Merge branch 'main' into SMAGENT-8408-extra-capabilities

sysdiglabs · Dec 19, 2024 · 37789c6 · 37789c6
2 parents a24b752 + f1165b8
commit 37789c6
Show file tree

Hide file tree

Showing 12 changed files with 13 additions and 74 deletions.
diff --git a/charts/agent/CHANGELOG.md b/charts/agent/CHANGELOG.md
@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used
 exclusively to fix incorrect entries and not to add new ones.
 
 ## Change Log
+# v1.34.2
+### New Features
+* **agent** [a65d52c3](https://github.com/sysdiglabs/charts/commit/a65d52c363277573f7c6b70dab172e065c38f59f): REVERT [SMAGENT-8138] add full securityContext to agent charts ([#2084](https://github.com/sysdiglabs/charts/issues/2084))
 # v1.34.1
 ### New Features
 * **agent** [550c06fa](https://github.com/sysdiglabs/charts/commit/550c06fad7140b7e98d6063ba61337be4341498a): [SMAGENT-8138] add full securityContext to agent charts ([#2017](https://github.com/sysdiglabs/charts/issues/2017))

diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml
@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.34.1
+version: 1.34.2
diff --git a/charts/agent/RELEASE-NOTES.md b/charts/agent/RELEASE-NOTES.md
@@ -1,5 +1,5 @@
 # What's Changed
 
 ### New Features
-- **agent** [550c06fa](https://github.com/sysdiglabs/charts/commit/550c06fad7140b7e98d6063ba61337be4341498a): [SMAGENT-8138] add full securityContext to agent charts ([#2017](https://github.com/sysdiglabs/charts/issues/2017))
-#### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.34.0...agent-1.34.1
+- **agent** [a65d52c3](https://github.com/sysdiglabs/charts/commit/a65d52c363277573f7c6b70dab172e065c38f59f): REVERT [SMAGENT-8138] add full securityContext to agent charts ([#2084](https://github.com/sysdiglabs/charts/issues/2084))
+#### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.34.1...agent-1.34.2
diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl
@@ -690,14 +690,8 @@ annotations:
 privileged: true
 runAsNonRoot: false
 runAsUser: 0
-runAsGroup: 0
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: true
-capabilities:
-  drop:
-    - ALL
-  add:
-    - ALL
 {{- else }}
 allowPrivilegeEscalation: false
 seccompProfile:

diff --git a/charts/agent/templates/daemonset-windows.yaml b/charts/agent/templates/daemonset-windows.yaml
@@ -30,16 +30,6 @@ spec:
         {{ toYaml .Values.global.image.pullSecrets | nindent 8 }}
       {{- end }}
       securityContext:
-        privileged: true
-        {{- if ( semverCompare ">= 1.31.0" (.Capabilities.KubeVersion.GitVersion )) }}
-        runAsNonRoot: false
-        runAsGroup: 0
-        {{- end }}
-        readOnlyRootFilesystem: false
-        allowPrivilegeEscalation: true
-        capabilities:
-          add:
-            - ALL
         windowsOptions:
           hostProcess: true
           runAsUserName: "NT AUTHORITY\\SYSTEM"

diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml
@@ -78,15 +78,9 @@ spec:
           securityContext:
             privileged: true
             runAsNonRoot: false
-            runAsGroup: 0
             runAsUser: 0
             readOnlyRootFilesystem: false
             allowPrivilegeEscalation: true
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - ALL
           resources:
             {{- if (include "agent.gke.autopilot" .) }}
               {{- $resources := merge .Values.slim.resources (dict "requests" (dict "ephemeral-storage" .Values.gke.ephemeralStorage))}}

diff --git a/charts/agent/templates/deployment.yaml b/charts/agent/templates/deployment.yaml
@@ -69,12 +69,8 @@ spec:
             privileged: true
             runAsNonRoot: false
             runAsUser: 0
-            runAsGroup: 0
             readOnlyRootFilesystem: false
             allowPrivilegeEscalation: true
-            capabilities:
-              add:
-                - ALL
           env:
           - name: RUN_MODE
             value: nodriver

diff --git a/charts/agent/tests/readiness_probe_windows_test.yaml b/charts/agent/tests/readiness_probe_windows_test.yaml
@@ -19,9 +19,6 @@ kubernetesProvider:
 tests:
 
   - it: "Windows Agent Probes (agent < 1.3.0)"
-    capabilities:
-      majorVersion: 1
-      minorVersion: 31
     set:
       windows:
         enabled: true

diff --git a/charts/agent/tests/security_context_test.yaml b/charts/agent/tests/security_context_test.yaml
@@ -29,12 +29,6 @@ tests:
             readOnlyRootFilesystem: false
             runAsNonRoot: false
             runAsUser: 0
-            runAsGroup: 0
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - ALL
 
   - it: Ensure the securityContext for a non-privileged agent contains the keys defined
     set:
@@ -131,35 +125,3 @@ tests:
                 - SYS_TIME
                 - SYS_TTY_CONFIG
                 - WAKE_ALARM
-
-  - it: Ensure the securityContext contains the mandatory keys
-    asserts:
-      - isSubset:
-          path: spec.template.spec['initContainers','containers'][:].securityContext.capabilities
-          content:
-            drop:
-              - ALL
-      - exists:
-          path: spec.template.spec.initContainers[:].securityContext.runAsNonRoot
-      - exists:
-          path: spec.template.spec.containers[:].securityContext.runAsNonRoot
-      - exists:
-          path: spec.template.spec.initContainers[:].securityContext.runAsUser
-      - exists:
-          path: spec.template.spec.containers[:].securityContext.runAsUser
-      - exists:
-          path: spec.template.spec.initContainers[:].securityContext.runAsGroup
-      - exists:
-          path: spec.template.spec.containers[:].securityContext.runAsGroup
-      - exists:
-          path: spec.template.spec.initContainers[:].securityContext.privileged
-      - exists:
-          path: spec.template.spec.containers[:].securityContext.privileged
-      - exists:
-          path: spec.template.spec.initContainers[:].securityContext.allowPrivilegeEscalation
-      - exists:
-          path: spec.template.spec.containers[:].securityContext.allowPrivilegeEscalation
-      - exists:
-          path: spec.template.spec.initContainers[:].securityContext.readOnlyRootFilesystem
-      - exists:
-          path: spec.template.spec.containers[:].securityContext.readOnlyRootFilesystem
diff --git a/charts/sysdig-deploy/CHANGELOG.md b/charts/sysdig-deploy/CHANGELOG.md
@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used
 exclusively to fix incorrect entries and not to add new ones.
 
 ## Change Log
+# v1.72.4
+### New Features
+* **agent** [a65d52c3](https://github.com/sysdiglabs/charts/commit/a65d52c363277573f7c6b70dab172e065c38f59f): REVERT [SMAGENT-8138] add full securityContext to agent charts ([#2084](https://github.com/sysdiglabs/charts/issues/2084))
 # v1.72.3
 ### New Features
 * **agent** [550c06fa](https://github.com/sysdiglabs/charts/commit/550c06fad7140b7e98d6063ba61337be4341498a): [SMAGENT-8138] add full securityContext to agent charts ([#2017](https://github.com/sysdiglabs/charts/issues/2017))

diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.72.3
+version: 1.72.4
 maintainers:
   - name: AlbertoBarba
     email: [email protected]
@@ -26,7 +26,7 @@ dependencies:
   - name: agent
     # repository: https://charts.sysdig.com
     repository: file://../agent
-    version: ~1.34.1
+    version: ~1.34.2
     alias: agent
     condition: agent.enabled
   - name: common

diff --git a/charts/sysdig-deploy/RELEASE-NOTES.md b/charts/sysdig-deploy/RELEASE-NOTES.md
@@ -1,5 +1,5 @@
 # What's Changed
 
 ### New Features
-- **agent** [550c06fa](https://github.com/sysdiglabs/charts/commit/550c06fad7140b7e98d6063ba61337be4341498a): [SMAGENT-8138] add full securityContext to agent charts ([#2017](https://github.com/sysdiglabs/charts/issues/2017))
-#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.72.2...sysdig-deploy-1.72.3
+- **agent** [a65d52c3](https://github.com/sysdiglabs/charts/commit/a65d52c363277573f7c6b70dab172e065c38f59f): REVERT [SMAGENT-8138] add full securityContext to agent charts ([#2084](https://github.com/sysdiglabs/charts/issues/2084))
+#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.72.3...sysdig-deploy-1.72.4