
Commit 8b4eac5

fix: address review comments
Signed-off-by: Roberto Scolaro <[email protected]>
1 parent 8bed210 commit 8b4eac5


7 files changed

+135
-24
lines changed


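--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -66,7 +66,7 @@ The following table lists the configurable parameters of the `shield` chart and
 |-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | cluster_config.name | The name of the cluster | <code></code> |
 | cluster_config.cluster_domain | The domain of the cluster | <code>cluster.local</code> |
-| cluster_config.cluster_type | The type of the cluster (Accepted Values: gke-autopilot, bottlerocket, generic) | <code>generic</code> |
+| cluster_config.cluster_type | The type of the cluster (Accepted Values: gke-autopilot, generic) | <code>generic</code> |
 | cluster_config.root_namespace | The root namespace of the cluster | <code>kube-system</code> |
 | cluster_config.tags | Tags you want to apply to the metadata sent to the Sysdig Backend. | <code>{}</code> |
 | sysdig_endpoint.region | The region where the Sysdig Secure instance is located | <code>custom</code> |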

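--- a/charts/shield/templates/common/_cluster_type.tpl
+++ b/charts/shield/templates/common/_cluster_type.tpl
@@ -6,9 +6,3 @@ Proxy Secret Name
 {{- true -}}
 {{- end -}}
 {{- end -}}
-
-{{- define "common.cluster_type.is_bottlerocket" -}}
-{{- if eq "bottlerocket" .Values.cluster_config.cluster_type -}}
-{{- true -}}
-{{- end -}}
-{{- end -}}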

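--- a/charts/shield/templates/host/_helpers.tpl
+++ b/charts/shield/templates/host/_helpers.tpl
@@ -201,7 +201,7 @@ capabilities:
 allowPrivilegeEscalation: false
 seccompProfile:
 type: Unconfined
-{{- if and (eq (include "host.response_actions_enabled" .) "true") (include "common.cluster_type.is_bottlerocket" .) }}
+{{- if eq (include "host.response_actions_needs_higher_privileges" .) "true" }}
 seLinuxOptions:
 type: control_t
 {{- end }}
@@ -245,6 +245,31 @@ true
 {{- end }}
 {{- end }}
 
+{{/*
+This function checks if response actions that need higher privileges are enabled.
+These include: file_acquire, file_quarantine, and get_logs.
+Returns true if response_actions is enabled AND at least one of these actions has trigger != "none".
+*/}}
+{{- define "host.response_actions_needs_higher_privileges" }}
+{{- if eq (include "host.response_actions_enabled" .) "true" }}
+{{- $feature_respond := dig "respond" (dict) .Values.features }}
+{{- $additional_features := dig "features" (dict) .Values.host.additional_settings }}
+{{- $additional_respond := dig "respond" (dict) $additional_features }}
+{{- $response_actions := dict }}
+{{- if hasKey $additional_respond "response_actions" }}
+{{- $response_actions = get $additional_respond "response_actions" }}
+{{- else if hasKey $feature_respond "response_actions" }}
+{{- $response_actions = get $feature_respond "response_actions" }}
+{{- end }}
+{{- $file_acquire_trigger := dig "file_acquire" "trigger" "all" $response_actions }}
+{{- $file_quarantine_trigger := dig "file_quarantine" "trigger" "all" $response_actions }}
+{{- $get_logs_trigger := dig "get_logs" "trigger" "all" $response_actions }}
+{{- if or (ne $file_acquire_trigger "none") (ne $file_quarantine_trigger "none") (ne $get_logs_trigger "none") }}
+{{- true -}}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{- define "host.rapid_response_password" }}
 {{- $feature_respond := get .Values.features (include "host.respond_key" .Values.features) }}
 {{- if (dig "rapid_response" "password" nil $feature_respond) }}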
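Review bot: The header comment added at new lines 249-251 says the helper returns true when one of the three actions has trigger != "none", but the `dig ... "all"` defaults at new lines 264-266 mean an action that is simply absent from `response_actions` counts as well, which is exactly what the new "defaults to enabled when not specified" test cases pin; the comment should say so, e.g. `An action that is not configured is treated as trigger "all", so enabling response_actions without listing any action also returns true.` Because this helper now gates the `seLinuxOptions: control_t` block in the first hunk for every `cluster_config.cluster_type` (the bottlerocket check is removed in this commit), the comment should also state that the label is emitted regardless of cluster type, and, if I read the Bottlerocket origin of `control_t` correctly, that it only has meaning on hosts whose SELinux policy defines that type. One robustness point, hedged because it depends on Sprig internals: when a user writes `response_actions:` with a null value, `hasKey` at new line 259 or 261 is true, `get` yields nil, and `dig` at new line 264 will most likely fail the render because it expects a map as its last argument; `{{- $response_actions = get $additional_respond "response_actions" | default (dict) }}` (and the same on the `$feature_respond` branch) would make the helper tolerant of that input.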

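--- a/charts/shield/tests/host/daemonset_test.yaml
+++ b/charts/shield/tests/host/daemonset_test.yaml
@@ -144,16 +144,16 @@ tests:
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: true
 
-- it: Test host.privileged=false with bottlerocket cluster_type adds seLinuxOptions
+- it: Test host.privileged=false with response_actions needing higher privileges adds seLinuxOptions
 set:
 host:
 privileged: false
-cluster_config:
-cluster_type: bottlerocket
 features:
 respond:
 response_actions:
 enabled: true
+file_acquire:
+trigger: all
 asserts:
 - isSubset:
 path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
@@ -176,12 +176,20 @@ tests:
 - SYS_PTRACE
 - SYS_RESOURCE
 
-- it: Test host.privileged=false with generic cluster_type does not add seLinuxOptions
+- it: Test host.privileged=false without higher privilege response_actions does not add seLinuxOptions
 set:
 host:
 privileged: false
-cluster_config:
-cluster_type: generic
+features:
+respond:
+response_actions:
+enabled: true
+file_acquire:
+trigger: none
+file_quarantine:
+trigger: none
+get_logs:
+trigger: none
 asserts:
 - isSubset:
 path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
@@ -195,6 +203,24 @@ tests:
 seLinuxOptions:
 type: control_t
 
+- it: Test host.privileged=false with response_actions defaults to enabled when not specified
+set:
+host:
+privileged: false
+features:
+respond:
+response_actions:
+enabled: true
+asserts:
+- isSubset:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+content:
+allowPrivilegeEscalation: false
+seccompProfile:
+type: Unconfined
+seLinuxOptions:
+type: control_t
+
 - it: Test user specified priority class
 set:
 host: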
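Review bot: The `it:` name at new line 206, `Test host.privileged=false with response_actions defaults to enabled when not specified`, describes the opposite of what the case sets up: `enabled: true` is given explicitly, and what the assertion actually exercises is that leaving every action unconfigured still yields `seLinuxOptions`, i.e. the unconfigured-action default in the helper. A name such as `- it: Test host.privileged=false with response_actions enabled and no actions configured adds seLinuxOptions` states that. The same wording problem is in charts/shield/tests/host/security_context_test.yaml at its new line 174. A one-line comment above the `enabled: true` at new line 213, `# no per-action trigger set: helper treats each action as trigger "all"`, would make the intent readable without opening the template.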

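--- a/charts/shield/tests/host/security_context_test.yaml
+++ b/charts/shield/tests/host/security_context_test.yaml
@@ -56,17 +56,17 @@ tests:
 runAsNonRoot: false
 runAsUser: 0
 
-- it: Ensure the securityContext for bottlerocket with response_actions includes seLinuxOptions
+- it: Ensure the securityContext with response_actions file_acquire includes seLinuxOptions
 set:
 host:
 privileged: false
 driver: universal_ebpf
-cluster_config:
-cluster_type: bottlerocket
 features:
 respond:
 response_actions:
 enabled: true
+file_acquire:
+trigger: all
 asserts:
 - isSubset:
 path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
@@ -77,13 +77,53 @@ tests:
 seLinuxOptions:
 type: control_t
 
-- it: Ensure the securityContext for bottlerocket without response_actions does not include seLinuxOptions
+- it: Ensure the securityContext with response_actions file_quarantine includes seLinuxOptions
+set:
+host:
+privileged: false
+driver: universal_ebpf
+features:
+respond:
+response_actions:
+enabled: true
+file_quarantine:
+trigger: all
+asserts:
+- isSubset:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+content:
+allowPrivilegeEscalation: false
+seccompProfile:
+type: Unconfined
+seLinuxOptions:
+type: control_t
+
+- it: Ensure the securityContext with response_actions get_logs includes seLinuxOptions
+set:
+host:
+privileged: false
+driver: universal_ebpf
+features:
+respond:
+response_actions:
+enabled: true
+get_logs:
+trigger: all
+asserts:
+- isSubset:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+content:
+allowPrivilegeEscalation: false
+seccompProfile:
+type: Unconfined
+seLinuxOptions:
+type: control_t
+
+- it: Ensure the securityContext without response_actions does not include seLinuxOptions
 set:
 host:
 privileged: false
 driver: universal_ebpf
-cluster_config:
-cluster_type: bottlerocket
 features:
 respond:
 response_actions:
@@ -101,7 +141,7 @@ tests:
 seLinuxOptions:
 type: control_t
 
-- it: Ensure the securityContext for non-bottlerocket with response_actions does not include seLinuxOptions
+- it: Ensure the securityContext with response_actions but no higher privilege actions does not include seLinuxOptions
 set:
 host:
 privileged: false
@@ -110,6 +150,14 @@ tests:
 respond:
 response_actions:
 enabled: true
+file_acquire:
+trigger: none
+file_quarantine:
+trigger: none
+get_logs:
+trigger: none
+kill_process:
+trigger: all
 asserts:
 - isSubset:
 path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
@@ -123,6 +171,25 @@ tests:
 seLinuxOptions:
 type: control_t
 
+- it: Ensure the securityContext with response_actions defaults to enabled when actions not specified
+set:
+host:
+privileged: false
+driver: universal_ebpf
+features:
+respond:
+response_actions:
+enabled: true
+asserts:
+- isSubset:
+path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+content:
+allowPrivilegeEscalation: false
+seccompProfile:
+type: Unconfined
+seLinuxOptions:
+type: control_t
+
 - it: Ensure the security_context is honored
 set:
 host: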
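Review bot: None of the new or reworked cases in this file sets `host.additional_settings.features.respond.response_actions`, yet as the helper in _helpers.tpl on this page reads it, that path is consulted first and takes precedence over `features.respond.response_actions`, so the override branch is covered by no test. A case that sets `trigger: all` under `features` and `trigger: none` for `file_acquire`, `file_quarantine` and `get_logs` under `host.additional_settings.features` and asserts that `seLinuxOptions` is absent would exercise it, and the mirror case (none under `features`, all under `additional_settings`) would pin the precedence. The `kill_process: trigger: all` entry at new lines 159-160 is a useful negative control for the three-action list; a comment above it, `# kill_process is not in the higher-privilege set and must not add seLinuxOptions`, would keep a later edit from "fixing" it.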

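--- a/charts/shield/values.schema.json
+++ b/charts/shield/values.schema.json
@@ -74,8 +74,7 @@
 "description": "Type of Kubernetes cluster",
 "enum": [
 "generic",
-"gke-autopilot",
-"bottlerocket"
+"gke-autopilot"
 ],
 "examples": [
 "generic"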
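Review bot: Dropping `"bottlerocket"` from the `cluster_type` enum at new line 77 turns any existing values file that still carries `cluster_type: bottlerocket` into a schema-validation failure on the next `helm upgrade`, so the change is breaking for those users even though the chart no longer branches on the value. If that is intended, the README table and values.yaml comment updated in this commit should be backed by an upgrade note in the chart's changelog saying the value is gone and what to replace it with. If it is not intended, keeping `"bottlerocket"` in the enum as an accepted-but-ignored value, with the `description` stating it is deprecated, keeps old values files loading while the rendered output stays as this commit makes it.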

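--- a/charts/shield/values.yaml
+++ b/charts/shield/values.yaml
@@ -3,7 +3,7 @@ cluster_config:
 name:
 # The domain of the cluster
 cluster_domain: cluster.local
-# The type of the cluster (Accepted Values: gke-autopilot, bottlerocket, generic)
+# The type of the cluster (Accepted Values: gke-autopilot, generic)
 cluster_type: generic
 # The root namespace of the cluster
 root_namespace: kube-system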
