From b57ce58e67a7790b34b5a269f7b8750f22212b47 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Fri, 24 Oct 2025 10:07:43 +0000 Subject: [PATCH 1/5] fix(shield): set seLinuxOptions to control_t for unprivileged host shield bottlerocket deployment Signed-off-by: Roberto Scolaro --- charts/shield/README.md | 2 +- .../shield/templates/common/_cluster_type.tpl | 6 +++ charts/shield/templates/host/_helpers.tpl | 4 ++ charts/shield/tests/host/daemonset_test.yaml | 47 +++++++++++++++++++ .../tests/host/security_context_test.yaml | 17 +++++++ charts/shield/values.schema.json | 3 +- charts/shield/values.yaml | 2 +- 7 files changed, 78 insertions(+), 3 deletions(-) diff --git a/charts/shield/README.md b/charts/shield/README.md index ce29c8dff..d998f3617 100644 --- a/charts/shield/README.md +++ b/charts/shield/README.md 
@@ -66,7 +66,7 @@ The following table lists the configurable parameters of the `shield` chart and |-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | cluster_config.name | The name of the cluster | | | cluster_config.cluster_domain | The domain of the cluster | cluster.local | -| cluster_config.cluster_type | The type of the cluster (Accepted Values: gke-autopilot, generic) | generic | +| cluster_config.cluster_type | The type of the cluster (Accepted Values: gke-autopilot, bottlerocket, generic) | generic | | cluster_config.root_namespace | The root namespace of the cluster | kube-system | | cluster_config.tags | Tags you want to apply to the metadata sent to the Sysdig Backend. | {} | | sysdig_endpoint.region | The region where the Sysdig Secure instance is located | custom | diff --git a/charts/shield/templates/common/_cluster_type.tpl b/charts/shield/templates/common/_cluster_type.tpl index 596af5dfa..9b6f9a35e 100644 --- a/charts/shield/templates/common/_cluster_type.tpl +++ b/charts/shield/templates/common/_cluster_type.tpl 
@@ -6,3 +6,9 @@ Proxy Secret Name {{- true -}} {{- end -}} {{- end -}} + +{{- define "common.cluster_type.is_bottlerocket" -}} + {{- if eq "bottlerocket" .Values.cluster_config.cluster_type -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/charts/shield/templates/host/_helpers.tpl b/charts/shield/templates/host/_helpers.tpl index 3e70e0805..062628bef 100644 --- a/charts/shield/templates/host/_helpers.tpl +++ b/charts/shield/templates/host/_helpers.tpl @@ -201,6 +201,10 @@ capabilities: allowPrivilegeEscalation: false seccompProfile: type: Unconfined +{{- if (include "common.cluster_type.is_bottlerocket" .) }} +seLinuxOptions: + type: control_t +{{- end }} capabilities: drop: - ALL diff --git a/charts/shield/tests/host/daemonset_test.yaml b/charts/shield/tests/host/daemonset_test.yaml index 7152f1fe1..bbd7d6a05 100644 --- a/charts/shield/tests/host/daemonset_test.yaml +++ b/charts/shield/tests/host/daemonset_test.yaml 
@@ -144,6 +144,53 @@ tests: readOnlyRootFilesystem: false allowPrivilegeEscalation: true + - it: Test host.privileged=false with bottlerocket cluster_type adds seLinuxOptions + set: + host: + privileged: false + cluster_config: + cluster_type: bottlerocket + asserts: + - isSubset: + path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext + content: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + seLinuxOptions: + type: control_t + capabilities: + drop: + - ALL + add: + - DAC_READ_SEARCH + - KILL + - SETGID + - SETUID + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + - SYS_RESOURCE + + - it: Test host.privileged=false with generic cluster_type does not add seLinuxOptions + set: + host: + privileged: false + cluster_config: + cluster_type: generic + asserts: + - isSubset: + path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext + content: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + - isNotSubset: + path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext + content: + seLinuxOptions: + type: control_t + - it: Test user specified priority class set: host: diff --git a/charts/shield/tests/host/security_context_test.yaml b/charts/shield/tests/host/security_context_test.yaml index 7364ead9b..a35141bfb 100644 --- a/charts/shield/tests/host/security_context_test.yaml +++ b/charts/shield/tests/host/security_context_test.yaml 
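Review bot: The negative case added to charts/shield/tests/host/daemonset_test.yaml ("generic cluster_type does not add seLinuxOptions") only proves that the exact pair `seLinuxOptions: type: control_t` is absent, because it uses `isNotSubset`. It would still pass if the template rendered `seLinuxOptions` with any other type, so it does not pin "no SELinux override on this path". Asserting on the key itself is stricter: `- isNull:` with `path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext.seLinuxOptions`, the same form patch 2/5 uses for `hostAliases`. The same `isNotSubset` pattern recurs in the negative tests that patches 3/5 and 4/5 add to security_context_test.yaml and daemonset_test.yaml.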
@@ -56,6 +56,23 @@ tests: runAsNonRoot: false runAsUser: 0 + - it: Ensure the securityContext for bottlerocket includes seLinuxOptions + set: + host: + privileged: false + driver: universal_ebpf + cluster_config: + cluster_type: bottlerocket + asserts: + - isSubset: + path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext + content: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + seLinuxOptions: + type: control_t + - it: Ensure the security_context is honored set: host: diff --git a/charts/shield/values.schema.json b/charts/shield/values.schema.json index a1c6d25dc..e91e18aa8 100644 --- a/charts/shield/values.schema.json +++ b/charts/shield/values.schema.json @@ -74,7 +74,8 @@ "description": "Type of Kubernetes cluster", "enum": [ "generic", - "gke-autopilot" + "gke-autopilot", + "bottlerocket" ], "examples": [ "generic" diff --git a/charts/shield/values.yaml b/charts/shield/values.yaml index 1dcf5e180..a610a1439 100644 --- a/charts/shield/values.yaml +++ b/charts/shield/values.yaml @@ -3,7 +3,7 @@ cluster_config: name: # The domain of the cluster cluster_domain: cluster.local - # The type of the cluster (Accepted Values: gke-autopilot, generic) + # The type of the cluster (Accepted Values: gke-autopilot, bottlerocket, generic) cluster_type: generic # The root namespace of the cluster root_namespace: kube-system From a7d4429208ef9c690184c02d781210df462aefba Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Fri, 24 Oct 2025 10:38:48 +0000 Subject: [PATCH 2/5] chore: fix broken tests Signed-off-by: Roberto Scolaro --- charts/shield/tests/cluster/deployment_test.yaml | 2 +- charts/shield/tests/host/daemonset-windows_test.yaml | 2 +- charts/shield/tests/host/daemonset_test.yaml | 2 +- charts/shield/tests/host/secrets_test.yaml | 12 +++++++----- 4 files changed, 10 insertions(+), 8 deletions(-) 
diff --git a/charts/shield/tests/cluster/deployment_test.yaml b/charts/shield/tests/cluster/deployment_test.yaml index b0a1e572f..bce29f63c 100644 --- a/charts/shield/tests/cluster/deployment_test.yaml +++ b/charts/shield/tests/cluster/deployment_test.yaml @@ -1441,7 +1441,7 @@ tests: - it: Host Alias are not included by default asserts: - - notContains: + - isNull: path: spec.template.spec.hostAliases template: templates/cluster/deployment.yaml diff --git a/charts/shield/tests/host/daemonset-windows_test.yaml b/charts/shield/tests/host/daemonset-windows_test.yaml index 3dbb6e896..6a5493077 100644 --- a/charts/shield/tests/host/daemonset-windows_test.yaml +++ b/charts/shield/tests/host/daemonset-windows_test.yaml @@ -467,7 +467,7 @@ tests: - it: Host Alias are not included by default asserts: - - notContains: + - isNull: path: spec.template.spec.hostAliases - it: Single Host Alias is included if configured diff --git a/charts/shield/tests/host/daemonset_test.yaml b/charts/shield/tests/host/daemonset_test.yaml index bbd7d6a05..c7adfb459 100644 --- a/charts/shield/tests/host/daemonset_test.yaml +++ b/charts/shield/tests/host/daemonset_test.yaml @@ -844,7 +844,7 @@ tests: - it: Host Alias are not included by default asserts: - - notContains: + - isNull: path: spec.template.spec.hostAliases - it: Single Host Alias is included if configured diff --git a/charts/shield/tests/host/secrets_test.yaml b/charts/shield/tests/host/secrets_test.yaml index 15afd102e..2905165b8 100644 --- a/charts/shield/tests/host/secrets_test.yaml +++ b/charts/shield/tests/host/secrets_test.yaml 
@@ -77,12 +77,13 @@ tests: enabled: true password_existing_secret: existing-secret asserts: - - notExists: + - containsDocument: kind: Secret apiVersion: v1 name: release-name-shield-host-rapid-response namespace: shield-namespace - template: templates/host/secrets.yaml + not: true + template: host/secrets.yaml - equal: path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")] value: @@ -91,7 +92,7 @@ tests: secretKeyRef: name: existing-secret key: password - template: templates/host/daemonset.yaml + template: templates/host/daemonset.yaml - it: Test Rapid Response using existing secret for password with custom key set: @@ -102,11 +103,12 @@ tests: password_existing_secret: existing-secret password_existing_secret_key: custom-key asserts: - - notExists: + - containsDocument: kind: Secret apiVersion: v1 name: release-name-shield-host-rapid-response namespace: shield-namespace + not: true template: templates/host/secrets.yaml - equal: path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env[?(@.name == "PASSWORD")] @@ -116,7 +118,7 @@ tests: secretKeyRef: name: existing-secret key: custom-key - template: templates/host/daemonset.yaml + template: templates/host/daemonset.yaml - it: Test Local Forwarder secret is not created when disabled asserts: From 8bed210749ea4dbe34e63e2d90993598feef6175 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Fri, 24 Oct 2025 13:30:47 +0000 Subject: [PATCH 3/5] fix: address review comments --- charts/shield/templates/host/_helpers.tpl | 2 +- charts/shield/tests/host/daemonset_test.yaml | 4 ++ .../tests/host/security_context_test.yaml | 52 ++++++++++++++++++- 3 files changed, 56 insertions(+), 2 deletions(-) diff --git a/charts/shield/templates/host/_helpers.tpl b/charts/shield/templates/host/_helpers.tpl index 062628bef..db1bd3568 100644 --- a/charts/shield/templates/host/_helpers.tpl +++ b/charts/shield/templates/host/_helpers.tpl 
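Review bot: In charts/shield/tests/host/secrets_test.yaml the first rewritten `containsDocument` assertion now targets `template: host/secrets.yaml`, while the otherwise identical assertion in the second hunk keeps `template: templates/host/secrets.yaml`. Because both carry `not: true`, an assertion whose template path does not resolve as intended may pass without having inspected any rendered Secret; whether the short form resolves depends on the helm-unittest version, which is not visible here. These two tests guard against a Secret being created when `password_existing_secret` is set, so they should both use the form the rest of the file uses: `template: templates/host/secrets.yaml`. If the shorter path is deliberate, a comment saying why would prevent it from being "fixed" back later.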
@@ -201,7 +201,7 @@ capabilities: allowPrivilegeEscalation: false seccompProfile: type: Unconfined -{{- if (include "common.cluster_type.is_bottlerocket" .) }} +{{- if and (eq (include "host.response_actions_enabled" .) "true") (include "common.cluster_type.is_bottlerocket" .) }} seLinuxOptions: type: control_t {{- end }} diff --git a/charts/shield/tests/host/daemonset_test.yaml b/charts/shield/tests/host/daemonset_test.yaml index c7adfb459..7f9653598 100644 --- a/charts/shield/tests/host/daemonset_test.yaml +++ b/charts/shield/tests/host/daemonset_test.yaml @@ -150,6 +150,10 @@ tests: privileged: false cluster_config: cluster_type: bottlerocket + features: + respond: + response_actions: + enabled: true asserts: - isSubset: path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext diff --git a/charts/shield/tests/host/security_context_test.yaml b/charts/shield/tests/host/security_context_test.yaml index a35141bfb..9a6e971d4 100644 --- a/charts/shield/tests/host/security_context_test.yaml +++ b/charts/shield/tests/host/security_context_test.yaml @@ -56,13 +56,17 @@ tests: runAsNonRoot: false runAsUser: 0 - - it: Ensure the securityContext for bottlerocket includes seLinuxOptions + - it: Ensure the securityContext for bottlerocket with response_actions includes seLinuxOptions set: host: privileged: false driver: universal_ebpf cluster_config: cluster_type: bottlerocket + features: + respond: + response_actions: + enabled: true asserts: - isSubset: path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext 
@@ -73,6 +77,52 @@ tests: seLinuxOptions: type: control_t + - it: Ensure the securityContext for bottlerocket without response_actions does not include seLinuxOptions + set: + host: + privileged: false + driver: universal_ebpf + cluster_config: + cluster_type: bottlerocket + features: + respond: + response_actions: + enabled: false + asserts: + - isSubset: + path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext + content: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + - isNotSubset: + path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext + content: + seLinuxOptions: + type: control_t + + - it: Ensure the securityContext for non-bottlerocket with response_actions does not include seLinuxOptions + set: + host: + privileged: false + driver: universal_ebpf + features: + respond: + response_actions: + enabled: true + asserts: + - isSubset: + path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext + content: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + - isNotSubset: + path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext + content: + seLinuxOptions: + type: control_t + - it: Ensure the security_context is honored set: host: From 9f75a1f57d8adcc65d27806bf08e50c24ae589b9 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Thu, 30 Oct 2025 16:05:24 +0000 Subject: [PATCH 4/5] fix: address review comments Signed-off-by: Roberto Scolaro --- charts/shield/README.md | 2 +- .../shield/templates/common/_cluster_type.tpl | 6 -- charts/shield/templates/host/_helpers.tpl | 27 ++++++- charts/shield/tests/host/daemonset_test.yaml | 38 +++++++-- .../tests/host/security_context_test.yaml | 81 +++++++++++++++++-- charts/shield/values.schema.json | 3 +- charts/shield/values.yaml | 2 +- 7 files changed, 135 insertions(+), 24 deletions(-) 
diff --git a/charts/shield/README.md b/charts/shield/README.md index d998f3617..ce29c8dff 100644 --- a/charts/shield/README.md +++ b/charts/shield/README.md @@ -66,7 +66,7 @@ The following table lists the configurable parameters of the `shield` chart and |-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | cluster_config.name | The name of the cluster | | | cluster_config.cluster_domain | The domain of the cluster | cluster.local | -| cluster_config.cluster_type | The type of the cluster (Accepted Values: gke-autopilot, bottlerocket, generic) | generic | +| cluster_config.cluster_type | The type of the cluster (Accepted Values: gke-autopilot, generic) | generic | | cluster_config.root_namespace | The root namespace of the cluster | kube-system | | cluster_config.tags | Tags you want to apply to the metadata sent to the Sysdig Backend. | {} | | sysdig_endpoint.region | The region where the Sysdig Secure instance is located | custom | diff --git a/charts/shield/templates/common/_cluster_type.tpl b/charts/shield/templates/common/_cluster_type.tpl index 9b6f9a35e..596af5dfa 100644 --- a/charts/shield/templates/common/_cluster_type.tpl 
+++ b/charts/shield/templates/common/_cluster_type.tpl @@ -6,9 +6,3 @@ Proxy Secret Name {{- true -}} {{- end -}} {{- end -}} - -{{- define "common.cluster_type.is_bottlerocket" -}} - {{- if eq "bottlerocket" .Values.cluster_config.cluster_type -}} - {{- true -}} - {{- end -}} -{{- end -}} diff --git a/charts/shield/templates/host/_helpers.tpl b/charts/shield/templates/host/_helpers.tpl index db1bd3568..1a3d68a70 100644 --- a/charts/shield/templates/host/_helpers.tpl +++ b/charts/shield/templates/host/_helpers.tpl @@ -201,7 +201,7 @@ capabilities: allowPrivilegeEscalation: false seccompProfile: type: Unconfined -{{- if and (eq (include "host.response_actions_enabled" .) "true") (include "common.cluster_type.is_bottlerocket" .) }} +{{- if eq (include "host.response_actions_needs_higher_privileges" .) "true" }} seLinuxOptions: type: control_t {{- end }} 
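Review bot: With this hunk in charts/shield/templates/host/_helpers.tpl the `seLinuxOptions: type: control_t` block is gated only on `host.response_actions_needs_higher_privileges`, and the same patch deletes `common.cluster_type.is_bottlerocket`, so the label is now rendered on every cluster type. Patch 1/5 introduced `control_t` specifically for the Bottlerocket deployment; on SELinux-enforcing nodes whose policy does not define that type the container may fail to start, though that is inferred and not shown on this page. Since the helper defaults every trigger to `all`, enabling response actions is enough to get the override. The condition should carry a template comment such as `{{/* control_t was introduced for Bottlerocket nodes; it is now emitted on every cluster type whenever file_acquire, file_quarantine or get_logs is active */}}`, and it is worth confirming that applying it outside Bottlerocket is intended. The enclosing define starts and ends outside the hunk.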
@@ -245,6 +245,31 @@ true {{- end }} {{- end }} +{{/* + This function checks if response actions that need higher privileges are enabled. + These include: file_acquire, file_quarantine, and get_logs. + Returns true if response_actions is enabled AND at least one of these actions has trigger != "none". +*/}} +{{- define "host.response_actions_needs_higher_privileges" }} +{{- if eq (include "host.response_actions_enabled" .) "true" }} +{{- $feature_respond := dig "respond" (dict) .Values.features }} +{{- $additional_features := dig "features" (dict) .Values.host.additional_settings }} +{{- $additional_respond := dig "respond" (dict) $additional_features }} +{{- $response_actions := dict }} +{{- if hasKey $additional_respond "response_actions" }} + {{- $response_actions = get $additional_respond "response_actions" }} +{{- else if hasKey $feature_respond "response_actions" }} + {{- $response_actions = get $feature_respond "response_actions" }} +{{- end }} +{{- $file_acquire_trigger := dig "file_acquire" "trigger" "all" $response_actions }} +{{- $file_quarantine_trigger := dig "file_quarantine" "trigger" "all" $response_actions }} +{{- $get_logs_trigger := dig "get_logs" "trigger" "all" $response_actions }} +{{- if or (ne $file_acquire_trigger "none") (ne $file_quarantine_trigger "none") (ne $get_logs_trigger "none") }} +{{- true -}} +{{- end }} +{{- end }} +{{- end }} + {{- define "host.rapid_response_password" }} {{- $feature_respond := get .Values.features (include "host.respond_key" .Values.features) }} {{- if (dig "rapid_response" "password" nil $feature_respond) }} diff --git a/charts/shield/tests/host/daemonset_test.yaml b/charts/shield/tests/host/daemonset_test.yaml index 7f9653598..c265e49cb 100644 --- a/charts/shield/tests/host/daemonset_test.yaml +++ b/charts/shield/tests/host/daemonset_test.yaml 
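Review bot: `host.response_actions_needs_higher_privileges` looks the settings up with the literal key, `dig "respond" (dict) .Values.features`, whereas `host.rapid_response_password` in the context lines of this same hunk resolves the key through `include "host.respond_key" .Values.features`. If the chart accepts a second spelling of that key (the helper's definition is outside the hunk, so this is inferred), triggers configured under it are never seen and every `dig … "trigger" "all"` falls back to `all`. The `control_t` SELinux type is then rendered even though the operator set the three actions to `none`, so the lookup fails towards more privilege. Resolving the key the same way closes that gap: `{{- $feature_respond := get .Values.features (include "host.respond_key" .Values.features) | default (dict) }}`.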
@@ -144,16 +144,16 @@ tests: readOnlyRootFilesystem: false allowPrivilegeEscalation: true - - it: Test host.privileged=false with bottlerocket cluster_type adds seLinuxOptions + - it: Test host.privileged=false with response_actions needing higher privileges adds seLinuxOptions set: host: privileged: false - cluster_config: - cluster_type: bottlerocket features: respond: response_actions: enabled: true + file_acquire: + trigger: all asserts: - isSubset: path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext @@ -176,12 +176,20 @@ tests: - SYS_PTRACE - SYS_RESOURCE - - it: Test host.privileged=false with generic cluster_type does not add seLinuxOptions + - it: Test host.privileged=false without higher privilege response_actions does not add seLinuxOptions set: host: privileged: false - cluster_config: - cluster_type: generic + features: + respond: + response_actions: + enabled: true + file_acquire: + trigger: none + file_quarantine: + trigger: none + get_logs: + trigger: none asserts: - isSubset: path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext @@ -195,6 +203,24 @@ tests: seLinuxOptions: type: control_t + - it: Test host.privileged=false with response_actions defaults to enabled when not specified + set: + host: + privileged: false + features: + respond: + response_actions: + enabled: true + asserts: + - isSubset: + path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext + content: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + seLinuxOptions: + type: control_t + - it: Test user specified priority class set: host: diff --git a/charts/shield/tests/host/security_context_test.yaml b/charts/shield/tests/host/security_context_test.yaml index 9a6e971d4..d36c753df 100644 --- a/charts/shield/tests/host/security_context_test.yaml +++ b/charts/shield/tests/host/security_context_test.yaml 
@@ -56,17 +56,17 @@ tests: runAsNonRoot: false runAsUser: 0 - - it: Ensure the securityContext for bottlerocket with response_actions includes seLinuxOptions + - it: Ensure the securityContext with response_actions file_acquire includes seLinuxOptions set: host: privileged: false driver: universal_ebpf - cluster_config: - cluster_type: bottlerocket features: respond: response_actions: enabled: true + file_acquire: + trigger: all asserts: - isSubset: path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext @@ -77,13 +77,53 @@ tests: seLinuxOptions: type: control_t - - it: Ensure the securityContext for bottlerocket without response_actions does not include seLinuxOptions + - it: Ensure the securityContext with response_actions file_quarantine includes seLinuxOptions + set: + host: + privileged: false + driver: universal_ebpf + features: + respond: + response_actions: + enabled: true + file_quarantine: + trigger: all + asserts: + - isSubset: + path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext + content: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + seLinuxOptions: + type: control_t + + - it: Ensure the securityContext with response_actions get_logs includes seLinuxOptions + set: + host: + privileged: false + driver: universal_ebpf + features: + respond: + response_actions: + enabled: true + get_logs: + trigger: all + asserts: + - isSubset: + path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext + content: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + seLinuxOptions: + type: control_t + + - it: Ensure the securityContext without response_actions does not include seLinuxOptions set: host: privileged: false driver: universal_ebpf - cluster_config: - cluster_type: bottlerocket features: respond: response_actions: 
@@ -101,7 +141,7 @@ tests: seLinuxOptions: type: control_t - - it: Ensure the securityContext for non-bottlerocket with response_actions does not include seLinuxOptions + - it: Ensure the securityContext with response_actions but no higher privilege actions does not include seLinuxOptions set: host: privileged: false @@ -110,6 +150,14 @@ tests: respond: response_actions: enabled: true + file_acquire: + trigger: none + file_quarantine: + trigger: none + get_logs: + trigger: none + kill_process: + trigger: all asserts: - isSubset: path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext @@ -123,6 +171,25 @@ tests: seLinuxOptions: type: control_t + - it: Ensure the securityContext with response_actions defaults to enabled when actions not specified + set: + host: + privileged: false + driver: universal_ebpf + features: + respond: + response_actions: + enabled: true + asserts: + - isSubset: + path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].securityContext + content: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + seLinuxOptions: + type: control_t + - it: Ensure the security_context is honored set: host: diff --git a/charts/shield/values.schema.json b/charts/shield/values.schema.json index e91e18aa8..a1c6d25dc 100644 --- a/charts/shield/values.schema.json +++ b/charts/shield/values.schema.json @@ -74,8 +74,7 @@ "description": "Type of Kubernetes cluster", "enum": [ "generic", - "gke-autopilot", - "bottlerocket" + "gke-autopilot" ], "examples": [ "generic" diff --git a/charts/shield/values.yaml b/charts/shield/values.yaml index a610a1439..1dcf5e180 100644 --- a/charts/shield/values.yaml +++ b/charts/shield/values.yaml 
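Review bot: None of the cases added to charts/shield/tests/host/security_context_test.yaml (or to daemonset_test.yaml in this patch) sets `host.additional_settings.features.respond.response_actions`, which is the branch that takes precedence in `host.response_actions_needs_higher_privileges`. That branch replaces the `features.respond.response_actions` map instead of merging with it, so a partial override there leaves the unspecified triggers at the `all` default and `seLinuxOptions` is rendered. A test with all three triggers set to `none` only under `additional_settings` would pin that precedence. Separately, the last added case sets `enabled: true` explicitly, so its title would read more accurately as `- it: Ensure the securityContext includes seLinuxOptions when response_actions triggers are left at their defaults`.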
@@ -3,7 +3,7 @@ cluster_config: name: # The domain of the cluster cluster_domain: cluster.local - # The type of the cluster (Accepted Values: gke-autopilot, bottlerocket, generic) + # The type of the cluster (Accepted Values: gke-autopilot, generic) cluster_type: generic # The root namespace of the cluster root_namespace: kube-system From 4b959c8dd4af9de7ecd9a0b6bff9604aa05332a7 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Thu, 30 Oct 2025 16:07:28 +0000 Subject: [PATCH 5/5] fix: bump chart version Signed-off-by: Roberto Scolaro --- charts/shield/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml index b7ecbae0f..98cb68c52 100644 --- a/charts/shield/Chart.yaml +++ b/charts/shield/Chart.yaml @@ -13,5 +13,5 @@ maintainers: - name: mavimo email: marcovito.moscaritolo@sysdig.com type: application -version: 1.21.3 +version: 1.21.4 appVersion: "1.0.0"