Merge pull request #5831 from nextcloud/enh/noid/remove-nbs-if-not-need

helm: remove NET_BIND_SERVICE if not needed

Author: szaimen

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml

@@ -53,7 +53,6 @@ spec:
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
-              add: ["NET_BIND_SERVICE"]
       containers:
         - env:
             - name: CLAMD_STARTUP_TIMEOUT
@@ -92,7 +91,6 @@ spec:
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
-              add: ["NET_BIND_SERVICE"]
           volumeMounts:
             - mountPath: /var/lib/clamav
               subPath: data

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml

@@ -52,7 +52,6 @@ spec:
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
-              add: ["NET_BIND_SERVICE"]
       containers:
         - env:
             - name: PGTZ
@@ -93,7 +92,6 @@ spec:
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
-              add: ["NET_BIND_SERVICE"]
           volumeMounts:
             - mountPath: /var/lib/postgresql/data
               subPath: data

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml

@@ -66,6 +66,4 @@ spec:
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
-              add:
-                - NET_BIND_SERVICE
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml

@@ -191,7 +191,6 @@ spec:
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
-              add: ["NET_BIND_SERVICE"]
           {{- end }} # AIO-config - do not change this comment!
           readinessProbe:
             exec:

nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml

@@ -81,7 +81,6 @@ spec:
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
-              add: ["NET_BIND_SERVICE"]
           volumeMounts:
             - mountPath: /nextcloud
               name: nextcloud-aio-nextcloud

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml

@@ -67,7 +67,6 @@ spec:
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
-              add: ["NET_BIND_SERVICE"]
           volumeMounts:
             - mountPath: /data
               name: nextcloud-aio-redis

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml

@@ -84,5 +84,4 @@ spec:
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
-              add: ["NET_BIND_SERVICE"]
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml

@@ -72,7 +72,6 @@ spec:
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
-              add: ["NET_BIND_SERVICE"]
           volumeMounts:
             - mountPath: /tmp
               name: nextcloud-aio-talk-recording

nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml

@@ -74,5 +74,4 @@ spec:
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
-              add: ["NET_BIND_SERVICE"]
 {{- end }}

nextcloud-aio-helm-chart/update-helm.sh

@@ -55,7 +55,7 @@ yq -i 'del(.services.[].tmpfs)' latest.yml
 # Remove cap_drop in order to add it later again easier
 yq -i 'del(.services.[].cap_drop)' latest.yml
 # Remove SYS_NICE for imaginary as it is not supported with RPSS
-sed -i "s|- SYS_NICE$|- NET_BIND_SERVICE|" latest.yml
+yq -i 'del(.services."nextcloud-aio-imaginary".cap_add)' latest.yml
 # cap SYS_ADMIN is called CAP_SYS_ADMIN in k8s
 sed -i "s|- SYS_ADMIN$|- CAP_SYS_ADMIN|" latest.yml
 
@@ -461,10 +461,9 @@ cat << EOL > /tmp/security.conf
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
-              add: ["NET_BIND_SERVICE"]
 EOL
 # shellcheck disable=SC1083
-find ./ \( -not -name '*collabora-deployment.yaml*' -not -name '*imaginary-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^          securityContext:$/r /tmp/security.conf" \{} \; 
+find ./ \( -not -name '*collabora-deployment.yaml*' -not -name '*apache-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^          securityContext:$/r /tmp/security.conf" \{} \; 
 
 cat << EOL > /tmp/security.conf
             # The items below only work in container context
@@ -475,9 +474,11 @@ cat << EOL > /tmp/security.conf
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
+              add: ["NET_BIND_SERVICE"]
 EOL
+
 # shellcheck disable=SC1083
-find ./ -name '*imaginary-deployment.yaml*' -exec sed -i "/^          securityContext:$/r /tmp/security.conf" \{} \; 
+find ./ -name '*apache-deployment.yaml*' -exec sed -i "/^          securityContext:$/r /tmp/security.conf" \{} \; 
 
 cat << EOL > /tmp/security.conf
           {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
@@ -490,7 +491,6 @@ cat << EOL > /tmp/security.conf
               {{- else }}
               drop: ["NET_RAW"]
               {{- end }}
-              add: ["NET_BIND_SERVICE"]
           {{- end }} # AIO-config - do not change this comment!
 EOL
 # shellcheck disable=SC1083