
feat(host-shield): [SMAGENT-8607] Allow for custom security context
This is the equivalent of #2062 on the host-shield side.
iurly committed Jan 14, 2025
1 parent 8d8c78e commit 0238f7c
Showing 5 changed files with 153 additions and 16 deletions.
1 change: 1 addition & 0 deletions charts/shield/README.md
Expand Up @@ -126,6 +126,7 @@ The following table lists the configurable parameters of the `shield` chart and
| features.monitor.statsd.enabled | | <code>false</code> |
| host.driver | The driver to use for the host agent (Accepted Values: kmod, legacy_ebpf, universal_ebpf) | <code>kmod</code> |
| host.additional_settings | Additional settings to be passed to the host shield (overrides the helm generated settings) | <code>{}</code> |
| host.custom_security_context | Allows overriding the Security Context of the Agent pod(s). Primarily intended resolving targeted incidents and debugging | <code>{}</code> |
| host.image.registry | The registry where the host shield images are stored | <code>quay.io</code> |
| host.image.repository | The repository where the host shield images are stored | <code>sysdig</code> |
| host.image.kmodule_name | The image name for the host shield kmodule drive | <code>agent-kmodule</code> |
21 changes: 21 additions & 0 deletions charts/shield/templates/host/_helpers.tpl
Expand Up @@ -148,3 +148,24 @@ true
- SYS_PTRACE
- SYS_RESOURCE
{{- end -}}

{{- define "host.security_context" -}}
{{- if .Values.host.custom_security_context }}
{{- toYaml .Values.host.custom_security_context -}}
{{- else if .Values.host.privileged }}
privileged: true
runAsNonRoot: false
runAsUser: 0
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
{{- else }}
allowPrivilegeEscalation: false
seccompProfile:
type: Unconfined
capabilities:
drop:
- ALL
add:
{{- include "host.capabilities" . | nindent 4 }}
{{- end }}
{{- end -}}
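Review bot: The `custom_security_context` branch of the new `host.security_context` define emits the user-supplied map verbatim, so setting it discards both the privileged/non-privileged presets and the driver-derived `host.capabilities` list, and nothing in this hunk checks that the supplied context is not more permissive than the `privileged: true` preset; neither the define nor the hunk says so. A short comment above the define would make the contract explicit: `{{/* host.security_context: a non-empty .Values.host.custom_security_context replaces the presets below verbatim and is not merged with "host.capabilities", so the caller must list every capability the chosen driver needs. */}}`. The same clarification belongs in the README row and the values.yaml comment for `custom_security_context` (the last file in this commit), both of which also read "intended resolving" where "intended for resolving" is meant. The `host.capabilities` define whose tail opens this hunk starts outside it.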
17 changes: 1 addition & 16 deletions charts/shield/templates/host/daemonset.yaml
Expand Up @@ -105,22 +105,7 @@ spec:
resources:
{{- (include "host.resources" .) | nindent 12 }}
securityContext:
{{- if .Values.host.privileged }}
privileged: true
runAsNonRoot: false
runAsUser: 0
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
{{- else }}
allowPrivilegeEscalation: false
seccompProfile:
type: Unconfined
capabilities:
drop:
- ALL
add:
{{- include "host.capabilities" . | nindent 16 }}
{{- end }}
{{- (include "host.security_context" .) | nindent 12 }}
env:
- name: K8S_NODE
valueFrom:
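--- a/charts/shield/tests/host/security_context_test.yaml
+++ b/charts/shield/tests/host/security_context_test.yaml
@@ -0,0 +1,128 @@
+suite: Security Context tests
+templates:
+- templates/host/daemonset.yaml
+kubernetesProvider:
+scheme:
+"v1/Node":
+gvr:
+version: "v1"
+resource: "nodes"
+namespaced: false
+objects:
+- apiVersion: v1
+kind: Node
+metadata:
+name: fakenode
+status:
+nodeInfo:
+osImage: fake-os-image
+values:
+- ../values/base.yaml
+tests:
+- it: Ensure the securityContext for a privileged agent is exactly what was defined
+set:
+asserts:
+- equal:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+value:
+allowPrivilegeEscalation: true
+privileged: true
+readOnlyRootFilesystem: false
+runAsNonRoot: false
+runAsUser: 0
+
+- it: Ensure the securityContext for a non-privileged agent contains the keys defined
+set:
+host:
+privileged: false
+driver: universal_ebpf
+asserts:
+- isSubset:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+content:
+allowPrivilegeEscalation: false
+seccompProfile:
+type: Unconfined
+- isNotSubset:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+content:
+allowPrivilegeEscalation: false
+privileged: true
+readOnlyRootFilesystem: false
+runAsNonRoot: false
+runAsUser: 0
+
+- it: Ensure the custom_security_context is honored
+set:
+host:
+custom_security_context:
+allowPrivilegeEscalation: true
+readOnlyRootFilesystem: false
+runAsNonRoot: false
+runAsUser: 0
+seLinuxOptions:
+type: super_t
+seccompProfile:
+type: Unconfined
+capabilities:
+add:
+- AUDIT_CONTROL
+- BLOCK_SUSPEND
+- DAC_READ_SEARCH
+- IPC_LOCK
+- IPC_OWNER
+- LEASE
+- LINUX_IMMUTABLE
+- MAC_ADMIN
+- MAC_OVERRIDE
+- NET_ADMIN
+- NET_BROADCAST
+- SYSLOG
+- SYS_ADMIN
+- SYS_BOOT
+- SYS_MODULE
+- SYS_NICE
+- SYS_PACCT
+- SYS_PTRACE
+- SYS_RAWIO
+- SYS_RESOURCE
+- SYS_TIME
+- SYS_TTY_CONFIG
+- WAKE_ALARM
+asserts:
+- equal:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+value:
+allowPrivilegeEscalation: true
+readOnlyRootFilesystem: false
+runAsNonRoot: false
+runAsUser: 0
+seLinuxOptions:
+type: super_t
+seccompProfile:
+type: Unconfined
+capabilities:
+add:
+- AUDIT_CONTROL
+- BLOCK_SUSPEND
+- DAC_READ_SEARCH
+- IPC_LOCK
+- IPC_OWNER
+- LEASE
+- LINUX_IMMUTABLE
+- MAC_ADMIN
+- MAC_OVERRIDE
+- NET_ADMIN
+- NET_BROADCAST
+- SYSLOG
+- SYS_ADMIN
+- SYS_BOOT
+- SYS_MODULE
+- SYS_NICE
+- SYS_PACCT
+- SYS_PTRACE
+- SYS_RAWIO
+- SYS_RESOURCE
+- SYS_TIME
+- SYS_TTY_CONFIG
+- WAKE_ALARM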
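Review bot: In the non-privileged test, the `isNotSubset` content repeats `allowPrivilegeEscalation: false`, which the preceding `isSubset` already asserts is present; since `isNotSubset` passes as soon as the whole map fails to match, it only proves that at least one of the five keys differs and does not show that `privileged`, `runAsUser: 0` or `readOnlyRootFilesystem: false` are individually absent. Dropping that key from the `isNotSubset` content, or asserting each privileged-only key separately, makes the assertion match the test title. The non-privileged `isSubset` could also pin the hardening the helper emits by default, `capabilities:` / `drop:` / `- ALL`, since that is the setting a template regression would most likely loosen. The first test's bare `set:` parses as null, so `set: {}` (or dropping the key) states the intent; that test presumably relies on `../values/base.yaml` enabling `host.privileged`, which is outside this commit.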
2 changes: 2 additions & 0 deletions charts/shield/values.yaml
Expand Up @@ -157,6 +157,8 @@ host:
driver: kmod
# Additional settings to be passed to the host shield (overrides the helm generated settings)
additional_settings: {}
# Allows overriding the Security Context of the Agent pod(s). Primarily intended resolving targeted incidents and debugging.
custom_security_context: {}
image:
# The registry where the host shield images are stored
registry: quay.io
