mirror of
https://github.com/nextcloud/all-in-one.git
synced 2026-05-29 15:00:09 +00:00
Merge pull request #5520 from nextcloud/enh/noid/user-value
helm: add additional security settings
This commit is contained in:
Simon L.
@@ -72,6 +72,8 @@ spec:
|
||||
- containerPort: {{ .Values.APACHE_PORT }}
|
||||
protocol: UDP
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
drop:
|
||||
- NET_RAW
|
||||
|
||||
@@ -59,6 +59,8 @@ spec:
|
||||
- containerPort: 3310
|
||||
protocol: TCP
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
drop:
|
||||
- NET_RAW
|
||||
|
||||
@@ -42,6 +42,8 @@ spec:
|
||||
- containerPort: 9980
|
||||
protocol: TCP
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
add:
|
||||
- MKNOD
|
||||
|
||||
@@ -68,6 +68,8 @@ spec:
|
||||
- containerPort: 5432
|
||||
protocol: TCP
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
drop:
|
||||
- NET_RAW
|
||||
|
||||
@@ -62,6 +62,8 @@ spec:
|
||||
- containerPort: 9200
|
||||
protocol: TCP
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
drop:
|
||||
- NET_RAW
|
||||
|
||||
@@ -34,6 +34,8 @@ spec:
|
||||
- containerPort: 9000
|
||||
protocol: TCP
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
add:
|
||||
- SYS_NICE
|
||||
|
||||
@@ -59,6 +59,8 @@ spec:
|
||||
- containerPort: 7867
|
||||
protocol: TCP
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
drop:
|
||||
- NET_RAW
|
||||
|
||||
@@ -45,6 +45,8 @@ spec:
|
||||
- containerPort: 6379
|
||||
protocol: TCP
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
drop:
|
||||
- NET_RAW
|
||||
|
||||
@@ -52,6 +52,8 @@ spec:
|
||||
- containerPort: 8081
|
||||
protocol: TCP
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
drop:
|
||||
- NET_RAW
|
||||
|
||||
@@ -38,6 +38,8 @@ spec:
|
||||
- containerPort: 1234
|
||||
protocol: TCP
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
drop:
|
||||
- NET_RAW
|
||||
|
||||
@@ -42,6 +42,8 @@ spec:
|
||||
- containerPort: 3002
|
||||
protocol: TCP
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
drop:
|
||||
- NET_RAW
|
||||
|
||||
@@ -423,6 +423,13 @@ find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec se
|
||||
# shellcheck disable=SC1083
|
||||
find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec sed -i "$ a {{- end }}" \{} \;
|
||||
|
||||
cat << EOL >> /tmp/security.conf
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
EOL
|
||||
# shellcheck disable=SC1083
|
||||
find ./ \( -not -name '*nextcloud-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^.*securityContext:$/r /tmp/security.conf" \{} \;
|
||||
|
||||
chmod 777 -R ./
|
||||
|
||||
# Seems like the dir needs to match the name of the chart
|
||||
|
||||
Reference in New Issue
Block a user