diff --git a/charts/nextcloud/README.md b/charts/nextcloud/README.md index a117aea0..a974b526 100644 --- a/charts/nextcloud/README.md +++ b/charts/nextcloud/README.md @@ -106,12 +106,13 @@ The following table lists the configurable parameters of the nextcloud chart and | `nextcloud.extraInitContainers` | specify additional init containers | `[]` | | `nextcloud.extraVolumes` | specify additional volumes for the NextCloud pod | `{}` | | `nextcloud.extraVolumeMounts` | specify additional volume mounts for the NextCloud pod | `{}` | -| `nextcloud.securityContext` | Optional security context for the NextCloud container | `{}` populated with below 3 options | +| `nextcloud.securityContext` | Optional security context for the NextCloud container | `{}` populated with below 4 options | | `nextcloud.securityContext.runAsUser` | Optional security context for the NextCloud container to run as UID | `33` | | `nextcloud.securityContext.runAsGroup` | Optional security context for the NextCloud container to run as GID | `33` | | `nextcloud.securityContext.runAsNonRoot` | Optional security context for the NextCloud container to not run as root | `true` | | `nextcloud.securityContext.allowPrivilegeEscalation` | Optional security context for the NextCloud container to limit Privilege Escalation | `false` | -| `nextcloud.podSecurityContext` | Optional security context for the NextCloud pod (applies to all containers in the pod) | `nil` | +| `nextcloud.podSecurityContext` | Optional security context for the NextCloud pod (applies to all containers in the pod) | `{fsgroup: 33}` | +| `nextcloud.podSecurityContext.fsGroup` | special supplemental group that applies to all containers in the NextCloud pod | `33` | | `nginx.enabled` | Enable nginx (requires you use php-fpm image) | `false` | | `nginx.image.repository` | nginx Image name | `nginx` | | `nginx.image.tag` | nginx Image tag | `alpine` | 
@@ -427,4 +428,6 @@ These are all the [securityContext](https://kubernetes.io/docs/reference/generat | `cronjob.securityContext.runAsNonRoot` | Optional security context for cronjob | | `nextcloud.podSecurityContext` | Optional security context for the NextCloud pod (applies to all containers in the pod) | -By default, only the `nextcloud.securityContext.runAsUser` and `nextcloud.securityContext.runAsGroup` for the nextcloud container are set, and the UID defaults to `33`, which is the UID of the `www-data` user. If you're using a nextcloud image with Alpine as the base, set this to `82`, the `www-data` user on alpine. +For the container, by default, only the `nextcloud.securityContext.runAsUser` and `nextcloud.securityContext.runAsGroup` for the nextcloud container are set, and the UID defaults to `33`, which is the UID of the `www-data` user. If you're using a nextcloud image with Alpine as the base, set this to `82`, the `www-data` user on alpine. + +For the pod, `nextcloud.podSecurityContext.fsGroup` is set to `33` by default. You should set this to `82` if you're using an alpine image. See more about how this special option works [here](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#podsecuritycontext-v1-core). diff --git a/charts/nextcloud/values.yaml b/charts/nextcloud/values.yaml index 4d986974..e3d32b2a 100644 --- a/charts/nextcloud/values.yaml +++ b/charts/nextcloud/values.yaml 
@@ -200,14 +200,14 @@ nextcloud: allowPrivilegeEscalation: false # readOnlyRootFilesystem: false - # Set securityContext parameters for all containers in the nextcloud pod. - # For example, you may need to define fsGroup to change the default permissions for volumes - podSecurityContext: {} - # fsGroup: 33 - # runAsUser: 33 - # runAsGroup: 33 - # runAsNonRoot: true - # readOnlyRootFilesystem: false + # Set securityContext parameters for all containers in the nextcloud pod, defaults to fsGroup `33` + # For example, you may need to define fsGroup to be `82` if you're using alpine and you want to change the default permissions for volumes + podSecurityContext: + fsGroup: 33 + # runAsUser: 33 + # runAsGroup: 33 + # runAsNonRoot: true + # readOnlyRootFilesystem: false nginx: ## You need to set an fpm version of the image for nextcloud if you want to use nginx!
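Review bot: in the README parameter table hunk, the new default for `nextcloud.podSecurityContext` is written as `{fsgroup: 33}`, but the Kubernetes PodSecurityContext field (and the key set in values.yaml in this same patch) is `fsGroup`; a user who copies the lowercase spelling into their values gets a key the API server rejects or ignores, so it should read `{fsGroup: 33}`. The new `nextcloud.podSecurityContext.fsGroup` row is otherwise consistent with the values.yaml change.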
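Review bot: in the README prose hunk, the rewritten sentence "For the container, by default, only the ... for the nextcloud container are set" repeats itself and, more importantly, the claim that only `runAsUser` and `runAsGroup` are set no longer matches the parameter table in this same file, which documents `runAsNonRoot: true` and `allowPrivilegeEscalation: false` as container defaults (and values.yaml shows `allowPrivilegeEscalation: false` in the unchanged context). Suggest: "By default the nextcloud container runs with `runAsUser`/`runAsGroup` `33` (the `www-data` UID/GID), `runAsNonRoot: true` and `allowPrivilegeEscalation: false`." For the new pod paragraph it would help operators to say why the Alpine value matters: `fsGroup` sets the group ownership of mounted volumes, so a GID that does not match the container's `www-data` group leaves the application unable to write its data directory.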
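Review bot: the values.yaml hunk changes `podSecurityContext` from `{}` to `fsGroup: 33`, which is a behaviour change for every existing release on upgrade, not just new installs: with `fsGroup` set, the kubelet changes group ownership of the volume contents at mount time, which on a large existing data volume can add significant pod start delay and, for deployments that already run an Alpine image with GID `82`, silently flips ownership to a group the process is not in. Chart.yaml is not part of this diff, so the chart version bump and a changelog or upgrade note for this default should be added alongside it; it would also be worth adding `# fsGroupChangePolicy: "OnRootMismatch"` to the commented options so operators can limit the recursive chown to the first mount.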