
Commit

add better comments for podSecurityContext and fix README table to have allowPrivilegeEscalation

Signed-off-by: Jesse Hitch <[email protected]>
jessebot committed Apr 23, 2023
1 parent 7a8e97b commit 4ee5f70
Showing 3 changed files with 6 additions and 2 deletions.
1 change: 1 addition & 0 deletions charts/nextcloud/README.md
Expand Up @@ -110,6 +110,7 @@ The following table lists the configurable parameters of the nextcloud chart and
| `nextcloud.securityContext.runAsUser` | Optional security context for the NextCloud container to run as UID | `33` |
| `nextcloud.securityContext.runAsGroup` | Optional security context for the NextCloud container to run as GID | `33` |
| `nextcloud.securityContext.runAsNonRoot` | Optional security context for the NextCloud container to not run as root | `true` |
| `nextcloud.securityContext.allowPrivilegeEscalation` | Optional security context for the NextCloud container to limit Privilege Escalation | `false` |
| `nextcloud.podSecurityContext` | Optional security context for the NextCloud pod (applies to all containers in the pod) | `nil` |
| `nginx.enabled` | Enable nginx (requires you use php-fpm image) | `false` |
| `nginx.image.repository` | nginx Image name | `nginx` |
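Review bot: The description on the new `nextcloud.securityContext.allowPrivilegeEscalation` row, "to limit Privilege Escalation", does not tell the reader what `false` actually does, and its capitalisation differs from the rows above it. Suggest wording along the lines of "when `false`, processes in the NextCloud container cannot gain more privileges than their parent process". While this table is being touched: the next row documents the default of `nextcloud.podSecurityContext` as `nil`, but `values.yaml` in this same commit has `podSecurityContext: {}`, so the two should be aligned.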
1 change: 1 addition & 0 deletions charts/nextcloud/templates/deployment.yaml
Expand Up @@ -335,6 +335,7 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- else }}
# this is deprecated and will be removed in a future release - use nextcloud.podSecurityContext instead
{{- if .Values.securityContext }}
{{- with .Values.securityContext }}
{{- toYaml . | nindent 8 }}
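Review bot: The deprecation notice is written as a YAML `#` comment placed before `{{- if .Values.securityContext }}`, so it is emitted into the rendered manifest on every pass through this `else` branch, including when the deprecated value is not set at all, and a user who does set `.Values.securityContext` still gets no warning at install time. Suggest a template comment (`{{- /* ... */ -}}`) for the note to maintainers, and surfacing the deprecation where users will see it, for example in the README parameter table or in the chart's install notes. The comment also does not say which key is deprecated; naming the top-level `securityContext` explicitly would avoid confusion with `nextcloud.securityContext`, which is not deprecated.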
6 changes: 4 additions & 2 deletions charts/nextcloud/values.yaml
Expand Up @@ -193,15 +193,17 @@ nextcloud:

# Set securityContext parameters for the nextcloud CONTAINER only (will not affect nginx container).
securityContext:
# if using a nextcloud image with alpine as the base image, change to 33 to 82
# if using a nextcloud image with alpine as the base image, change 33 to 82 for both runAsUser and runAsGroup
runAsUser: 33
runAsGroup: 33
runAsNonRoot: true
allowPrivilegeEscalation: false
# readOnlyRootFilesystem: false

# Set securityContext parameters for the entire pod. For example, you may need to define runAsNonRoot directive
# Set securityContext parameters for all containers in the nextcloud pod.
# For example, you may need to define fsGroup to change the default permissions for volumes
podSecurityContext: {}
# fsGroup: 33
# runAsUser: 33
# runAsGroup: 33
# runAsNonRoot: true
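Review bot: The new comment on `podSecurityContext` says it applies to all containers in the pod, while the comment on `nextcloud.securityContext` says that block "will not affect nginx container", but nothing here explains how the two interact. Two things are worth stating in the comments: container-level values take precedence over pod-level ones for the nextcloud container, and the commented-out `runAsUser: 33` / `runAsGroup: 33` examples under `podSecurityContext` would also apply to the nginx container, where UID 33 may not be the right user (the alpine note about 82 is only given for the container block). Also note that `allowPrivilegeEscalation` is a container-level field and cannot be set through `podSecurityContext`, so the nginx container is not covered by the `allowPrivilegeEscalation: false` default shown here; a short pointer to wherever the nginx container's security context is configured would help.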
