Add missing permission needed to scan sysctl_net_core_bpf_jit_harden (#958)

Added CAP_SYS_ADMIN capability alongside CAP_SYS_CHROOT in the security context of the compliance scan pod.

Author: Vincent056

pkg/controller/compliancescan/scan.go

@@ -207,11 +207,11 @@ func newScanPodForNode(scanInstance *compv1alpha1.ComplianceScan, node *corev1.N
 					Command: []string{OpenScapScriptPath},
 					SecurityContext: &corev1.SecurityContext{
 						Privileged:               &falseP,
-						AllowPrivilegeEscalation: &falseP,
+						AllowPrivilegeEscalation: &trueP,
 						ReadOnlyRootFilesystem:   &trueP,
 						Capabilities: &corev1.Capabilities{
 							Drop: []corev1.Capability{"ALL"},
-							Add:  []corev1.Capability{"CAP_SYS_CHROOT"},
+							Add:  []corev1.Capability{"CAP_SYS_CHROOT", "CAP_SYS_ADMIN"},
 						},
 						// TODO(jaosorior): Figure out if the default
 						// seccomp profile is sufficient here.

tests/e2e/parallel/main_test.go

@@ -614,10 +614,23 @@ func TestSingleScanSucceeds(t *testing.T) {
 					t.Fatalf("Expected scanner container to drop ALL capabilities, got: %v", droppedCaps)
 				}
 
-				// Verify only CAP_SYS_CHROOT is added
+				// Verify CAP_SYS_CHROOT and CAP_SYS_ADMIN are added
 				addedCaps := container.SecurityContext.Capabilities.Add
-				if len(addedCaps) != 1 || string(addedCaps[0]) != "CAP_SYS_CHROOT" {
-					t.Fatalf("Expected scanner container to only have CAP_SYS_CHROOT capability, got: %v", addedCaps)
+				if len(addedCaps) != 2 {
+					t.Fatalf("Expected scanner container to have CAP_SYS_CHROOT and CAP_SYS_ADMIN capabilities, got: %v", addedCaps)
+				}
+				hasChroot := false
+				hasSysAdmin := false
+				for _, cap := range addedCaps {
+					if string(cap) == "CAP_SYS_CHROOT" {
+						hasChroot = true
+					}
+					if string(cap) == "CAP_SYS_ADMIN" {
+						hasSysAdmin = true
+					}
+				}
+				if !hasChroot || !hasSysAdmin {
+					t.Fatalf("Expected scanner container to have both CAP_SYS_CHROOT and CAP_SYS_ADMIN capabilities, got: %v", addedCaps)
 				}
 				break
 			}