Merge pull request #306 from slashben/node-agent-capabilties

Removing privileged flag on the node-agent Pod
kubescape · Oct 24, 2023 · 6244621 · 6244621
2 parents 2987c24 + 4b7bef7
commit 6244621
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 2 deletions.
diff --git a/charts/kubescape-operator/templates/node-agent/daemonset.yaml b/charts/kubescape-operator/templates/node-agent/daemonset.yaml
@@ -19,6 +19,8 @@ spec:
       tier: {{ .Values.global.namespaceTier }}
   template:
     metadata:
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
       labels:
         app.kubernetes.io/name: {{ .Values.nodeAgent.name }}
         app.kubernetes.io/instance: {{ .Release.Name }}
@@ -112,10 +114,18 @@ spec:
             {{- end }}
           securityContext:
             runAsUser: 0
-            privileged: true
+            privileged: {{ .Values.nodeAgent.privileged }}
             capabilities:
               add:
                 - SYS_ADMIN
+                - SYS_PTRACE
+                - BPF
+                - PERFMON
+                - NET_ADMIN
+                - SYSLOG
+                - SYS_RESOURCE
+                - IPC_LOCK
+                - NET_RAW
           volumeMounts:
           - name: {{ .Values.global.cloudConfig }}
             mountPath: /etc/config/clusterData.json

diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
@@ -1655,6 +1655,8 @@ matches the snapshot:
           tier: ks-control-plane
       template:
         metadata:
+          annotations:
+            container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
           labels:
             alt-name: node-agent
             app: node-agent
@@ -1710,7 +1712,15 @@ matches the snapshot:
                 capabilities:
                   add:
                     - SYS_ADMIN
-                privileged: true
+                    - SYS_PTRACE
+                    - BPF
+                    - PERFMON
+                    - NET_ADMIN
+                    - SYSLOG
+                    - SYS_RESOURCE
+                    - IPC_LOCK
+                    - NET_RAW
+                privileged: false
                 runAsUser: 0
               volumeMounts:
                 - mountPath: /etc/config/clusterData.json

diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml
@@ -559,6 +559,8 @@ nodeAgent:
         fieldRef:
           fieldPath: spec.nodeName
 
+  privileged: false
+
   volumeMounts:
     - mountPath: /host
       name: host
@@ -596,6 +598,7 @@ nodeAgent:
       name: debugfs
     - emptyDir:
       name: data
+
   affinity:
     nodeAffinity:
       requiredDuringSchedulingIgnoredDuringExecution: