diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml
index aa9d67a4d..370f5ac61 100644
--- a/charts/agent/Chart.yaml
+++ b/charts/agent/Chart.yaml
@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.33.0
+version: 1.34.0
diff --git a/charts/agent/README.md b/charts/agent/README.md
index c1b175875..a14e0d8f3 100644
--- a/charts/agent/README.md
+++ b/charts/agent/README.md
@@ -173,6 +173,7 @@ The following table lists the configurable parameters of the Sysdig chart and th
 | `extraVolumes.volumes` | Specifies the additional volumes to mount in the sysdig agent to pass new secrets or configmaps | `[]` |
 | `extraVolumes.mounts` | Specifies the mount points for additional volumes | `[]` |
 | `extraSecrets` | Allows passing extra secrets that can be mounted via extraVolumes | `[]` |
+| `customSecurityContext` | Allows overriding the Security Context of the Agent pod(s). Primarily intended resolving targeted incidents and debugging. | `[]` |
 | `proxy.httpProxy` | Sets `http_proxy` on the agent container. Overrides the proxy setting from `global.proxy`. | `""` |
 | `proxy.httpsProxy` | Sets `https_proxy` on the agent container. Overrides the proxy setting from `global.proxy`. | `""` |
 | `proxy.noProxy` | Sets `no_proxy` on the agent container. Overrides the proxy setting from `global.proxy`. | `""` |
@@ -187,6 +188,6 @@ The following table lists the configurable parameters of the Sysdig chart and th
 | `windows.resources.requests.cpu` | Specifies the CPU requested to run in a Windows node. | ` ` |
 | `windows.resources.requests.memory` | Specifies the memory requested to run in a Windows node. | ` ` |
 | `windows.resources.limits.cpu` | Specifies the CPU limit for Windows Agents. | ` ` |
-| `resources.limits.memory` | Specifies the memory limit for Windows Agents. | ` ` |
+| `windows.resources.limits.memory` | Specifies the memory limit for Windows Agents. | ` ` |
 | `windows.affinity` | Specifies node affinities for Windows Agents. | `{}` |
 | `windows.tolerations` | Specifies the tolerations for scheduling of Windows Agents. |
node-role.kubernetes.io/master:NoSchedule,
node-role.kubernetes.io/control-plane:NoSchedule
|
diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl
index ebbe82984..3746b159d 100644
--- a/charts/agent/templates/_helpers.tpl
+++ b/charts/agent/templates/_helpers.tpl
@@ -681,3 +681,25 @@ annotations:
 - SETUID
 - SETGID
 {{- end -}}
+
+
+{{- define "agent.securityContext" -}}
+{{- if .Values.customSecurityContext }}
+  {{- toYaml .Values.customSecurityContext -}}
+{{- else if eq "true" (include "agent.privileged" .) }}
+privileged: true
+runAsNonRoot: false
+runAsUser: 0
+readOnlyRootFilesystem: false
+allowPrivilegeEscalation: true
+{{- else }}
+allowPrivilegeEscalation: false
+seccompProfile:
+  type: Unconfined
+capabilities:
+  drop:
+    - ALL
+  add:
+    {{- include "agent.capabilities" . | nindent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml
index 2df721392..98a65e4b8 100644
--- a/charts/agent/templates/daemonset.yaml
+++ b/charts/agent/templates/daemonset.yaml
@@ -174,22 +174,7 @@ spec:
 resources:
 {{- include "agent.resources" . | nindent 12 }}
 securityContext:
- {{- if eq "true" (include "agent.privileged" .) }}
- privileged: true
- runAsNonRoot: false
- runAsUser: 0
- readOnlyRootFilesystem: false
- allowPrivilegeEscalation: true
- {{- else }}
- allowPrivilegeEscalation: false
- seccompProfile:
- type: Unconfined
- capabilities:
- drop:
- - ALL
- add:
- {{- include "agent.capabilities" . | nindent 14 }}
- {{- end }}
+ {{- include "agent.securityContext" . | nindent 12 }}
 env:
 - name: K8S_NODE
 valueFrom:
diff --git a/charts/agent/tests/security_context_test.yaml b/charts/agent/tests/security_context_test.yaml
new file mode 100644
index 000000000..419c326c4
--- /dev/null
+++ b/charts/agent/tests/security_context_test.yaml
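Review bot: `customSecurityContext` is an exclusive replacement, not a merge: the first branch of `agent.securityContext` emits only the user-supplied mapping, so the `agent.privileged` and `agent.capabilities` helpers are silently bypassed, and a value that omits `capabilities.add` (or sets `privileged: true` while `.Values.privileged` is false) renders a container that is either broken or more privileged than the rest of the values say. That contract should be stated in the template; suggested comment before the `if`: `{{/* customSecurityContext replaces the whole container securityContext; the privileged/eBPF defaults below are NOT merged in. Debugging aid only. */}}`. The README row in this commit documents the default as `[]` while values.yaml sets `{}`; a list rendered by `toYaml` under `securityContext:` is not a valid securityContext object, so the README default should read `{}`.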
@@ -0,0 +1,127 @@
+suite: Security Context tests
+templates:
+ - templates/daemonset.yaml
+kubernetesProvider:
+ scheme:
+ "v1/Node":
+ gvr:
+ version: "v1"
+ resource: "nodes"
+ namespaced: false
+ objects:
+ - apiVersion: v1
+ kind: Node
+ metadata:
+ name: fakenode
+ status:
+ nodeInfo:
+ osImage: fake-os-image
+tests:
+ - it: Ensure the securityContext for a privileged agent is exactly what was defined
+ set:
+ privileged: true
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[?(@.name == "sysdig")].securityContext
+ value:
+ allowPrivilegeEscalation: true
+ privileged: true
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+ runAsUser: 0
+
+ - it: Ensure the securityContext for a non-privileged agent contains the keys defined
+ set:
+ ebpf:
+ enabled: true
+ kind: universal_ebpf
+ privileged: false
+ asserts:
+ - isSubset:
+ path: spec.template.spec.containers[?(@.name == "sysdig")].securityContext
+ content:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: Unconfined
+ - isNotSubset:
+ path: spec.template.spec.containers[?(@.name == "sysdig")].securityContext
+ content:
+ allowPrivilegeEscalation: false
+ privileged: true
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+ runAsUser: 0
+
+ - it: Ensure the customSecurityContext is honored
+ set:
+ customSecurityContext:
+ allowPrivilegeEscalation: true
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+ runAsUser: 0
+ seLinuxOptions:
+ type: super_t
+ seccompProfile:
+ type: Unconfined
+ capabilities:
+ add:
+ - AUDIT_CONTROL
+ - BLOCK_SUSPEND
+ - DAC_READ_SEARCH
+ - IPC_LOCK
+ - IPC_OWNER
+ - LEASE
+ - LINUX_IMMUTABLE
+ - MAC_ADMIN
+ - MAC_OVERRIDE
+ - NET_ADMIN
+ - NET_BROADCAST
+ - SYSLOG
+ - SYS_ADMIN
+ - SYS_BOOT
+ - SYS_MODULE
+ - SYS_NICE
+ - SYS_PACCT
+ - SYS_PTRACE
+ - SYS_RAWIO
+ - SYS_RESOURCE
+ - SYS_TIME
+ - SYS_TTY_CONFIG
+ - WAKE_ALARM
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[?(@.name == "sysdig")].securityContext
+ value:
+ allowPrivilegeEscalation: true
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+ runAsUser: 0
+ seLinuxOptions:
+ type: super_t
+ seccompProfile:
+ type: Unconfined
+ capabilities:
+ add:
+ - AUDIT_CONTROL
+ - BLOCK_SUSPEND
+ - DAC_READ_SEARCH
+ - IPC_LOCK
+ - IPC_OWNER
+ - LEASE
+ - LINUX_IMMUTABLE
+ - MAC_ADMIN
+ - MAC_OVERRIDE
+ - NET_ADMIN
+ - NET_BROADCAST
+ - SYSLOG
+ - SYS_ADMIN
+ - SYS_BOOT
+ - SYS_MODULE
+ - SYS_NICE
+ - SYS_PACCT
+ - SYS_PTRACE
+ - SYS_RAWIO
+ - SYS_RESOURCE
+ - SYS_TIME
+ - SYS_TTY_CONFIG
+ - WAKE_ALARM
diff --git a/charts/agent/values.yaml b/charts/agent/values.yaml
index 90fe4b77f..c046494ee 100644
--- a/charts/agent/values.yaml
+++ b/charts/agent/values.yaml
@@ -404,3 +404,4 @@ tests:
 tag: 1.31.2
 # Allow to modify DNS policy
 dnsPolicy: null
+customSecurityContext: {}
diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
index 7a76d04da..fd171a5c8 100644
--- a/charts/sysdig-deploy/Chart.yaml
+++ b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.70.0
+version: 1.71.0
 maintainers:
 - name: AlbertoBarba
 email: alberto.barba@sysdig.com
@@ -26,7 +26,7 @@ dependencies:
 - name: agent
 # repository: https://charts.sysdig.com
 repository: file://../agent
- version: ~1.33.0
+ version: ~1.34.0
 alias: agent
 condition: agent.enabled
 - name: common
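Review bot: The `isNotSubset` assertion in the non-privileged case lists `allowPrivilegeEscalation: false`, which that rendering does contain, so the assertion passes only because the other four keys are absent; a regression that rendered `privileged: true` next to the non-privileged settings would still pass, since `isNotSubset` only needs one key of the content to be missing. Use one assertion per key that must be absent (for example `notExists` on `...securityContext.privileged`, if the unittest plugin version in use supports it). The suite also never exercises precedence: nothing checks that `customSecurityContext` wins over `privileged: true`, which is the case where a stray override changes the agent's privilege level the most, so a case like the following is worth adding.

```yaml
  - it: Ensure the customSecurityContext takes precedence over privileged mode
    set:
      privileged: true
      customSecurityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
    asserts:
      - equal:
          path: spec.template.spec.containers[?(@.name == "sysdig")].securityContext
          value:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
      - notExists:
          path: spec.template.spec.containers[?(@.name == "sysdig")].securityContext.privileged
```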
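Review bot: The new `customSecurityContext: {}` key has no comment, unlike the adjacent `dnsPolicy` line, and nothing in values.yaml tells a reader that setting it replaces the rendered securityContext rather than merging into it, or that it has to be a mapping. Suggested comment above the line: `# Exclusive override of the agent container securityContext: when set it REPLACES the privileged/eBPF-derived defaults (no merge). Must be a mapping; intended for targeted debugging only.`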