fix: address review comments

therealbobo · therealbobo · commit 857f4b6ab05a · 2025-10-30T16:07:08.000Z
Signed-off-by: Roberto Scolaro &lt;roberto.scolaro21@gmail.com&gt;
diff --git a/charts/shield/templates/common/_cluster_type.tpl b/charts/shield/templates/common/_cluster_type.tpl
@@ -6,9 +6,3 @@ Proxy Secret Name
     {{- true -}}
   {{- end -}}
 {{- end -}}
-
-{{- define "common.cluster_type.is_bottlerocket" -}}
-  {{- if eq "bottlerocket" .Values.cluster_config.cluster_type -}}
-    {{- true -}}
-  {{- end -}}
-{{- end -}}
diff --git a/charts/shield/templates/host/_helpers.tpl b/charts/shield/templates/host/_helpers.tpl
@@ -201,7 +201,7 @@ capabilities:
 allowPrivilegeEscalation: false
 seccompProfile:
   type: Unconfined
-{{- if and (eq (include "host.response_actions_enabled" .) "true") (include "common.cluster_type.is_bottlerocket" .) }}
+{{- if eq (include "host.response_actions_needs_higher_privileges" .) "true" }}
 seLinuxOptions:
   type: control_t
 {{- end }}
@@ -245,6 +245,31 @@ true
 {{- end }}
 {{- end }}
 
+{{/*
+  This function checks if response actions that need higher privileges are enabled.
+  These include: file_acquire, file_quarantine, and get_logs.
+  Returns true if response_actions is enabled AND at least one of these actions has trigger != "none".
+*/}}
+{{- define "host.response_actions_needs_higher_privileges" }}
+{{- if eq (include "host.response_actions_enabled" .) "true" }}
+{{- $feature_respond := dig "respond" (dict) .Values.features }}
+{{- $additional_features := dig "features" (dict) .Values.host.additional_settings }}
+{{- $additional_respond := dig "respond" (dict) $additional_features }}
+{{- $response_actions := dict }}
+{{- if hasKey $additional_respond "response_actions" }}
+  {{- $response_actions = get $additional_respond "response_actions" }}
+{{- else if hasKey $feature_respond "response_actions" }}
+  {{- $response_actions = get $feature_respond "response_actions" }}
+{{- end }}
+{{- $file_acquire := dig "file_acquire" (dict) $response_actions }}
+{{- $file_quarantine := dig "file_quarantine" (dict) $response_actions }}
+{{- $get_logs := dig "get_logs" (dict) $response_actions }}
+{{- if or (and $file_acquire (ne (dig "trigger" "none" $file_acquire) "none")) (and $file_quarantine (ne (dig "trigger" "none" $file_quarantine) "none")) (and $get_logs (ne (dig "trigger" "none" $get_logs) "none")) }}
+{{- true -}}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{- define "host.rapid_response_password" }}
 {{- $feature_respond := get .Values.features (include "host.respond_key" .Values.features) }}
 {{- if (dig "rapid_response" "password" nil $feature_respond) }}
diff --git a/charts/shield/tests/host/daemonset_test.yaml b/charts/shield/tests/host/daemonset_test.yaml
@@ -144,16 +144,16 @@ tests:
             readOnlyRootFilesystem: false
             allowPrivilegeEscalation: true
 
-  - it: Test host.privileged=false with bottlerocket cluster_type adds seLinuxOptions
+  - it: Test host.privileged=false with response_actions needing higher privileges adds seLinuxOptions
     set:
       host:
         privileged: false
-      cluster_config:
-        cluster_type: bottlerocket
       features:
         respond:
           response_actions:
             enabled: true
+            file_acquire:
+              trigger: all
     asserts:
       - isSubset:
           path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
@@ -176,12 +176,20 @@ tests:
                 - SYS_PTRACE
                 - SYS_RESOURCE
 
-  - it: Test host.privileged=false with generic cluster_type does not add seLinuxOptions
+  - it: Test host.privileged=false without higher privilege response_actions does not add seLinuxOptions
     set:
       host:
         privileged: false
-      cluster_config:
-        cluster_type: generic
+      features:
+        respond:
+          response_actions:
+            enabled: true
+            file_acquire:
+              trigger: none
+            file_quarantine:
+              trigger: none
+            get_logs:
+              trigger: none
     asserts:
       - isSubset:
           path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
diff --git a/charts/shield/tests/host/security_context_test.yaml b/charts/shield/tests/host/security_context_test.yaml
@@ -56,17 +56,17 @@ tests:
             runAsNonRoot: false
             runAsUser: 0
 
-  - it: Ensure the securityContext for bottlerocket with response_actions includes seLinuxOptions
+  - it: Ensure the securityContext with response_actions file_acquire includes seLinuxOptions
     set:
       host:
         privileged: false
         driver: universal_ebpf
-      cluster_config:
-        cluster_type: bottlerocket
       features:
         respond:
           response_actions:
             enabled: true
+            file_acquire:
+              trigger: all
     asserts:
       - isSubset:
           path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
@@ -77,13 +77,53 @@ tests:
             seLinuxOptions:
               type: control_t
 
-  - it: Ensure the securityContext for bottlerocket without response_actions does not include seLinuxOptions
+  - it: Ensure the securityContext with response_actions file_quarantine includes seLinuxOptions
+    set:
+      host:
+        privileged: false
+        driver: universal_ebpf
+      features:
+        respond:
+          response_actions:
+            enabled: true
+            file_quarantine:
+              trigger: all
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+          content:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: Unconfined
+            seLinuxOptions:
+              type: control_t
+
+  - it: Ensure the securityContext with response_actions get_logs includes seLinuxOptions
+    set:
+      host:
+        privileged: false
+        driver: universal_ebpf
+      features:
+        respond:
+          response_actions:
+            enabled: true
+            get_logs:
+              trigger: all
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+          content:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: Unconfined
+            seLinuxOptions:
+              type: control_t
+
+  - it: Ensure the securityContext without response_actions does not include seLinuxOptions
     set:
       host:
         privileged: false
         driver: universal_ebpf
-      cluster_config:
-        cluster_type: bottlerocket
       features:
         respond:
           response_actions:
@@ -101,7 +141,7 @@ tests:
             seLinuxOptions:
               type: control_t
 
-  - it: Ensure the securityContext for non-bottlerocket with response_actions does not include seLinuxOptions
+  - it: Ensure the securityContext with response_actions but no higher privilege actions does not include seLinuxOptions
     set:
       host:
         privileged: false
@@ -110,6 +150,14 @@ tests:
         respond:
           response_actions:
             enabled: true
+            file_acquire:
+              trigger: none
+            file_quarantine:
+              trigger: none
+            get_logs:
+              trigger: none
+            kill_process:
+              trigger: all
     asserts:
       - isSubset:
           path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
diff --git a/charts/shield/values.schema.json b/charts/shield/values.schema.json
@@ -74,8 +74,7 @@
           "description": "Type of Kubernetes cluster",
           "enum": [
             "generic",
-            "gke-autopilot",
-            "bottlerocket"
+            "gke-autopilot"
           ],
           "examples": [
             "generic"
