chore(agent,sysdig-deploy,shield): add /sys/fs mount (#2223)

Co-authored-by: José Antonio Calvo <[email protected]>

Author: francesco-furlan

charts/agent/Chart.yaml

@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.36.5
+version: 1.36.6

charts/agent/templates/daemonset.yaml

@@ -288,6 +288,9 @@ spec:
 
           {{- /* Slim = false, Autopilot = false */}}
           {{- if and (not .Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }}
+            - mountPath: /host/sys/fs
+              name: sysfs-vol
+              readOnly: true
             - mountPath: /etc/modprobe.d
               name: modprobe-d
               readOnly: true
@@ -326,6 +329,9 @@ spec:
               name: vardata-vol
             - mountPath: /host/var/run
               name: varrun-vol
+            - mountPath: /host/sys/fs
+              name: sysfs-vol
+              readOnly: true
             {{- if (include "agent.ebpfEnabled" .) }}
             - mountPath: /root/.sysdig
               name: bpf-probes
@@ -431,6 +437,9 @@ spec:
 
       {{- /* Slim = false, Autopilot = false */}}
       {{- if and (not .Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }}
+        - name: sysfs-vol
+          hostPath:
+            path: /sys/fs
         - name: modprobe-d
           hostPath:
             path: /etc/modprobe.d
@@ -463,6 +472,9 @@ spec:
 
       {{- /* Slim = true, Autopilot = false */}}
       {{- if and (.Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }}
+        - name: sysfs-vol
+          hostPath:
+            path: /sys/fs
         - name: modprobe-d
           hostPath:
             path: /etc/modprobe.d

charts/shield/Chart.yaml

@@ -13,5 +13,5 @@ maintainers:
   - name: mavimo
     email: [email protected]
 type: application
-version: 1.3.3
+version: 1.3.4
 appVersion: "1.0.0"

charts/shield/templates/host/_helpers.tpl

@@ -136,7 +136,7 @@ true
 {{- end }}
 
 {{- define "host.need_host_root" }}
-{{- if or .Values.features.posture.host_posture.enabled .Values.features.vulnerability_management.host_vulnerability_management.enabled }}
+{{- if or (eq (include "host.response_actions_enabled" .) "true") .Values.features.posture.host_posture.enabled .Values.features.vulnerability_management.host_vulnerability_management.enabled }}
 {{- true -}}
 {{- end }}
 {{- end }}
@@ -214,6 +214,22 @@ true
 {{- end }}
 {{- end }}
 
+{{/*
+  This function checks if the response_actions feature is enabled for the host.
+  It first checks the additional_settings and then the features.
+  If neither is found, it defaults to false.
+*/}}
+{{- define "host.response_actions_enabled" }}
+{{- $feature_respond := dig (include "host.respond_key" .Values.features) (dict) .Values.features }}
+{{- $additional_features := dig "features" (dict) .Values.host.additional_settings }}
+{{- $additional_respond := dig (include "host.respond_key" $additional_features) (dict) $additional_features }}
+{{- if hasKey $additional_respond "response_actions" }}
+{{- dig "response_actions" "enabled" false $additional_respond -}}
+{{- else if hasKey $feature_respond "response_actions" }}
+{{- dig "response_actions" "enabled" false $feature_respond -}}
+{{- end }}
+{{- end }}
+
 {{- define "host.monitor_key" }}
 {{- if hasKey . "monitoring" }}
 {{- print "monitoring" }}

charts/shield/tests/host/daemonset_test.yaml

@@ -248,6 +248,80 @@ tests:
       - notExists:
           path: spec.template.spec.volumes[?(@.name == "host-tmp")]
 
+  - it: Host root mounted when response_actions is enabled (additional_settings)
+    set:
+      host:
+        additional_settings:
+          features:
+            respond:
+              response_actions:
+                enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: host-root
+            hostPath:
+              path: /
+      - contains:
+          path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].volumeMounts
+          content:
+            name: host-root
+            mountPath: /host
+            readOnly: true
+      - notExists:
+          path: spec.template.spec.volumes[?(@.name == "host-tmp")]
+
+  - it: Host root mounted when response_actions is enabled (features)
+    set:
+      features:
+        respond:
+          response_actions:
+            enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: host-root
+            hostPath:
+              path: /
+      - contains:
+          path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].volumeMounts
+          content:
+            name: host-root
+            mountPath: /host
+            readOnly: true
+      - notExists:
+          path: spec.template.spec.volumes[?(@.name == "host-tmp")]
+
+  - it: Host root mounted when response_actions is enabled (only on additional_settings)
+    set:
+      features:
+        respond:
+          response_actions:
+            enabled: false
+      host:
+        additional_settings:
+          features:
+            respond:
+              response_actions:
+                enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: host-root
+            hostPath:
+              path: /
+      - contains:
+          path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].volumeMounts
+          content:
+            name: host-root
+            mountPath: /host
+            readOnly: true
+      - notExists:
+          path: spec.template.spec.volumes[?(@.name == "host-tmp")]
+
   - it: Host root mounted when host scanner is enabled
     set:
       features:

charts/sysdig-deploy/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.80.2
+version: 1.80.3
 maintainers:
   - name: AlbertoBarba
     email: [email protected]
@@ -26,7 +26,7 @@ dependencies:
   - name: agent
     # repository: https://charts.sysdig.com
     repository: file://../agent
-    version: ~1.36.5
+    version: ~1.36.6
     alias: agent
     condition: agent.enabled
   - name: common