Revert "feat(agent): [SMAGENT-8138] add full securityContext to agent…

… charts …" This reverts commit 550c06f.
sysdiglabs · Dec 18, 2024 · d55b53d · d55b53d
1 parent 65e0d23
commit d55b53d
Show file tree

Hide file tree

Showing 8 changed files with 3 additions and 70 deletions.
diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml
@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.34.1
+version: 1.34.0
diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl
@@ -690,14 +690,8 @@ annotations:
 privileged: true
 runAsNonRoot: false
 runAsUser: 0
-runAsGroup: 0
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: true
-capabilities:
-  drop:
-    - ALL
-  add:
-    - ALL
 {{- else }}
 allowPrivilegeEscalation: false
 seccompProfile:

diff --git a/charts/agent/templates/daemonset-windows.yaml b/charts/agent/templates/daemonset-windows.yaml
@@ -30,16 +30,6 @@ spec:
         {{ toYaml .Values.global.image.pullSecrets | nindent 8 }}
       {{- end }}
       securityContext:
-        privileged: true
-        {{- if ( semverCompare ">= 1.31.0" (.Capabilities.KubeVersion.GitVersion )) }}
-        runAsNonRoot: false
-        runAsGroup: 0
-        {{- end }}
-        readOnlyRootFilesystem: false
-        allowPrivilegeEscalation: true
-        capabilities:
-          add:
-            - ALL
         windowsOptions:
           hostProcess: true
           runAsUserName: "NT AUTHORITY\\SYSTEM"

diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml
@@ -78,15 +78,9 @@ spec:
           securityContext:
             privileged: true
             runAsNonRoot: false
-            runAsGroup: 0
             runAsUser: 0
             readOnlyRootFilesystem: false
             allowPrivilegeEscalation: true
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - ALL
           resources:
             {{- if (include "agent.gke.autopilot" .) }}
               {{- $resources := merge .Values.slim.resources (dict "requests" (dict "ephemeral-storage" .Values.gke.ephemeralStorage))}}

diff --git a/charts/agent/templates/deployment.yaml b/charts/agent/templates/deployment.yaml
@@ -69,12 +69,8 @@ spec:
             privileged: true
             runAsNonRoot: false
             runAsUser: 0
-            runAsGroup: 0
             readOnlyRootFilesystem: false
             allowPrivilegeEscalation: true
-            capabilities:
-              add:
-                - ALL
           env:
           - name: RUN_MODE
             value: nodriver

diff --git a/charts/agent/tests/readiness_probe_windows_test.yaml b/charts/agent/tests/readiness_probe_windows_test.yaml
@@ -19,9 +19,6 @@ kubernetesProvider:
 tests:
 
   - it: "Windows Agent Probes (agent < 1.3.0)"
-    capabilities:
-      majorVersion: 1
-      minorVersion: 31
     set:
       windows:
         enabled: true

diff --git a/charts/agent/tests/security_context_test.yaml b/charts/agent/tests/security_context_test.yaml
@@ -29,12 +29,6 @@ tests:
             readOnlyRootFilesystem: false
             runAsNonRoot: false
             runAsUser: 0
-            runAsGroup: 0
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - ALL
 
   - it: Ensure the securityContext for a non-privileged agent contains the keys defined
     set:
@@ -131,35 +125,3 @@ tests:
                 - SYS_TIME
                 - SYS_TTY_CONFIG
                 - WAKE_ALARM
-
-  - it: Ensure the securityContext contains the mandatory keys
-    asserts:
-      - isSubset:
-          path: spec.template.spec['initContainers','containers'][:].securityContext.capabilities
-          content:
-            drop:
-              - ALL
-      - exists:
-          path: spec.template.spec.initContainers[:].securityContext.runAsNonRoot
-      - exists:
-          path: spec.template.spec.containers[:].securityContext.runAsNonRoot
-      - exists:
-          path: spec.template.spec.initContainers[:].securityContext.runAsUser
-      - exists:
-          path: spec.template.spec.containers[:].securityContext.runAsUser
-      - exists:
-          path: spec.template.spec.initContainers[:].securityContext.runAsGroup
-      - exists:
-          path: spec.template.spec.containers[:].securityContext.runAsGroup
-      - exists:
-          path: spec.template.spec.initContainers[:].securityContext.privileged
-      - exists:
-          path: spec.template.spec.containers[:].securityContext.privileged
-      - exists:
-          path: spec.template.spec.initContainers[:].securityContext.allowPrivilegeEscalation
-      - exists:
-          path: spec.template.spec.containers[:].securityContext.allowPrivilegeEscalation
-      - exists:
-          path: spec.template.spec.initContainers[:].securityContext.readOnlyRootFilesystem
-      - exists:
-          path: spec.template.spec.containers[:].securityContext.readOnlyRootFilesystem
diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.72.3
+version: 1.72.2
 maintainers:
   - name: AlbertoBarba
     email: [email protected]
@@ -26,7 +26,7 @@ dependencies:
   - name: agent
     # repository: https://charts.sysdig.com
     repository: file://../agent
-    version: ~1.34.1
+    version: ~1.34.0
     alias: agent
     condition: agent.enabled
   - name: common