fix(shield): set seLinuxOptions to control_t for unprivileged host shield bottlerocket deployment

Signed-off-by: Roberto Scolaro <[email protected]>

Author: therealbobo

charts/shield/templates/common/_cluster_type.tpl

@@ -6,3 +6,9 @@ Proxy Secret Name
     {{- true -}}
   {{- end -}}
 {{- end -}}
+
+{{- define "common.cluster_type.is_bottlerocket" -}}
+  {{- if eq "bottlerocket" .Values.cluster_config.cluster_type -}}
+    {{- true -}}
+  {{- end -}}
+{{- end -}}

charts/shield/templates/host/_helpers.tpl

@@ -201,6 +201,10 @@ capabilities:
 allowPrivilegeEscalation: false
 seccompProfile:
   type: Unconfined
+{{- if (include "common.cluster_type.is_bottlerocket" .) }}
+seLinuxOptions:
+  type: control_t
+{{- end }}
 capabilities:
   drop:
     - ALL

charts/shield/tests/host/daemonset_test.yaml

@@ -144,6 +144,53 @@ tests:
             readOnlyRootFilesystem: false
             allowPrivilegeEscalation: true
 
+  - it: Test host.privileged=false with bottlerocket cluster_type adds seLinuxOptions
+    set:
+      host:
+        privileged: false
+      cluster_config:
+        cluster_type: bottlerocket
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+          content:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: Unconfined
+            seLinuxOptions:
+              type: control_t
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - DAC_READ_SEARCH
+                - KILL
+                - SETGID
+                - SETUID
+                - SYS_ADMIN
+                - SYS_CHROOT
+                - SYS_PTRACE
+                - SYS_RESOURCE
+
+  - it: Test host.privileged=false with generic cluster_type does not add seLinuxOptions
+    set:
+      host:
+        privileged: false
+      cluster_config:
+        cluster_type: generic
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+          content:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: Unconfined
+      - isNotSubset:
+          path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+          content:
+            seLinuxOptions:
+              type: control_t
+
   - it: Test user specified priority class
     set:
       host:

charts/shield/tests/host/security_context_test.yaml

@@ -56,6 +56,23 @@ tests:
             runAsNonRoot: false
             runAsUser: 0
 
+  - it: Ensure the securityContext for bottlerocket includes seLinuxOptions
+    set:
+      host:
+        privileged: false
+        driver: universal_ebpf
+      cluster_config:
+        cluster_type: bottlerocket
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext
+          content:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: Unconfined
+            seLinuxOptions:
+              type: control_t
+
   - it: Ensure the security_context is honored
     set:
       host:

charts/shield/values.schema.json

@@ -74,7 +74,8 @@
           "description": "Type of Kubernetes cluster",
           "enum": [
             "generic",
-            "gke-autopilot"
+            "gke-autopilot",
+            "bottlerocket"
           ],
           "examples": [
             "generic"

charts/shield/values.yaml

@@ -3,7 +3,7 @@ cluster_config:
   name:
   # The domain of the cluster
   cluster_domain: cluster.local
-  # The type of the cluster (Accepted Values: gke-autopilot, generic)
+  # The type of the cluster (Accepted Values: gke-autopilot, bottlerocket, generic)
   cluster_type: generic
   # The root namespace of the cluster
   root_namespace: kube-system