Merge branch 'main' into paolo-responder-ca

.github/workflows/k8s-apis-deprecation.yml

@@ -39,7 +39,7 @@ jobs:
 
       - name: "🛠️ Setup Pluto"
         # Pluto in the docs suggest to use master but would be better to tag a release version
-        uses: FairwindsOps/pluto/[email protected].0
+        uses: FairwindsOps/pluto/[email protected].1
 
       - name: "🔍 Inspecting ${{ matrix.charts_name }} against k8s ${{ matrix.k8s_version }}"
         id: inspecting

charts/agent/CHANGELOG.md

@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used
 exclusively to fix incorrect entries and not to add new ones.
 
 ## Change Log
+# v1.34.6
+### New Features
+* **agent** [3dfcf311](https://github.com/sysdiglabs/charts/commit/3dfcf311d7585421ab0f6ad8f3ea36b9912f34c3): [SMAGENT-8138][SMAGENT-8501] add full securityContext to agent charts ([#2102](https://github.com/sysdiglabs/charts/issues/2102))
 # v1.34.5
 ### New Features
 * **agent,shield** [d8414740](https://github.com/sysdiglabs/charts/commit/d8414740491a7fc39ba85b72ad08d4792e94b734): release agent 13.7.1 ([#2094](https://github.com/sysdiglabs/charts/issues/2094))

charts/agent/RELEASE-NOTES.md

@@ -1,5 +1,5 @@
 # What's Changed
 
 ### New Features
-- **agent,shield** [d8414740](https://github.com/sysdiglabs/charts/commit/d8414740491a7fc39ba85b72ad08d4792e94b734): release agent 13.7.1 ([#2094](https://github.com/sysdiglabs/charts/issues/2094))
-#### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.34.4...agent-1.34.5
+- **agent** [3dfcf311](https://github.com/sysdiglabs/charts/commit/3dfcf311d7585421ab0f6ad8f3ea36b9912f34c3): [SMAGENT-8138][SMAGENT-8501] add full securityContext to agent charts ([#2102](https://github.com/sysdiglabs/charts/issues/2102))
+#### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.34.5...agent-1.34.6

charts/agent/templates/_helpers.tpl

@@ -703,8 +703,12 @@ annotations:
 privileged: true
 runAsNonRoot: false
 runAsUser: 0
+runAsGroup: 0
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: true
+capabilities:
+  drop:
+    - ALL
 {{- else }}
 allowPrivilegeEscalation: false
 seccompProfile:

charts/agent/templates/daemonset-windows.yaml

@@ -30,6 +30,16 @@ spec:
         {{ toYaml .Values.global.image.pullSecrets | nindent 8 }}
       {{- end }}
       securityContext:
+        privileged: true
+        {{- if ( semverCompare ">= 1.31.0" (.Capabilities.KubeVersion.GitVersion )) }}
+        runAsNonRoot: false
+        runAsGroup: 0
+        {{- end }}
+        readOnlyRootFilesystem: false
+        allowPrivilegeEscalation: true
+        capabilities:
+          add:
+            - ALL
         windowsOptions:
           hostProcess: true
           runAsUserName: "NT AUTHORITY\\SYSTEM"

charts/agent/templates/daemonset.yaml

@@ -78,9 +78,13 @@ spec:
           securityContext:
             privileged: true
             runAsNonRoot: false
+            runAsGroup: 0
             runAsUser: 0
             readOnlyRootFilesystem: false
             allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - ALL
           resources:
             {{- if (include "agent.gke.autopilot" .) }}
               {{- $resources := merge .Values.slim.resources (dict "requests" (dict "ephemeral-storage" .Values.gke.ephemeralStorage))}}

charts/agent/templates/deployment.yaml

@@ -69,8 +69,12 @@ spec:
             privileged: true
             runAsNonRoot: false
             runAsUser: 0
+            runAsGroup: 0
             readOnlyRootFilesystem: false
             allowPrivilegeEscalation: true
+            capabilities:
+              add:
+                - ALL
           env:
           - name: RUN_MODE
             value: nodriver

charts/agent/tests/readiness_probe_windows_test.yaml

@@ -19,6 +19,9 @@ kubernetesProvider:
 tests:
 
   - it: "Windows Agent Probes (agent < 1.3.0)"
+    capabilities:
+      majorVersion: 1
+      minorVersion: 31
     set:
       windows:
         enabled: true

charts/agent/tests/security_context_test.yaml

@@ -29,6 +29,10 @@ tests:
             readOnlyRootFilesystem: false
             runAsNonRoot: false
             runAsUser: 0
+            runAsGroup: 0
+            capabilities:
+              drop:
+                - ALL
 
   - it: Ensure the securityContext for a non-privileged agent contains the keys defined
     set:
@@ -125,3 +129,35 @@ tests:
                 - SYS_TIME
                 - SYS_TTY_CONFIG
                 - WAKE_ALARM
+
+  - it: Ensure the securityContext contains the mandatory keys
+    asserts:
+      - isSubset:
+          path: spec.template.spec['initContainers','containers'][:].securityContext.capabilities
+          content:
+            drop:
+              - ALL
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.runAsNonRoot
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.runAsNonRoot
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.runAsUser
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.runAsUser
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.runAsGroup
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.runAsGroup
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.privileged
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.privileged
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.allowPrivilegeEscalation
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.allowPrivilegeEscalation
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.readOnlyRootFilesystem
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.readOnlyRootFilesystem

charts/cluster-shield/CHANGELOG.md

@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used
 exclusively to fix incorrect entries and not to add new ones.
 
 ## Change Log
+# v1.7.0
+### Chores
+* **cluster-shield,sysdig-deploy** [fda74488](https://github.com/sysdiglabs/charts/commit/fda744888d283c69a65d883cb4528dc270061c60): Automatic bump to version 1.7.0 ([#2101](https://github.com/sysdiglabs/charts/issues/2101))
 # v1.6.0
 ### Chores
 * **cluster-shield,sysdig-deploy** [7b050fb3](https://github.com/sysdiglabs/charts/commit/7b050fb38e47d2fdb780ee5870e535bb046fbfc1): bump cluster-shield to version 1.6.0 ([#2073](https://github.com/sysdiglabs/charts/issues/2073))

charts/cluster-shield/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: cluster-shield
 description: Cluster Shield Helm Chart for Kubernetes
 type: application
-version: 1.6.0
-appVersion: "1.6.0"
+version: 1.7.0
+appVersion: "1.7.0"
 maintainers:
   - name: AlbertoBarba
     email: [email protected]

charts/cluster-shield/RELEASE-NOTES.md

@@ -1,5 +1,5 @@
 # What's Changed
 
 ### Chores
-- **cluster-shield,sysdig-deploy** [7b050fb3](https://github.com/sysdiglabs/charts/commit/7b050fb38e47d2fdb780ee5870e535bb046fbfc1): bump cluster-shield to version 1.6.0 ([#2073](https://github.com/sysdiglabs/charts/issues/2073))
-#### Full diff: https://github.com/sysdiglabs/charts/compare/cluster-shield-1.5.1...cluster-shield-1.6.0
+- **cluster-shield,sysdig-deploy** [fda74488](https://github.com/sysdiglabs/charts/commit/fda744888d283c69a65d883cb4528dc270061c60): Automatic bump to version 1.7.0 ([#2101](https://github.com/sysdiglabs/charts/issues/2101))
+#### Full diff: https://github.com/sysdiglabs/charts/compare/cluster-shield-1.6.0...cluster-shield-1.7.0

charts/sysdig-deploy/CHANGELOG.md

@@ -10,6 +10,12 @@ Manual edits are supported only below '## Change Log' and should be used
 exclusively to fix incorrect entries and not to add new ones.
 
 ## Change Log
+# v1.73.1
+### New Features
+* **agent** [3dfcf311](https://github.com/sysdiglabs/charts/commit/3dfcf311d7585421ab0f6ad8f3ea36b9912f34c3): [SMAGENT-8138][SMAGENT-8501] add full securityContext to agent charts ([#2102](https://github.com/sysdiglabs/charts/issues/2102))
+# v1.73.0
+### Chores
+* **cluster-shield,sysdig-deploy** [fda74488](https://github.com/sysdiglabs/charts/commit/fda744888d283c69a65d883cb4528dc270061c60): Automatic bump to version 1.7.0 ([#2101](https://github.com/sysdiglabs/charts/issues/2101))
 # v1.72.8
 ### Chores
 * **sysdig-deploy** [c74a8ba4](https://github.com/sysdiglabs/charts/commit/c74a8ba4c6c88b997c444e0bb16b7bfde9942291): Automatic version bump due to updated dependencies ([#2097](https://github.com/sysdiglabs/charts/issues/2097))

charts/sysdig-deploy/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.73.0
+version: 1.73.2
 maintainers:
   - name: AlbertoBarba
     email: [email protected]
@@ -60,6 +60,6 @@ dependencies:
   - name: cluster-shield
     # repository: https://charts.sysdig.com
     repository: file://../cluster-shield
-    version: ~1.6.0
+    version: ~1.7.0
     alias: clusterShield
     condition: clusterShield.enabled

charts/sysdig-deploy/RELEASE-NOTES.md

@@ -1,5 +1,5 @@
 # What's Changed
 
-### Chores
-- **sysdig-deploy** [c74a8ba4](https://github.com/sysdiglabs/charts/commit/c74a8ba4c6c88b997c444e0bb16b7bfde9942291): Automatic version bump due to updated dependencies ([#2097](https://github.com/sysdiglabs/charts/issues/2097))
-#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.72.7...sysdig-deploy-1.72.8
+### New Features
+- **agent** [3dfcf311](https://github.com/sysdiglabs/charts/commit/3dfcf311d7585421ab0f6ad8f3ea36b9912f34c3): [SMAGENT-8138][SMAGENT-8501] add full securityContext to agent charts ([#2102](https://github.com/sysdiglabs/charts/issues/2102))
+#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.73.0...sysdig-deploy-1.73.1