fix(mok): Add missing FOWNER capability to setup chroot directories

742e3587 · Sheogorath · 45b359c7 · 742e3587 · 742e3587 · 742e3587
Verified Commit 742e3587 authored 2 years ago by Sheogorath
--- a/charts/mok/README.md
+++ b/charts/mok/README.md
@@ -39,6 +39,7 @@ Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that run
 | dovecot.securityContext.capabilities.add[2] | string | `"CAP_NET_BIND_SERVICE"` | required to bind privileged ports in the container, such as 993, 143, 24, etc. |
 | dovecot.securityContext.capabilities.add[3] | string | `"SETUID"` | required to drop privileges with dovecot process |
 | dovecot.securityContext.capabilities.add[4] | string | `"SETGID"` | required to drop privileges with dovecot process |
+| dovecot.securityContext.capabilities.add[5] | string | `"FOWNER"` | required to create spool directories |
 | dovecot.securityContext.capabilities.drop[0] | string | `"ALL"` | required to drop privileges by default |
 | dovecot.securityContext.runAsNonRoot | bool | `false` |  |
 | dovecot.service.internal.type | string | `"ClusterIP"` | type of the public endpoint for lmtp, metrics, authentication |

--- a/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap
+++ b/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap
@@ -122,6 +122,7 @@ should match snapshot:
                - CAP_NET_BIND_SERVICE
                - SETUID
                - SETGID
+                - FOWNER
                drop:
                - ALL
              runAsNonRoot: false

--- a/charts/mok/values.yaml
+++ b/charts/mok/values.yaml
@@ -136,6 +136,8 @@ dovecot:
        - SETUID
        # -- required to drop privileges with dovecot process
        - SETGID
+        # -- required to create spool directories
+        - FOWNER
      drop:
        # -- required to drop privileges by default
        - ALL