feat(shield): [SMAGENT-8138] add full securityContext to host-shield …

…chart Update the host-shield chart so to include a full securityContext. This is the equivalent of #2102.
sysdiglabs · Jan 15, 2025 · 6ac5bfd · 6ac5bfd
1 parent 46850fe
commit 6ac5bfd
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 1 deletion.
diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
   - name: mavimo
     email: [email protected]
 type: application
-version: 0.6.1
+version: 0.6.2
 appVersion: "1.0.0"
diff --git a/charts/shield/templates/host/_helpers.tpl b/charts/shield/templates/host/_helpers.tpl
@@ -156,8 +156,12 @@ true
 privileged: true
 runAsNonRoot: false
 runAsUser: 0
+runAsGroup: 0
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: true
+capabilities:
+  drop:
+    - ALL
 {{- else }}
 allowPrivilegeEscalation: false
 seccompProfile:

diff --git a/charts/shield/templates/host/daemonset.yaml b/charts/shield/templates/host/daemonset.yaml
@@ -44,9 +44,13 @@ spec:
           securityContext:
             privileged: true
             runAsNonRoot: false
+            runAsGroup: 0
             runAsUser: 0
             readOnlyRootFilesystem: false
             allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - ALL
           resources:
             {{- (include "host.kmodule_resources" .) | nindent 12 }}
           env:

diff --git a/charts/shield/tests/host/security_context_test.yaml b/charts/shield/tests/host/security_context_test.yaml
@@ -30,6 +30,10 @@ tests:
             readOnlyRootFilesystem: false
             runAsNonRoot: false
             runAsUser: 0
+            runAsGroup: 0
+            capabilities:
+              drop:
+                - ALL
 
   - it: Ensure the securityContext for a non-privileged agent contains the keys defined
     set:
@@ -126,3 +130,34 @@ tests:
                 - SYS_TIME
                 - SYS_TTY_CONFIG
                 - WAKE_ALARM
+  - it: Ensure the securityContext contains the mandatory keys
+    asserts:
+      - isSubset:
+          path: spec.template.spec['initContainers','containers'][:].securityContext.capabilities
+          content:
+            drop:
+              - ALL
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.runAsNonRoot
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.runAsNonRoot
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.runAsUser
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.runAsUser
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.runAsGroup
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.runAsGroup
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.privileged
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.privileged
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.allowPrivilegeEscalation
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.allowPrivilegeEscalation
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.readOnlyRootFilesystem
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.readOnlyRootFilesystem