diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml
index 219c2b039..01eb36d83 100644
--- a/charts/agent/Chart.yaml
+++ b/charts/agent/Chart.yaml
@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.34.5
+version: 1.34.6
diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl
index 3746b159d..bffbd3e09 100644
--- a/charts/agent/templates/_helpers.tpl
+++ b/charts/agent/templates/_helpers.tpl
@@ -690,8 +690,12 @@ annotations:
 privileged: true
 runAsNonRoot: false
 runAsUser: 0
+runAsGroup: 0
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: true
+capabilities:
+ drop:
+ - ALL
 {{- else }}
 allowPrivilegeEscalation: false
 seccompProfile:
diff --git a/charts/agent/templates/daemonset-windows.yaml b/charts/agent/templates/daemonset-windows.yaml
index 2022217d7..357864cd8 100644
--- a/charts/agent/templates/daemonset-windows.yaml
+++ b/charts/agent/templates/daemonset-windows.yaml
@@ -30,6 +30,16 @@ spec:
 {{ toYaml .Values.global.image.pullSecrets | nindent 8 }}
 {{- end }}
 securityContext:
+ privileged: true
+ {{- if ( semverCompare ">= 1.31.0" (.Capabilities.KubeVersion.GitVersion )) }}
+ runAsNonRoot: false
+ runAsGroup: 0
+ {{- end }}
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - ALL
 windowsOptions:
 hostProcess: true
 runAsUserName: "NT AUTHORITY\\SYSTEM"
diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml
index 98a65e4b8..a1259ae77 100644
--- a/charts/agent/templates/daemonset.yaml
+++ b/charts/agent/templates/daemonset.yaml
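Review bot: `capabilities.drop: [ALL]` is placed under `privileged: true`, where it does not change what the container can do — the runtime grants a privileged container the full capability set, and the CRI implementations I am aware of ignore the `capabilities` field for privileged containers, so the drop only satisfies tooling that looks for the key. If that is the intent, record it where the line is added, e.g. `# declarative only: privileged: true grants every capability at runtime`, so nobody later reads this as a hardening measure; the identical block added to daemonset.yaml in this commit needs the same note. Since this helper already renders the privileged securityContext, daemonset.yaml could include it instead of repeating the keys inline, though how the helper is consumed is outside the hunk. The `{{- if` that opens this privileged branch is above the hunk, so the condition that selects it is not visible here.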
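Review bot: `privileged`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation`, `capabilities` and `runAsGroup` are Linux-only securityContext fields that the Kubernetes Windows documentation lists as not implemented for Windows containers, and, as far as I recall, the API server rejects most of them when a pod declares `spec.os.name: windows` (whether this template sets that is outside the hunk, but it is the failure mode to verify on a real cluster). If they are added to satisfy an admission policy or the new "mandatory keys" unit test rather than to change the behaviour of the hostProcess container, a comment above `privileged: true` should say so. The `semverCompare ">= 1.31.0"` guard also needs a comment naming what changed in 1.31 that makes `runAsNonRoot`/`runAsGroup` acceptable only from that version — nothing in the hunk explains it. Note too that this file and deployment.yaml use `capabilities.add: [ALL]` while _helpers.tpl and daemonset.yaml use `drop: [ALL]`, and the new security_context_test asserts `drop`; the commit should settle on one form, bearing in mind that `add: ALL` next to `privileged: true` is redundant at runtime either way.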
@@ -78,9 +78,13 @@ spec:
 securityContext:
 privileged: true
 runAsNonRoot: false
+ runAsGroup: 0
 runAsUser: 0
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
 resources:
 {{- if (include "agent.gke.autopilot" .) }}
 {{- $resources := merge .Values.slim.resources (dict "requests" (dict "ephemeral-storage" .Values.gke.ephemeralStorage))}}
diff --git a/charts/agent/templates/deployment.yaml b/charts/agent/templates/deployment.yaml
index 1d7aee45c..dbb0212e0 100644
--- a/charts/agent/templates/deployment.yaml
+++ b/charts/agent/templates/deployment.yaml
@@ -69,8 +69,12 @@ spec:
 privileged: true
 runAsNonRoot: false
 runAsUser: 0
+ runAsGroup: 0
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - ALL
 env:
 - name: RUN_MODE
 value: nodriver
diff --git a/charts/agent/tests/readiness_probe_windows_test.yaml b/charts/agent/tests/readiness_probe_windows_test.yaml
index 0c8af5675..d4d639f24 100644
--- a/charts/agent/tests/readiness_probe_windows_test.yaml
+++ b/charts/agent/tests/readiness_probe_windows_test.yaml
@@ -19,6 +19,9 @@ kubernetesProvider:
 tests:
 - it: "Windows Agent Probes (agent < 1.3.0)"
+ capabilities:
+ majorVersion: 1
+ minorVersion: 31
 set:
 windows:
 enabled: true
diff --git a/charts/agent/tests/security_context_test.yaml b/charts/agent/tests/security_context_test.yaml
index 419c326c4..00c31778a 100644
--- a/charts/agent/tests/security_context_test.yaml
+++ b/charts/agent/tests/security_context_test.yaml
@@ -29,6 +29,10 @@ tests:
 readOnlyRootFilesystem: false
 runAsNonRoot: false
 runAsUser: 0
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 - it: Ensure the securityContext for a non-privileged agent contains the keys defined
 set:
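Review bot: Pinning `capabilities.minorVersion: 31` on this case exercises only the `>= 1.31.0` branch of daemonset-windows.yaml, so the rendering for older clusters, where `runAsNonRoot`/`runAsGroup` are omitted, has no coverage unless a later case in this file sets `minorVersion: 30` (the rest of the file is outside the hunk). Add a sibling case with `minorVersion: 30` that asserts those two keys are absent from the container securityContext. Put a comment on the pin as well, e.g. `# KubeVersion 1.31 selects the branch that renders runAsNonRoot/runAsGroup`, so the reason for it survives the next template change.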
@@ -125,3 +129,35 @@ tests:
 - SYS_TIME
 - SYS_TTY_CONFIG
 - WAKE_ALARM
+
+ - it: Ensure the securityContext contains the mandatory keys
+ asserts:
+ - isSubset:
+ path: spec.template.spec['initContainers','containers'][:].securityContext.capabilities
+ content:
+ drop:
+ - ALL
+ - exists:
+ path: spec.template.spec.initContainers[:].securityContext.runAsNonRoot
+ - exists:
+ path: spec.template.spec.containers[:].securityContext.runAsNonRoot
+ - exists:
+ path: spec.template.spec.initContainers[:].securityContext.runAsUser
+ - exists:
+ path: spec.template.spec.containers[:].securityContext.runAsUser
+ - exists:
+ path: spec.template.spec.initContainers[:].securityContext.runAsGroup
+ - exists:
+ path: spec.template.spec.containers[:].securityContext.runAsGroup
+ - exists:
+ path: spec.template.spec.initContainers[:].securityContext.privileged
+ - exists:
+ path: spec.template.spec.containers[:].securityContext.privileged
+ - exists:
+ path: spec.template.spec.initContainers[:].securityContext.allowPrivilegeEscalation
+ - exists:
+ path: spec.template.spec.containers[:].securityContext.allowPrivilegeEscalation
+ - exists:
+ path: spec.template.spec.initContainers[:].securityContext.readOnlyRootFilesystem
+ - exists:
+ path: spec.template.spec.containers[:].securityContext.readOnlyRootFilesystem
diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
index 5465f27c9..ffb94ceb6 100644
--- a/charts/sysdig-deploy/Chart.yaml
+++ b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.73.0
+version: 1.73.1
 maintainers:
 - name: AlbertoBarba
 email: alberto.barba@sysdig.com
@@ -26,7 +26,7 @@ dependencies:
 - name: agent
 # repository: https://charts.sysdig.com
 repository: file://../agent
-version: ~1.34.5
+version: ~1.34.6
 alias: agent
 condition: agent.enabled
 - name: common
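Review bot: The new case asserts only that the securityContext keys `exist`; none of `privileged`, `allowPrivilegeEscalation` or `readOnlyRootFilesystem` is pinned to a value, so a template change that flips the default branch to `privileged: true` would still pass. Since the case has no `set:`, it renders the chart defaults — add `equal` assertions for the values that branch is expected to produce (if the default is the non-privileged branch, `privileged: false` and `allowPrivilegeEscalation: false` at minimum) alongside the existing `isSubset` on `drop: ALL`. The `isSubset` will also fail for any template in this file's `templates` list that renders `capabilities.add: [ALL]` instead (deployment.yaml and daemonset-windows.yaml in this commit); that list is above the hunk, so check whether those templates are covered here.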