modify chart to not set fsGroup at all, but set a default securityCon…

…text for nextcloud container with docs Signed-off-by: Jesse Hitch <[email protected]>
nextcloud · Apr 23, 2023 · 7a8e97b · 7a8e97b
1 parent d670134
commit 7a8e97b
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 15 deletions.
diff --git a/charts/nextcloud/Chart.yaml b/charts/nextcloud/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: nextcloud
-version: 3.5.10
+version: 3.6.0
 appVersion: 26.0.1
 description: A file sharing server that puts the control and security of your own data back into your hands.
 keywords:

diff --git a/charts/nextcloud/README.md b/charts/nextcloud/README.md
@@ -106,7 +106,10 @@ The following table lists the configurable parameters of the nextcloud chart and
 | `nextcloud.extraInitContainers`                                      | specify additional init containers                                                     | `[]`                                         |
 | `nextcloud.extraVolumes`                                             | specify additional volumes for the NextCloud pod                                       | `{}`                                         |
 | `nextcloud.extraVolumeMounts`                                        | specify additional volume mounts for the NextCloud pod                                 | `{}`                                         |
-| `nextcloud.securityContext`                                          | Optional security context for the NextCloud container                                  | `nil`                                        |
+| `nextcloud.securityContext`                                          | Optional security context for the NextCloud container                                  | `{}` populated with below 3 options          |
+| `nextcloud.securityContext.runAsUser`                                | Optional security context for the NextCloud container to run as UID                    | `33`                                         |
+| `nextcloud.securityContext.runAsGroup`                               | Optional security context for the NextCloud container to run as GID                    | `33`                                         |
+| `nextcloud.securityContext.runAsNonRoot`                             | Optional security context for the NextCloud container to not run as root               | `true`                                       |
 | `nextcloud.podSecurityContext`                                       | Optional security context for the NextCloud pod (applies to all containers in the pod) | `nil`                                        |
 | `nginx.enabled`                                                      | Enable nginx (requires you use php-fpm image)                                          | `false`                                      |
 | `nginx.image.repository`                                             | nginx Image name                                                                       | `nginx`                                      |
@@ -411,3 +414,16 @@ persistence:
   enabled: true
   accessMode: ReadWriteMany
 ```
+
+## Security Contexts
+
+These are all the [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#securitycontext-v1-core) objects you can configure for this helm chart:
+
+| config option                            | Description                                                                            |
+|:----------------------------------------:|:---------------------------------------------------------------------------------------|
+| `nextcloud.securityContext`              | Optional security context for the NextCloud container                                  |
+| `nginx.securityContext.runAsUser`        | Optional security context for the nginx container                                      |
+| `cronjob.securityContext.runAsNonRoot`   | Optional security context for cronjob                                                  |
+| `nextcloud.podSecurityContext`           | Optional security context for the NextCloud pod (applies to all containers in the pod) |
+
+By default, only the `nextcloud.securityContext.runAsUser` and `nextcloud.securityContext.runAsGroup` for the nextcloud container are set, and the UID defaults to `33`, which is the UID of the `www-data` user. If you're using a nextcloud image with Alpine as the base, set this to `82`, the `www-data` user on alpine.
diff --git a/charts/nextcloud/templates/deployment.yaml b/charts/nextcloud/templates/deployment.yaml
@@ -335,13 +335,6 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
       {{- else }}
-        {{- if .Values.nginx.enabled }}
-        # Will mount configuration files as www-data (id: 82) for nextcloud
-        fsGroup: 82
-        {{- else }}
-        # Will mount configuration files as www-data (id: 33) for nextcloud
-        fsGroup: 33
-        {{- end }}
         {{- if .Values.securityContext }}
           {{- with .Values.securityContext }}
             {{- toYaml . | nindent 8 }}

diff --git a/charts/nextcloud/values.yaml b/charts/nextcloud/values.yaml
@@ -192,12 +192,13 @@ nextcloud:
   #    mountPath: "/legacy_data"
 
   # Set securityContext parameters for the nextcloud CONTAINER only (will not affect nginx container).
-  # For example, you may need to define runAsNonRoot directive
-  securityContext: {}
-  #   runAsUser: 33
-  #   runAsGroup: 33
-  #   runAsNonRoot: true
-  #   readOnlyRootFilesystem: false
+  securityContext:
+    # if using a nextcloud image with alpine as the base image, change to 33 to 82
+    runAsUser: 33
+    runAsGroup: 33
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    # readOnlyRootFilesystem: false
 
   # Set securityContext parameters for the entire pod. For example, you may need to define runAsNonRoot directive
   podSecurityContext: {}