | 101 | yes | yes |
| services-external/mariadb | ✓ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| services-external/memcached | ✓ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| services-external/minio | ✓ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| services-external/opendesk-dkimpy-milter | ✗ | yes | no | yes | yes | 1000 | 1000 | yes | no |
| services-external/postfix | ✗ | yes | yes | yes | no | 0 | 0 | yes | no |
| services-external/postgresql | ✓ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| services-external/redis/master | ✓ | no | no | yes | yes | 1001 | 1001 | yes | yes |
| xwiki/xwiki | ✗ | no | no | no | yes | 100 | 101 | yes | yes |

This file is auto-generated by openDesk CI CLI