feat(shield): [SMAGENT-8138] add full securityContext to host-shield chart

charts/shield/Chart.yaml

@@ -13,5 +13,5 @@ maintainers:
   - name: mavimo
     email: [email protected]
 type: application
-version: 0.6.2
+version: 0.6.3
 appVersion: "1.0.0"

charts/shield/templates/host/_helpers.tpl

@@ -156,8 +156,12 @@ true
 privileged: true
 runAsNonRoot: false
 runAsUser: 0
+runAsGroup: 0
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: true
+capabilities:
+  drop:
+    - ALL
 {{- else }}
 allowPrivilegeEscalation: false
 seccompProfile:

charts/shield/templates/host/daemonset.yaml

@@ -44,9 +44,13 @@ spec:
           securityContext:
             privileged: true
             runAsNonRoot: false
+            runAsGroup: 0
             runAsUser: 0
             readOnlyRootFilesystem: false
             allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - ALL
           resources:
             {{- (include "host.kmodule_resources" .) | nindent 12 }}
           env:

charts/shield/tests/host/security_context_test.yaml

@@ -30,6 +30,10 @@ tests:
             readOnlyRootFilesystem: false
             runAsNonRoot: false
             runAsUser: 0
+            runAsGroup: 0
+            capabilities:
+              drop:
+                - ALL
 
   - it: Ensure the securityContext for a non-privileged agent contains the keys defined
     set:
@@ -126,3 +130,34 @@ tests:
                 - SYS_TIME
                 - SYS_TTY_CONFIG
                 - WAKE_ALARM
+  - it: Ensure the securityContext contains the mandatory keys
+    asserts:
+      - isSubset:
+          path: spec.template.spec['initContainers','containers'][:].securityContext.capabilities
+          content:
+            drop:
+              - ALL
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.runAsNonRoot
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.runAsNonRoot
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.runAsUser
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.runAsUser
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.runAsGroup
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.runAsGroup
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.privileged
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.privileged
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.allowPrivilegeEscalation
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.allowPrivilegeEscalation
+      - exists:
+          path: spec.template.spec.initContainers[:].securityContext.readOnlyRootFilesystem
+      - exists:
+          path: spec.template.spec.containers[:].securityContext.readOnlyRootFilesystem