Thank you for your good work. It takes a lot of effort to harden the security aspect of things.
I found out that Docker's SYS_ADMIN does not actually mean anything in Kubernetes. See here, and according to the docs here and specs here, all of them seem to also support this unofficial document.
And if you add CAP_SYS_ADMIN instead of SYS_ADMIN, it will block allowPrivilegeEscalation from being set to true. Also, when CAP_SYS_ADMIN is added, Collabora forks and works. Therefore, it would be great if you could include this change in the Helm charts.