fix: address review comments

therealbobo · therealbobo · commit 783c6659889a · 2025-10-24T13:30:47.000Z
diff --git a/charts/shield/templates/host/_helpers.tpl b/charts/shield/templates/host/_helpers.tpl
@@ -201,7 +201,7 @@ capabilities:
 allowPrivilegeEscalation: false
 seccompProfile:
   type: Unconfined
-{{- if (include "common.cluster_type.is_bottlerocket" .) }}
+{{- if and (eq (include "host.response_actions_enabled" .) "true") (include "common.cluster_type.is_bottlerocket" .) }}
 seLinuxOptions:
   type: control_t
 {{- end }}
diff --git a/charts/shield/tests/host/daemonset_test.yaml b/charts/shield/tests/host/daemonset_test.yaml
@@ -150,6 +150,10 @@ tests:
         privileged: false
       cluster_config:
         cluster_type: bottlerocket
+      features:
+        respond:
+          response_actions:
+            enabled: true
     asserts:
       - isSubset:
           path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
diff --git a/charts/shield/tests/host/security_context_test.yaml b/charts/shield/tests/host/security_context_test.yaml
@@ -56,13 +56,17 @@ tests:
             runAsNonRoot: false
             runAsUser: 0
 
-  - it: Ensure the securityContext for bottlerocket includes seLinuxOptions
+  - it: Ensure the securityContext for bottlerocket with response_actions includes seLinuxOptions
     set:
       host:
         privileged: false
         driver: universal_ebpf
       cluster_config:
         cluster_type: bottlerocket
+      features:
+        respond:
+          response_actions:
+            enabled: true
     asserts:
       - isSubset:
           path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
@@ -73,6 +77,52 @@ tests:
             seLinuxOptions:
               type: control_t
 
+  - it: Ensure the securityContext for bottlerocket without response_actions does not include seLinuxOptions
+    set:
+      host:
+        privileged: false
+        driver: universal_ebpf
+      cluster_config:
+        cluster_type: bottlerocket
+      features:
+        respond:
+          response_actions:
+            enabled: false
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+          content:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: Unconfined
+      - isNotSubset:
+          path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+          content:
+            seLinuxOptions:
+              type: control_t
+
+  - it: Ensure the securityContext for non-bottlerocket with response_actions does not include seLinuxOptions
+    set:
+      host:
+        privileged: false
+        driver: universal_ebpf
+      features:
+        respond:
+          response_actions:
+            enabled: true
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+          content:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: Unconfined
+      - isNotSubset:
+          path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+          content:
+            seLinuxOptions:
+              type: control_t
+
   - it: Ensure the security_context is honored
     set:
       host:
