feat(agent): [SMAGENT-8424] Allow for custom security context (#2062)
Introduce a new top-level entry customSecurityContext in Values, so as to be able to override the securityContext automatically populated by the chart. This is to be used sparingly, and particularly in circumstances where a very hardcoded securityContext should be used instead (like in the case of BottleRocket).
iurly authored Dec 6, 2024
1 parent 45a46d5 commit 2f61bf4
Showing 7 changed files with 156 additions and 20 deletions.
2 changes: 1 addition & 1 deletion charts/agent/Chart.yaml
@@ -30,4 +30,4 @@ sources:
- https://app.sysdigcloud.com/#/settings/user
- https://github.com/draios/sysdig
type: application
version: 1.33.0
version: 1.34.0
3 changes: 2 additions & 1 deletion charts/agent/README.md
@@ -173,6 +173,7 @@ The following table lists the configurable parameters of the Sysdig chart and th
| `extraVolumes.volumes` | Specifies the additional volumes to mount in the sysdig agent to pass new secrets or configmaps | `[]` |
| `extraVolumes.mounts` | Specifies the mount points for additional volumes | `[]` |
| `extraSecrets` | Allows passing extra secrets that can be mounted via extraVolumes | `[]` |
| `customSecurityContext` | Allows overriding the Security Context of the Agent pod(s). Primarily intended resolving targeted incidents and debugging. | `[]` |
| `proxy.httpProxy` | Sets `http_proxy` on the agent container. Overrides the proxy setting from `global.proxy`. | `""` |
| `proxy.httpsProxy` | Sets `https_proxy` on the agent container. Overrides the proxy setting from `global.proxy`. | `""` |
| `proxy.noProxy` | Sets `no_proxy` on the agent container. Overrides the proxy setting from `global.proxy`. | `""` |
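Review bot: the default for `customSecurityContext` in this row is `[]`, but the value added to values.yaml is an empty map (`{}`) and the helper renders it with `toYaml` as a map, so the column should read `{}`. The description is also missing a word ("Primarily intended for resolving targeted incidents") and should state that a non-empty value replaces the chart-generated security context wholesale rather than merging into it, since the `privileged` and capability handling is skipped once it is set.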
@@ -187,6 +188,6 @@ The following table lists the configurable parameters of the Sysdig chart and th
| `windows.resources.requests.cpu` | Specifies the CPU requested to run in a Windows node. | ` ` |
| `windows.resources.requests.memory` | Specifies the memory requested to run in a Windows node. | ` ` |
| `windows.resources.limits.cpu` | Specifies the CPU limit for Windows Agents. | ` ` |
| `resources.limits.memory` | Specifies the memory limit for Windows Agents. | ` ` |
| `windows.resources.limits.memory` | Specifies the memory limit for Windows Agents. | ` ` |
| `windows.affinity` | Specifies node affinities for Windows Agents. | `{}` |
| `windows.tolerations` | Specifies the tolerations for scheduling of Windows Agents. | <pre>node-role.kubernetes.io/master:NoSchedule,<br>node-role.kubernetes.io/control-plane:NoSchedule</pre> |
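Review bot: the rename of `resources.limits.memory` to `windows.resources.limits.memory` is a documentation fix unrelated to the custom security context feature; it is correct (the row sits among the other `windows.resources.*` keys), but it would be cleaner as a separate commit or at least mentioned in the commit message.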
22 changes: 22 additions & 0 deletions charts/agent/templates/_helpers.tpl
@@ -681,3 +681,25 @@ annotations:
- SETUID
- SETGID
{{- end -}}


{{- define "agent.securityContext" -}}
{{- if .Values.customSecurityContext }}
{{- toYaml .Values.customSecurityContext -}}
{{- else if eq "true" (include "agent.privileged" .) }}
privileged: true
runAsNonRoot: false
runAsUser: 0
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
{{- else }}
allowPrivilegeEscalation: false
seccompProfile:
type: Unconfined
capabilities:
drop:
- ALL
add:
{{- include "agent.capabilities" . | nindent 4 }}
{{- end }}
{{- end -}}
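Review bot: a non-empty `customSecurityContext` replaces the whole generated context, so a user who supplies only, say, `seLinuxOptions` silently loses `capabilities.drop: [ALL]` and `allowPrivilegeEscalation: false` from the non-privileged branch. If full replacement is the intent (the commit message suggests it is, for the BottleRocket case), add a comment above the `define` saying so; otherwise consider building the generated map and applying `mergeOverwrite` with the custom one. The truthiness check in `{{- if .Values.customSecurityContext }}` works with the `{}` default because an empty map is falsy in Go templates, but note it also means an empty security context can never be requested explicitly.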
17 changes: 1 addition & 16 deletions charts/agent/templates/daemonset.yaml
@@ -174,22 +174,7 @@ spec:
resources:
{{- include "agent.resources" . | nindent 12 }}
securityContext:
{{- if eq "true" (include "agent.privileged" .) }}
privileged: true
runAsNonRoot: false
runAsUser: 0
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
{{- else }}
allowPrivilegeEscalation: false
seccompProfile:
type: Unconfined
capabilities:
drop:
- ALL
add:
{{- include "agent.capabilities" . | nindent 14 }}
{{- end }}
{{- include "agent.securityContext" . | nindent 12 }}
env:
- name: K8S_NODE
valueFrom:
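Review bot: the move into the `agent.securityContext` helper preserves both existing branches, but the indentation of the capability list changes: the old inline code rendered `agent.capabilities` with `nindent 14`, while the helper uses `nindent 4` and is itself included with `nindent 12`, placing the list at column 16 under `add:`. Both forms are valid YAML, yet the non-privileged test only asserts a two-key subset, so a regression in how `capabilities` renders would not be caught; please diff the rendered DaemonSet before and after this change.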
127 changes: 127 additions & 0 deletions charts/agent/tests/security_context_test.yaml
@@ -0,0 +1,127 @@
suite: Security Context tests
templates:
- templates/daemonset.yaml
kubernetesProvider:
scheme:
"v1/Node":
gvr:
version: "v1"
resource: "nodes"
namespaced: false
objects:
- apiVersion: v1
kind: Node
metadata:
name: fakenode
status:
nodeInfo:
osImage: fake-os-image
tests:
- it: Ensure the securityContext for a privileged agent is exactly what was defined
set:
privileged: true
asserts:
- equal:
path: spec.template.spec.containers[?(@.name == "sysdig")].securityContext
value:
allowPrivilegeEscalation: true
privileged: true
readOnlyRootFilesystem: false
runAsNonRoot: false
runAsUser: 0

- it: Ensure the securityContext for a non-privileged agent contains the keys defined
set:
ebpf:
enabled: true
kind: universal_ebpf
privileged: false
asserts:
- isSubset:
path: spec.template.spec.containers[?(@.name == "sysdig")].securityContext
content:
allowPrivilegeEscalation: false
seccompProfile:
type: Unconfined
- isNotSubset:
path: spec.template.spec.containers[?(@.name == "sysdig")].securityContext
content:
allowPrivilegeEscalation: false
privileged: true
readOnlyRootFilesystem: false
runAsNonRoot: false
runAsUser: 0

- it: Ensure the customSecurityContext is honored
set:
customSecurityContext:
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
runAsNonRoot: false
runAsUser: 0
seLinuxOptions:
type: super_t
seccompProfile:
type: Unconfined
capabilities:
add:
- AUDIT_CONTROL
- BLOCK_SUSPEND
- DAC_READ_SEARCH
- IPC_LOCK
- IPC_OWNER
- LEASE
- LINUX_IMMUTABLE
- MAC_ADMIN
- MAC_OVERRIDE
- NET_ADMIN
- NET_BROADCAST
- SYSLOG
- SYS_ADMIN
- SYS_BOOT
- SYS_MODULE
- SYS_NICE
- SYS_PACCT
- SYS_PTRACE
- SYS_RAWIO
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- WAKE_ALARM
asserts:
- equal:
path: spec.template.spec.containers[?(@.name == "sysdig")].securityContext
value:
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
runAsNonRoot: false
runAsUser: 0
seLinuxOptions:
type: super_t
seccompProfile:
type: Unconfined
capabilities:
add:
- AUDIT_CONTROL
- BLOCK_SUSPEND
- DAC_READ_SEARCH
- IPC_LOCK
- IPC_OWNER
- LEASE
- LINUX_IMMUTABLE
- MAC_ADMIN
- MAC_OVERRIDE
- NET_ADMIN
- NET_BROADCAST
- SYSLOG
- SYS_ADMIN
- SYS_BOOT
- SYS_MODULE
- SYS_NICE
- SYS_PACCT
- SYS_PTRACE
- SYS_RAWIO
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- WAKE_ALARM
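Review bot: the `isNotSubset` assertion in the non-privileged test is weaker than it looks: it passes as long as at least one key of `content` is absent or different, and it already includes `allowPrivilegeEscalation: false`, which is present in that branch. A regression that added `privileged: true` alone would still pass. Prefer explicit `notExists` assertions on `...securityContext.privileged` and `...securityContext.runAsUser`, or an `equal` on the full expected map including `capabilities`. It would also be worth adding a case with the default `customSecurityContext: {}` set explicitly, to pin down that the empty map falls through to the generated context.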
1 change: 1 addition & 0 deletions charts/agent/values.yaml
@@ -404,3 +404,4 @@ tests:
tag: 1.31.2
# Allow to modify DNS policy
dnsPolicy: null
customSecurityContext: {}
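Review bot: `customSecurityContext: {}` is added without a comment, unlike the neighbouring `dnsPolicy` key; add one saying that a non-empty map replaces the chart-generated security context entirely and is meant for targeted incidents and debugging, matching the README wording, so that operators reading values.yaml understand the hardening they give up by setting it.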
4 changes: 2 additions & 2 deletions charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: sysdig-deploy
description: A chart with various Sysdig components for Kubernetes
type: application
version: 1.70.0
version: 1.71.0
maintainers:
- name: AlbertoBarba
email: [email protected]
@@ -26,7 +26,7 @@ dependencies:
- name: agent
# repository: https://charts.sysdig.com
repository: file://../agent
version: ~1.33.0
version: ~1.34.0
alias: agent
condition: agent.enabled
- name: common