Remove security context

This commit is contained in:
Micke Nordin 2023-03-29 16:47:19 +02:00
parent 761eb6362f
commit cd9db1cd36
Signed by untrusted user: Micke
GPG key ID: 0DA0A7A5708FE257
2 changed files with 1 additions and 106 deletions


@ -32,48 +32,6 @@ data:
</IfModule> </IfModule>
</Directory> </Directory>
</VirtualHost> </VirtualHost>
apache2.conf: |
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog /dev/stderr
CustomLog /dev/stdout common
TransferLog /dev/stdout
LogLevel debug
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
config.php: | config.php: |
<?php <?php
$CONFIG = array ( $CONFIG = array (
@ -179,20 +137,5 @@ data:
), ),
); );
envars: |
unset HOME
if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}"
else
SUFFIX=
fi
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
export APACHE_PID_FILE=/var/run/apache2$SUFFIX/apache2.pid
export APACHE_RUN_DIR=/var/run/apache2$SUFFIX
export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX
export APACHE_LOG_DIR=/tmp$SUFFIX
export LANG=C
export LANG
ports.conf: | ports.conf: |
Listen 8080 Listen 8080


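--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -27,13 +27,6 @@ spec:
 app: customer-node
 spec:
 restartPolicy: Always
-securityContext:
-privileged: false
-runAsNonRoot: true
-allowPrivilegeEscalation: false
-runAsUser: 33
-runAsGroup: 33
-fsGroup: 33
 containers:
 - name: customer
 image: docker.sunet.se/drive/nextcloud-custom:25.0.3.3-4
@@ -44,24 +37,9 @@ spec:
 - name: default-config
 mountPath: /etc/apache2/sites-enabled/000-default.conf
 subPath: 000-default.conf
-- name: apache2-config
-mountPath: /etc/apache2/apache2.conf
-subPath: apache2.conf
-- name: envars
-mountPath: /etc/apache2/envars
-subPath: envars
 - name: ports-config
 mountPath: /etc/apache2/ports.conf
 subPath: ports.conf
-- name: log-volume
-mountPath: /var/log/apache2
-subPath: apache2
-- name: conf-volume
-mountPath: /etc/apache2/mods-enabled
-subPath: mods-enabled
-- name: run-volume
-mountPath: /var/run/apache2
-subPath: apache2
 - name: hugepage
 mountPath: /dev/hugepages
 resources:
@@ -87,13 +65,11 @@ spec:
 - containerPort: 8080
 name: nextcloud-http
 command: ["/bin/bash"]
-args: ["-c", "cp /etc/apache2/mods-available/{access_compat.load,alias.conf,alias.load,auth_basic.load,authn_core.load,authn_file.load,authz_core.load,authz_host.load,authz_user.load,autoindex.conf,autoindex.load,deflate.conf,deflate.load,dir.conf,dir.load,env.load,filter.load,mime.conf,mime.load,mpm_prefork.conf,mpm_prefork.load,negotiation.conf,negotiation.load,php8.0.conf,php8.0.load,reqtimeout.conf,reqtimeout.load,rewrite.load,setenvif.conf,setenvif.load,socache_shmcb.load,status.conf,status.load} /etc/apache2/mods-enabled; apachectl -D FOREGROUND"]
+args: ["-c", "apachectl -D FOREGROUND"]
 #command: ["/bin/sh","-c", "apachectl -D FOREGROUND; tail -f /dev/null"]
 initContainers:
 - image: docker.sunet.se/sunet/docker-jinja:latest
 name: init-config
-securityContext:
-privileged: true
 volumeMounts:
 - name: nextcloud-config-template
 mountPath: /tmp/config.php.template
@@ -101,9 +77,6 @@ spec:
 - name: nextcloud-data
 mountPath: /var/www/html/config
 subPath: config
-- name: conf-volume
-mountPath: /etc/apache2/mods-enabled
-subPath: mods-enabled
 env:
 - name: GSS_MASTER_URL
 value: "https://drive.test.sunet.se"
@@ -205,39 +178,18 @@ spec:
 items:
 - key: "config.php"
 path: "config.php"
-- name: apache2-config
-configMap:
-name: nextcloud-configmap
-items:
-- key: "apache2.conf"
-path: "apache2.conf"
 - name: default-config
 configMap:
 name: nextcloud-configmap
 items:
 - key: "000-default.conf"
 path: "000-default.conf"
-- name: envars
-configMap:
-name: nextcloud-configmap
-items:
-- key: "envars"
-path: "envars"
 - name: ports-config
 configMap:
 name: nextcloud-configmap
 items:
 - key: "ports.conf"
 path: "ports.conf"
-- name: run-volume
-emptyDir:
-sizeLimit: 500Mi
-- name: log-volume
-emptyDir:
-sizeLimit: 500Mi
-- name: conf-volume
-emptyDir:
-sizeLimit: 500Mi
 - name: hugepage
 emptyDir:
 medium: HugePages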
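Review bot: With the pod-level securityContext gone from the first hunk (`@@ -27,13 +27,6 @@`), the nextcloud container no longer declares runAsNonRoot, a fixed uid/gid, or allowPrivilegeEscalation: false, so the apache master process will start as whatever user the image defaults to, presumably root. If the block was dropped because `privileged` and `allowPrivilegeEscalation` are container-level fields that validation flags as unknown in a pod securityContext, the smaller fix is to keep the user/group settings at pod level and move those two under `containers[].securityContext`, as sketched below. Listening on 8080 and running as www-data (uid 33) were already in place, so an unprivileged run looks feasible, though the removed writable emptyDirs for /var/run/apache2 and /var/log/apache2 suggest it needed them and they would have to come back. The enclosing `spec:` mapping starts outside the hunk.
```yaml
spec:
  restartPolicy: Always
  securityContext:
    runAsNonRoot: true
    runAsUser: 33
    runAsGroup: 33
    fsGroup: 33
  containers:
    - name: customer
      # … unchanged: image, volumeMounts, resources, ports, command, args …
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
```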