From 3a0cfe7d65fb889b15fecaf354b3ed8fbe00a55c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 3 Jan 2025 10:45:13 +0000
Subject: [PATCH 1/7] chore(deps): bump FairwindsOps/pluto from 5.21.0 to 5.21.1 (#2099)

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/k8s-apis-deprecation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/k8s-apis-deprecation.yml b/.github/workflows/k8s-apis-deprecation.yml
index e3f14e8c7..80193cf2f 100644
--- a/.github/workflows/k8s-apis-deprecation.yml
+++ b/.github/workflows/k8s-apis-deprecation.yml
@@ -39,7 +39,7 @@ jobs:
 - name: "🛠️ Setup Pluto"
 # Pluto in the docs suggest to use master but would be better to tag a release version
- uses: FairwindsOps/pluto/github-action@v5.21.0
+ uses: FairwindsOps/pluto/github-action@v5.21.1
 - name: "🔍 Inspecting ${{ matrix.charts_name }} against k8s ${{ matrix.k8s_version }}"
 id: inspecting

From fda744888d283c69a65d883cb4528dc270061c60 Mon Sep 17 00:00:00 2001
From: draios-jenkins
Date: Tue, 7 Jan 2025 14:57:45 +0100
Subject: [PATCH 2/7] chore(cluster-shield,sysdig-deploy): Automatic bump to version 1.7.0 (#2101)

Co-authored-by: francesco-furlan <10468205+francesco-furlan@users.noreply.github.com>
Co-authored-by: Francesco Furlan
---
 charts/cluster-shield/Chart.yaml | 4 ++--
 charts/sysdig-deploy/Chart.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/charts/cluster-shield/Chart.yaml b/charts/cluster-shield/Chart.yaml
index 0bdf4d6b3..0e9cb534c 100644
--- a/charts/cluster-shield/Chart.yaml
+++ b/charts/cluster-shield/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cluster-shield
 description: Cluster Shield Helm Chart for Kubernetes
 type: application
-version: 1.6.0
-appVersion: "1.6.0"
+version: 1.7.0
+appVersion: "1.7.0"
 maintainers:
 - name: AlbertoBarba
 email: alberto.barba@sysdig.com
diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
index eda0ebf97..5465f27c9 100644
--- a/charts/sysdig-deploy/Chart.yaml
+++ b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.72.8
+version: 1.73.0
 maintainers:
 - name: AlbertoBarba
 email: alberto.barba@sysdig.com
@@ -60,6 +60,6 @@ dependencies:
 - name: cluster-shield
 # repository: https://charts.sysdig.com
 repository: file://../cluster-shield
- version: ~1.6.0
+ version: ~1.7.0
 alias: clusterShield
 condition: clusterShield.enabled

From 66f08494a75c328bf6fbb90436ac293a57f9b274 Mon Sep 17 00:00:00 2001
From: draios-jenkins
Date: Tue, 7 Jan 2025 13:59:02 +0000
Subject: [PATCH 3/7] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for cluster-shield-1.7.0

---
 charts/cluster-shield/CHANGELOG.md | 3 +++
 charts/cluster-shield/RELEASE-NOTES.md | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/charts/cluster-shield/CHANGELOG.md b/charts/cluster-shield/CHANGELOG.md
index f08188acd..57dc06841 100644
--- a/charts/cluster-shield/CHANGELOG.md
+++ b/charts/cluster-shield/CHANGELOG.md
@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log
+# v1.7.0
+### Chores
+* **cluster-shield,sysdig-deploy** [fda74488](https://github.com/sysdiglabs/charts/commit/fda744888d283c69a65d883cb4528dc270061c60): Automatic bump to version 1.7.0 ([#2101](https://github.com/sysdiglabs/charts/issues/2101))
 # v1.6.0
 ### Chores
 * **cluster-shield,sysdig-deploy** [7b050fb3](https://github.com/sysdiglabs/charts/commit/7b050fb38e47d2fdb780ee5870e535bb046fbfc1): bump cluster-shield to version 1.6.0 ([#2073](https://github.com/sysdiglabs/charts/issues/2073))
diff --git a/charts/cluster-shield/RELEASE-NOTES.md b/charts/cluster-shield/RELEASE-NOTES.md
index caacccde2..ea92ed2fe 100644
--- a/charts/cluster-shield/RELEASE-NOTES.md
+++ b/charts/cluster-shield/RELEASE-NOTES.md
@@ -1,5 +1,5 @@
 # What's Changed
 ### Chores
-- **cluster-shield,sysdig-deploy** [7b050fb3](https://github.com/sysdiglabs/charts/commit/7b050fb38e47d2fdb780ee5870e535bb046fbfc1): bump cluster-shield to version 1.6.0 ([#2073](https://github.com/sysdiglabs/charts/issues/2073))
-#### Full diff: https://github.com/sysdiglabs/charts/compare/cluster-shield-1.5.1...cluster-shield-1.6.0
+- **cluster-shield,sysdig-deploy** [fda74488](https://github.com/sysdiglabs/charts/commit/fda744888d283c69a65d883cb4528dc270061c60): Automatic bump to version 1.7.0 ([#2101](https://github.com/sysdiglabs/charts/issues/2101))
+#### Full diff: https://github.com/sysdiglabs/charts/compare/cluster-shield-1.6.0...cluster-shield-1.7.0

From 1a8dc2db0ec0db2c2793c079787cf2b1118cfb32 Mon Sep 17 00:00:00 2001
From: draios-jenkins
Date: Tue, 7 Jan 2025 13:59:02 +0000
Subject: [PATCH 4/7] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for sysdig-deploy-1.73.0

---
 charts/sysdig-deploy/CHANGELOG.md | 3 +++
 charts/sysdig-deploy/RELEASE-NOTES.md | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/charts/sysdig-deploy/CHANGELOG.md b/charts/sysdig-deploy/CHANGELOG.md
index 9803b2375..d61524e03 100644
--- a/charts/sysdig-deploy/CHANGELOG.md
+++ b/charts/sysdig-deploy/CHANGELOG.md
@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log
+# v1.73.0
+### Chores
+* **cluster-shield,sysdig-deploy** [fda74488](https://github.com/sysdiglabs/charts/commit/fda744888d283c69a65d883cb4528dc270061c60): Automatic bump to version 1.7.0 ([#2101](https://github.com/sysdiglabs/charts/issues/2101))
 # v1.72.8
 ### Chores
 * **sysdig-deploy** [c74a8ba4](https://github.com/sysdiglabs/charts/commit/c74a8ba4c6c88b997c444e0bb16b7bfde9942291): Automatic version bump due to updated dependencies ([#2097](https://github.com/sysdiglabs/charts/issues/2097))
diff --git a/charts/sysdig-deploy/RELEASE-NOTES.md b/charts/sysdig-deploy/RELEASE-NOTES.md
index 8013eb58d..41028729a 100644
--- a/charts/sysdig-deploy/RELEASE-NOTES.md
+++ b/charts/sysdig-deploy/RELEASE-NOTES.md
@@ -1,5 +1,5 @@
 # What's Changed
 ### Chores
-- **sysdig-deploy** [c74a8ba4](https://github.com/sysdiglabs/charts/commit/c74a8ba4c6c88b997c444e0bb16b7bfde9942291): Automatic version bump due to updated dependencies ([#2097](https://github.com/sysdiglabs/charts/issues/2097))
-#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.72.7...sysdig-deploy-1.72.8
+- **cluster-shield,sysdig-deploy** [fda74488](https://github.com/sysdiglabs/charts/commit/fda744888d283c69a65d883cb4528dc270061c60): Automatic bump to version 1.7.0 ([#2101](https://github.com/sysdiglabs/charts/issues/2101))
+#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.72.8...sysdig-deploy-1.73.0

From 3dfcf311d7585421ab0f6ad8f3ea36b9912f34c3 Mon Sep 17 00:00:00 2001
From: Gerlando Falauto
Date: Wed, 8 Jan 2025 12:46:26 +0100
Subject: [PATCH 5/7] feat(agent): [SMAGENT-8138][SMAGENT-8501] add full securityContext to agent charts (#2102)

Update the agent charts so to include a full securityContext. Beware of kubernetes/kubernetes#125012 affecting Windows kubelet. Compared to #2017, just removed the "add: -ALL" part which was breaking some systems like ROKS and probably also Azure, which seemed unnecessary (probably redundant given we have privileged: true).
---
 charts/agent/Chart.yaml | 2 +-
 charts/agent/templates/_helpers.tpl | 4 +++
 charts/agent/templates/daemonset-windows.yaml | 10 ++++++
 charts/agent/templates/daemonset.yaml | 4 +++
 charts/agent/templates/deployment.yaml | 4 +++
 .../tests/readiness_probe_windows_test.yaml | 3 ++
 charts/agent/tests/security_context_test.yaml | 36 +++++++++++++++++++
 charts/sysdig-deploy/Chart.yaml | 4 +--
 8 files changed, 64 insertions(+), 3 deletions(-)

diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml
index 219c2b039..01eb36d83 100644
--- a/charts/agent/Chart.yaml
+++ b/charts/agent/Chart.yaml
@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.34.5
+version: 1.34.6
diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl
index 3746b159d..bffbd3e09 100644
--- a/charts/agent/templates/_helpers.tpl
+++ b/charts/agent/templates/_helpers.tpl
@@ -690,8 +690,12 @@ annotations:
 privileged: true
 runAsNonRoot: false
 runAsUser: 0
+runAsGroup: 0
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: true
+capabilities:
+ drop:
+ - ALL
 {{- else }}
 allowPrivilegeEscalation: false
 seccompProfile:
diff --git a/charts/agent/templates/daemonset-windows.yaml b/charts/agent/templates/daemonset-windows.yaml
index 2022217d7..357864cd8 100644
--- a/charts/agent/templates/daemonset-windows.yaml
+++ b/charts/agent/templates/daemonset-windows.yaml
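Review bot: The new `capabilities: drop: [ALL]` sits in the branch that also emits `privileged: true`, and the commit message itself calls the capabilities stanza "probably redundant given we have privileged: true"; as far as I know containerd and Docker grant the full capability set to privileged containers and do not apply the drop list, so these lines make the securityContext complete for policy scanners rather than narrowing what the agent can do. A comment above the stanza would keep a later reader from assuming the privileged agent is capability-restricted, e.g. `# No effect while privileged: true (runtime grants all caps); kept so the securityContext is complete for policy checks`. The same stanza is added inline in the daemonset.yaml hunk and deserves the same comment there. The enclosing `define` block of the helper starts and ends outside this hunk.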
@@ -30,6 +30,16 @@ spec:
 {{ toYaml .Values.global.image.pullSecrets | nindent 8 }}
 {{- end }}
 securityContext:
+ privileged: true
+ {{- if ( semverCompare ">= 1.31.0" (.Capabilities.KubeVersion.GitVersion )) }}
+ runAsNonRoot: false
+ runAsGroup: 0
+ {{- end }}
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - ALL
 windowsOptions:
 hostProcess: true
 runAsUserName: "NT AUTHORITY\\SYSTEM"
diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml
index 98a65e4b8..a1259ae77 100644
--- a/charts/agent/templates/daemonset.yaml
+++ b/charts/agent/templates/daemonset.yaml
@@ -78,9 +78,13 @@ spec:
 securityContext:
 privileged: true
 runAsNonRoot: false
+ runAsGroup: 0
 runAsUser: 0
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
 resources:
 {{- if (include "agent.gke.autopilot" .) }}
 {{- $resources := merge .Values.slim.resources (dict "requests" (dict "ephemeral-storage" .Values.gke.ephemeralStorage))}}
diff --git a/charts/agent/templates/deployment.yaml b/charts/agent/templates/deployment.yaml
index 1d7aee45c..dbb0212e0 100644
--- a/charts/agent/templates/deployment.yaml
+++ b/charts/agent/templates/deployment.yaml
@@ -69,8 +69,12 @@ spec:
 privileged: true
 runAsNonRoot: false
 runAsUser: 0
+ runAsGroup: 0
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - ALL
 env:
 - name: RUN_MODE
 value: nodriver
diff --git a/charts/agent/tests/readiness_probe_windows_test.yaml b/charts/agent/tests/readiness_probe_windows_test.yaml
index 0c8af5675..d4d639f24 100644
--- a/charts/agent/tests/readiness_probe_windows_test.yaml
+++ b/charts/agent/tests/readiness_probe_windows_test.yaml
@@ -19,6 +19,9 @@ kubernetesProvider:
 tests:
 - it: "Windows Agent Probes (agent < 1.3.0)"
+ capabilities:
+ majorVersion: 1
+ minorVersion: 31
 set:
 windows:
 enabled: true
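Review bot: The version gate `semverCompare ">= 1.31.0" (.Capabilities.KubeVersion.GitVersion )` in the Windows daemonset will evaluate false on clusters whose version string carries a pre-release suffix (managed distributions commonly report `v1.31.x-<vendor>`), because Masterminds semver constraints exclude pre-release versions unless the constraint names one; the Helm convention is `{{- if semverCompare ">=1.31.0-0" .Capabilities.KubeVersion.Version }}` (`GitVersion` is, as far as I recall, the deprecated alias of `Version`). On such clusters `runAsNonRoot`/`runAsGroup` would silently not render, which the readiness test's pin to 1.31 does not catch. Separately, `privileged`, `capabilities`, `allowPrivilegeEscalation` and `readOnlyRootFilesystem` are Linux-only fields per the Kubernetes Windows compatibility documentation and add nothing to a `hostProcess: true` container, which already runs as the host; a comment such as `# Linux-only fields, ignored by the Windows kubelet; present so the securityContext is complete for policy checks` would make that explicit. The enclosing container spec starts before this hunk.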
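Review bot: `capabilities: add: [ALL]` in the deployment.yaml hunk contradicts the `_helpers.tpl` and `daemonset.yaml` hunks of this same commit, which emit `drop: [ALL]`, and the commit message, which says the `add: -ALL` form was removed because it broke ROKS and probably Azure. Unless the `RUN_MODE: nodriver` deployment is meant to differ, the three Linux paths should agree on `capabilities:` / `drop:` / `- ALL`; the new `Ensure the securityContext contains the mandatory keys` test asserts `drop: ALL` on every container, so if that test renders the deployment it fails as written. The security context being inlined in three templates instead of rendered from the helper is what let this drift in; emitting it from the helper in all three places would prevent a repeat. The enclosing container spec starts before this hunk.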
diff --git a/charts/agent/tests/security_context_test.yaml b/charts/agent/tests/security_context_test.yaml
index 419c326c4..00c31778a 100644
--- a/charts/agent/tests/security_context_test.yaml
+++ b/charts/agent/tests/security_context_test.yaml
@@ -29,6 +29,10 @@ tests:
 readOnlyRootFilesystem: false
 runAsNonRoot: false
 runAsUser: 0
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 - it: Ensure the securityContext for a non-privileged agent contains the keys defined
 set:
@@ -125,3 +129,35 @@ tests:
 - SYS_TIME
 - SYS_TTY_CONFIG
 - WAKE_ALARM
+
+ - it: Ensure the securityContext contains the mandatory keys
+ asserts:
+ - isSubset:
+ path: spec.template.spec['initContainers','containers'][:].securityContext.capabilities
+ content:
+ drop:
+ - ALL
+ - exists:
+ path: spec.template.spec.initContainers[:].securityContext.runAsNonRoot
+ - exists:
+ path: spec.template.spec.containers[:].securityContext.runAsNonRoot
+ - exists:
+ path: spec.template.spec.initContainers[:].securityContext.runAsUser
+ - exists:
+ path: spec.template.spec.containers[:].securityContext.runAsUser
+ - exists:
+ path: spec.template.spec.initContainers[:].securityContext.runAsGroup
+ - exists:
+ path: spec.template.spec.containers[:].securityContext.runAsGroup
+ - exists:
+ path: spec.template.spec.initContainers[:].securityContext.privileged
+ - exists:
+ path: spec.template.spec.containers[:].securityContext.privileged
+ - exists:
+ path: spec.template.spec.initContainers[:].securityContext.allowPrivilegeEscalation
+ - exists:
+ path: spec.template.spec.containers[:].securityContext.allowPrivilegeEscalation
+ - exists:
+ path: spec.template.spec.initContainers[:].securityContext.readOnlyRootFilesystem
+ - exists:
+ path: spec.template.spec.containers[:].securityContext.readOnlyRootFilesystem
diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
index 5465f27c9..ffb94ceb6 100644
--- a/charts/sysdig-deploy/Chart.yaml
+++ b/charts/sysdig-deploy/Chart.yaml
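Review bot: The new `Ensure the securityContext contains the mandatory keys` case has no `set:` block, so it renders only the default values path, and its `exists` assertions check key presence rather than value; they would pass equally for `allowPrivilegeEscalation: true` and `false`, or `privileged` either way. If the non-privileged branch of the helper (the `{{- else }}` branch partly visible in the `_helpers.tpl` hunk) is also expected to drop all capabilities, a second variant that sets the non-privileged toggle and repeats the `isSubset` on `capabilities` would cover it; otherwise a comment stating that this case deliberately exercises only the default (privileged) rendering avoids a false sense of coverage, e.g. `# Presence-only checks on the default (privileged) rendering; values are asserted by the cases above`. The surrounding `tests:` list begins before this hunk.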
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.73.0
+version: 1.73.1
 maintainers:
 - name: AlbertoBarba
 email: alberto.barba@sysdig.com
@@ -26,7 +26,7 @@ dependencies:
 - name: agent
 # repository: https://charts.sysdig.com
 repository: file://../agent
- version: ~1.34.5
+ version: ~1.34.6
 alias: agent
 condition: agent.enabled
 - name: common

From 4d5e76ca972ac127e032cb191eb61b3f0d122831 Mon Sep 17 00:00:00 2001
From: draios-jenkins
Date: Wed, 8 Jan 2025 11:47:54 +0000
Subject: [PATCH 6/7] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for agent-1.34.6

---
 charts/agent/CHANGELOG.md | 3 +++
 charts/agent/RELEASE-NOTES.md | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/charts/agent/CHANGELOG.md b/charts/agent/CHANGELOG.md
index bb76c5bde..f1a7f5d8b 100644
--- a/charts/agent/CHANGELOG.md
+++ b/charts/agent/CHANGELOG.md
@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log
+# v1.34.6
+### New Features
+* **agent** [3dfcf311](https://github.com/sysdiglabs/charts/commit/3dfcf311d7585421ab0f6ad8f3ea36b9912f34c3): [SMAGENT-8138][SMAGENT-8501] add full securityContext to agent charts ([#2102](https://github.com/sysdiglabs/charts/issues/2102))
 # v1.34.5
 ### New Features
 * **agent,shield** [d8414740](https://github.com/sysdiglabs/charts/commit/d8414740491a7fc39ba85b72ad08d4792e94b734): release agent 13.7.1 ([#2094](https://github.com/sysdiglabs/charts/issues/2094))
diff --git a/charts/agent/RELEASE-NOTES.md b/charts/agent/RELEASE-NOTES.md
index 85889f470..55df867a4 100644
--- a/charts/agent/RELEASE-NOTES.md
+++ b/charts/agent/RELEASE-NOTES.md
@@ -1,5 +1,5 @@
 # What's Changed
 ### New Features
-- **agent,shield** [d8414740](https://github.com/sysdiglabs/charts/commit/d8414740491a7fc39ba85b72ad08d4792e94b734): release agent 13.7.1 ([#2094](https://github.com/sysdiglabs/charts/issues/2094))
-#### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.34.4...agent-1.34.5
+- **agent** [3dfcf311](https://github.com/sysdiglabs/charts/commit/3dfcf311d7585421ab0f6ad8f3ea36b9912f34c3): [SMAGENT-8138][SMAGENT-8501] add full securityContext to agent charts ([#2102](https://github.com/sysdiglabs/charts/issues/2102))
+#### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.34.5...agent-1.34.6

From cd3f77b4ec739b7205686a11776f9552597fc1e5 Mon Sep 17 00:00:00 2001
From: draios-jenkins
Date: Wed, 8 Jan 2025 11:47:54 +0000
Subject: [PATCH 7/7] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for sysdig-deploy-1.73.1

---
 charts/sysdig-deploy/CHANGELOG.md | 3 +++
 charts/sysdig-deploy/RELEASE-NOTES.md | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/charts/sysdig-deploy/CHANGELOG.md b/charts/sysdig-deploy/CHANGELOG.md
index d61524e03..83af4e364 100644
--- a/charts/sysdig-deploy/CHANGELOG.md
+++ b/charts/sysdig-deploy/CHANGELOG.md
@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log
+# v1.73.1
+### New Features
+* **agent** [3dfcf311](https://github.com/sysdiglabs/charts/commit/3dfcf311d7585421ab0f6ad8f3ea36b9912f34c3): [SMAGENT-8138][SMAGENT-8501] add full securityContext to agent charts ([#2102](https://github.com/sysdiglabs/charts/issues/2102))
 # v1.73.0
 ### Chores
 * **cluster-shield,sysdig-deploy** [fda74488](https://github.com/sysdiglabs/charts/commit/fda744888d283c69a65d883cb4528dc270061c60): Automatic bump to version 1.7.0 ([#2101](https://github.com/sysdiglabs/charts/issues/2101))
diff --git a/charts/sysdig-deploy/RELEASE-NOTES.md b/charts/sysdig-deploy/RELEASE-NOTES.md
index 41028729a..52d457e61 100644
--- a/charts/sysdig-deploy/RELEASE-NOTES.md
+++ b/charts/sysdig-deploy/RELEASE-NOTES.md
@@ -1,5 +1,5 @@
 # What's Changed
-### Chores
-- **cluster-shield,sysdig-deploy** [fda74488](https://github.com/sysdiglabs/charts/commit/fda744888d283c69a65d883cb4528dc270061c60): Automatic bump to version 1.7.0 ([#2101](https://github.com/sysdiglabs/charts/issues/2101))
-#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.72.8...sysdig-deploy-1.73.0
+### New Features
+- **agent** [3dfcf311](https://github.com/sysdiglabs/charts/commit/3dfcf311d7585421ab0f6ad8f3ea36b9912f34c3): [SMAGENT-8138][SMAGENT-8501] add full securityContext to agent charts ([#2102](https://github.com/sysdiglabs/charts/issues/2102))
+#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.73.0...sysdig-deploy-1.73.1