From a65d52c363277573f7c6b70dab172e065c38f59f Mon Sep 17 00:00:00 2001
From: Gerlando Falauto
Date: Wed, 18 Dec 2024 18:49:17 +0100
Subject: [PATCH 1/3] feat(agent): REVERT [SMAGENT-8138] add full securityContext to agent charts (#2084)

This was breaking installs on ROKS and potentially others. Reverting for now.
---
 charts/agent/Chart.yaml | 2 +-
 charts/agent/templates/_helpers.tpl | 6 ---
 charts/agent/templates/daemonset-windows.yaml | 10 -----
 charts/agent/templates/daemonset.yaml | 6 ---
 charts/agent/templates/deployment.yaml | 4 --
 .../tests/readiness_probe_windows_test.yaml | 3 --
 charts/agent/tests/security_context_test.yaml | 38 -------------------
 charts/sysdig-deploy/Chart.yaml | 4 +-
 8 files changed, 3 insertions(+), 70 deletions(-)

diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml
index 6950a5d07..bb680ed9d 100644
--- a/charts/agent/Chart.yaml
+++ b/charts/agent/Chart.yaml
@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.34.1
+version: 1.34.2
diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl
index 80d6370eb..3746b159d 100644
--- a/charts/agent/templates/_helpers.tpl
+++ b/charts/agent/templates/_helpers.tpl
@@ -690,14 +690,8 @@ annotations:
 privileged: true
 runAsNonRoot: false
 runAsUser: 0
-runAsGroup: 0
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: true
-capabilities:
-  drop:
-  - ALL
-  add:
-  - ALL
 {{- else }}
 allowPrivilegeEscalation: false
 seccompProfile:
diff --git a/charts/agent/templates/daemonset-windows.yaml b/charts/agent/templates/daemonset-windows.yaml
index 357864cd8..2022217d7 100644
--- a/charts/agent/templates/daemonset-windows.yaml
+++ b/charts/agent/templates/daemonset-windows.yaml
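Review bot: The privileged branch of this helper drops `runAsGroup: 0` and the whole `capabilities` block without recording why, even though the commit message names the ROKS install failure as the reason; a template comment above `privileged: true` would stop the next contributor from re-adding them blind, e.g. `{{- /* runAsGroup and capabilities intentionally omitted: they broke installs on ROKS (#2084); re-add only once the failing field is identified */ -}}`. The effective privilege level is unchanged by the removal, since `privileged: true` already grants the full capability set; what is lost is the explicit declaration that admission policies and scanners key on, so the comment should say that the omission is deliberate rather than an oversight. The same two keys are removed inline in the daemonset.yaml and deployment.yaml hunks below, which would benefit from the same one-line comment. The enclosing define starts and ends outside this hunk.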
@@ -30,16 +30,6 @@ spec:
       {{ toYaml .Values.global.image.pullSecrets | nindent 8 }}
       {{- end }}
       securityContext:
-        privileged: true
-        {{- if ( semverCompare ">= 1.31.0" (.Capabilities.KubeVersion.GitVersion )) }}
-        runAsNonRoot: false
-        runAsGroup: 0
-        {{- end }}
-        readOnlyRootFilesystem: false
-        allowPrivilegeEscalation: true
-        capabilities:
-          add:
-          - ALL
         windowsOptions:
           hostProcess: true
           runAsUserName: "NT AUTHORITY\\SYSTEM"
diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml
index 16c8836fc..98a65e4b8 100644
--- a/charts/agent/templates/daemonset.yaml
+++ b/charts/agent/templates/daemonset.yaml
@@ -78,15 +78,9 @@ spec:
         securityContext:
           privileged: true
           runAsNonRoot: false
-          runAsGroup: 0
           runAsUser: 0
           readOnlyRootFilesystem: false
           allowPrivilegeEscalation: true
-          capabilities:
-            drop:
-            - ALL
-            add:
-            - ALL
         resources:
         {{- if (include "agent.gke.autopilot" .) }}
         {{- $resources := merge .Values.slim.resources (dict "requests" (dict "ephemeral-storage" .Values.gke.ephemeralStorage))}}
diff --git a/charts/agent/templates/deployment.yaml b/charts/agent/templates/deployment.yaml
index dbb0212e0..1d7aee45c 100644
--- a/charts/agent/templates/deployment.yaml
+++ b/charts/agent/templates/deployment.yaml
@@ -69,12 +69,8 @@ spec:
           privileged: true
           runAsNonRoot: false
           runAsUser: 0
-          runAsGroup: 0
           readOnlyRootFilesystem: false
           allowPrivilegeEscalation: true
-          capabilities:
-            add:
-            - ALL
         env:
         - name: RUN_MODE
           value: nodriver
diff --git a/charts/agent/tests/readiness_probe_windows_test.yaml b/charts/agent/tests/readiness_probe_windows_test.yaml
index d4d639f24..0c8af5675 100644
--- a/charts/agent/tests/readiness_probe_windows_test.yaml
+++ b/charts/agent/tests/readiness_probe_windows_test.yaml
@@ -19,9 +19,6 @@ kubernetesProvider:
 
 tests:
 - it: "Windows Agent Probes (agent < 1.3.0)"
-  capabilities:
-    majorVersion: 1
-    minorVersion: 31
   set:
     windows:
       enabled: true
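Review bot: The keys removed from the Windows daemonset here (`privileged`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation`, `capabilities`) exist only on a container-level securityContext, and the surrounding context (`imagePullSecrets` rendered with `nindent 8`, no container entry between `{{- end }}` and `securityContext:`) suggests this `securityContext:` is the pod-level one of the hostProcess pod, where those fields do not exist; whether that contributed to the install failures the commit message mentions is not stated, and a short comment above `windowsOptions:` saying `# pod-level securityContext: only PodSecurityContext fields are valid here` would keep them from coming back. The version-gated `runAsNonRoot: false` is also dropped, and the readiness_probe_windows hunk removes the matching `capabilities: majorVersion: 1 / minorVersion: 31` setting, so no test in the suite renders this template against a 1.31 API any more. Keeping one case with `capabilities: { majorVersion: 1, minorVersion: 31 }` would preserve coverage of whatever the 1.31 gate was working around. The enclosing pod spec starts and ends outside this hunk.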
diff --git a/charts/agent/tests/security_context_test.yaml b/charts/agent/tests/security_context_test.yaml
index f5af2f59c..419c326c4 100644
--- a/charts/agent/tests/security_context_test.yaml
+++ b/charts/agent/tests/security_context_test.yaml
@@ -29,12 +29,6 @@ tests:
           readOnlyRootFilesystem: false
           runAsNonRoot: false
           runAsUser: 0
-          runAsGroup: 0
-          capabilities:
-            drop:
-            - ALL
-            add:
-            - ALL
 
 - it: Ensure the securityContext for a non-privileged agent contains the keys defined
   set:
@@ -131,35 +125,3 @@ tests:
             - SYS_TIME
             - SYS_TTY_CONFIG
             - WAKE_ALARM
-
-- it: Ensure the securityContext contains the mandatory keys
-  asserts:
-  - isSubset:
-      path: spec.template.spec['initContainers','containers'][:].securityContext.capabilities
-      content:
-        drop:
-        - ALL
-  - exists:
-      path: spec.template.spec.initContainers[:].securityContext.runAsNonRoot
-  - exists:
-      path: spec.template.spec.containers[:].securityContext.runAsNonRoot
-  - exists:
-      path: spec.template.spec.initContainers[:].securityContext.runAsUser
-  - exists:
-      path: spec.template.spec.containers[:].securityContext.runAsUser
-  - exists:
-      path: spec.template.spec.initContainers[:].securityContext.runAsGroup
-  - exists:
-      path: spec.template.spec.containers[:].securityContext.runAsGroup
-  - exists:
-      path: spec.template.spec.initContainers[:].securityContext.privileged
-  - exists:
-      path: spec.template.spec.containers[:].securityContext.privileged
-  - exists:
-      path: spec.template.spec.initContainers[:].securityContext.allowPrivilegeEscalation
-  - exists:
-      path: spec.template.spec.containers[:].securityContext.allowPrivilegeEscalation
-  - exists:
-      path: spec.template.spec.initContainers[:].securityContext.readOnlyRootFilesystem
-  - exists:
-      path: spec.template.spec.containers[:].securityContext.readOnlyRootFilesystem
diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
index b1ed23dda..65275de61 100644
--- a/charts/sysdig-deploy/Chart.yaml
+++ b/charts/sysdig-deploy/Chart.yaml
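Review bot: Deleting the whole `Ensure the securityContext contains the mandatory keys` case in the second hunk removes the regression guard for keys the chart still sets on both initContainers and containers (`privileged`, `runAsNonRoot`, `runAsUser`, `allowPrivilegeEscalation`, `readOnlyRootFilesystem`), not only for the reverted `runAsGroup` and `capabilities.drop` expectations. Restoring the case with just the `isSubset` assertion on `capabilities` and the two `runAsGroup` `exists` assertions removed would keep the remaining keys under test, so a future template edit that silently drops `privileged` or `runAsUser` is caught. The first hunk's removal of `runAsGroup` and `capabilities` from the privileged expectation is consistent with the template changes and needs nothing further.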
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.72.3
+version: 1.72.4
 maintainers:
 - name: AlbertoBarba
   email: alberto.barba@sysdig.com
@@ -26,7 +26,7 @@ dependencies:
 - name: agent
   # repository: https://charts.sysdig.com
   repository: file://../agent
-  version: ~1.34.1
+  version: ~1.34.2
   alias: agent
   condition: agent.enabled
 - name: common

From b152227a0cc160e9e4b85c5ed1a3cc239ddc3c83 Mon Sep 17 00:00:00 2001
From: draios-jenkins
Date: Wed, 18 Dec 2024 17:50:37 +0000
Subject: [PATCH 2/3] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for agent-1.34.2

---
 charts/agent/CHANGELOG.md | 3 +++
 charts/agent/RELEASE-NOTES.md | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/charts/agent/CHANGELOG.md b/charts/agent/CHANGELOG.md
index 387e5c0fc..dd1e57bdf 100644
--- a/charts/agent/CHANGELOG.md
+++ b/charts/agent/CHANGELOG.md
@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used
 exclusively to fix incorrect entries and not to add new ones.
 
 ## Change Log
+# v1.34.2
+### New Features
+* **agent** [a65d52c3](https://github.com/sysdiglabs/charts/commit/a65d52c363277573f7c6b70dab172e065c38f59f): REVERT [SMAGENT-8138] add full securityContext to agent charts ([#2084](https://github.com/sysdiglabs/charts/issues/2084))
 # v1.34.1
 ### New Features
 * **agent** [550c06fa](https://github.com/sysdiglabs/charts/commit/550c06fad7140b7e98d6063ba61337be4341498a): [SMAGENT-8138] add full securityContext to agent charts ([#2017](https://github.com/sysdiglabs/charts/issues/2017))
diff --git a/charts/agent/RELEASE-NOTES.md b/charts/agent/RELEASE-NOTES.md
index b4ea42d36..a4fd83b88 100644
--- a/charts/agent/RELEASE-NOTES.md
+++ b/charts/agent/RELEASE-NOTES.md
@@ -1,5 +1,5 @@ # What's Changed ### New Features -- **agent** [550c06fa](https://github.com/sysdiglabs/charts/commit/550c06fad7140b7e98d6063ba61337be4341498a): [SMAGENT-8138] add full securityContext to agent charts ([#2017](https://github.com/sysdiglabs/charts/issues/2017)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.34.0...agent-1.34.1 +- **agent** [a65d52c3](https://github.com/sysdiglabs/charts/commit/a65d52c363277573f7c6b70dab172e065c38f59f): REVERT [SMAGENT-8138] add full securityContext to agent charts ([#2084](https://github.com/sysdiglabs/charts/issues/2084)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.34.1...agent-1.34.2 From f1165b89517b9fc335977037c733eaeb9f56441a Mon Sep 17 00:00:00 2001 From: draios-jenkins Date: Wed, 18 Dec 2024 17:50:37 +0000 Subject: [PATCH 3/3] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for sysdig-deploy-1.72.4 --- charts/sysdig-deploy/CHANGELOG.md | 3 +++ charts/sysdig-deploy/RELEASE-NOTES.md | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/charts/sysdig-deploy/CHANGELOG.md b/charts/sysdig-deploy/CHANGELOG.md index bc927b945..57aa0b549 100644 --- a/charts/sysdig-deploy/CHANGELOG.md +++ b/charts/sysdig-deploy/CHANGELOG.md @@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v1.72.4 +### New Features +* **agent** [a65d52c3](https://github.com/sysdiglabs/charts/commit/a65d52c363277573f7c6b70dab172e065c38f59f): REVERT [SMAGENT-8138] add full securityContext to agent charts ([#2084](https://github.com/sysdiglabs/charts/issues/2084)) # v1.72.3 ### New Features * **agent** [550c06fa](https://github.com/sysdiglabs/charts/commit/550c06fad7140b7e98d6063ba61337be4341498a): [SMAGENT-8138] add full securityContext to agent charts ([#2017](https://github.com/sysdiglabs/charts/issues/2017)) 
diff --git a/charts/sysdig-deploy/RELEASE-NOTES.md b/charts/sysdig-deploy/RELEASE-NOTES.md index f19a27e0e..8b4307bca 100644 --- a/charts/sysdig-deploy/RELEASE-NOTES.md +++ b/charts/sysdig-deploy/RELEASE-NOTES.md @@ -1,5 +1,5 @@ # What's Changed ### New Features -- **agent** [550c06fa](https://github.com/sysdiglabs/charts/commit/550c06fad7140b7e98d6063ba61337be4341498a): [SMAGENT-8138] add full securityContext to agent charts ([#2017](https://github.com/sysdiglabs/charts/issues/2017)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.72.2...sysdig-deploy-1.72.3 +- **agent** [a65d52c3](https://github.com/sysdiglabs/charts/commit/a65d52c363277573f7c6b70dab172e065c38f59f): REVERT [SMAGENT-8138] add full securityContext to agent charts ([#2084](https://github.com/sysdiglabs/charts/issues/2084)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.72.3...sysdig-deploy-1.72.4