Commit 476a03c
fix: don't set Privileged when AllowPrivilegeEscalation is false for skills (#1551)
## Problem
When an `Agent` spec includes a container `securityContext` with
`allowPrivilegeEscalation: false` (PSS Restricted profile) **and** the
agent
has `spec.skills.refs` configured, the controller generates an invalid
pod spec:
```
cannot set allowPrivilegeEscalation to false and privileged to true
```
Kubernetes rejects this combination at admission time, leaving the agent
stuck
in a reconciliation loop with all pods failing to start.
## Root cause
`buildManifest()` sets `needSandbox = true` when skills are present
(because
skills use `BashTool` which calls `srt` → bubblewrap for sandboxing),
then
blindly sets `Privileged: true` on whatever `securityContext` is
provided —
including one that already has `AllowPrivilegeEscalation: false`.
The securityContext merge did not check for this conflict before setting
`Privileged: true`.
## Fix
Add a helper `allowPrivilegeEscalationExplicitlyFalse()` that detects
when the
user has opted out of privilege escalation, and skip `Privileged: true`
in
that case.
When `Privileged` is withheld, `srt` degrades gracefully: on modern
kernels
(EKS, GKE, AL2023 ≥ 5.10) that have unprivileged user namespaces enabled
(`user.max_user_namespaces > 0`), bubblewrap can still create sandboxes
using
`clone(CLONE_NEWUSER)` without requiring a privileged seccomp profile.
> **Note on seccomp**: The containerd `RuntimeDefault` seccomp profile
blocks
> `clone(CLONE_NEWUSER)` without `CAP_SYS_ADMIN`. Users who need full
bwrap
> sandbox execution (running bash scripts inside skills) must
additionally
> provide a custom `seccompProfile: Localhost` with a profile that
allows
> user namespace syscalls. This PR makes agent deployment possible for
> PSS-Restricted namespaces; the seccomp tuning is an operational
concern
> separate from this bug.
## Behaviour matrix
| Agent spec | needSandbox | Result |
|---|---|---|
| skills or executeCode, **no** custom securityContext | `true` |
`Privileged: true` — full bwrap sandbox (unchanged) |
| skills + `allowPrivilegeEscalation: false` | `true` | No `Privileged`
— srt uses user-namespace mode |
| executeCode + `allowPrivilegeEscalation: false` | `true` | No
`Privileged` — srt uses user-namespace mode |
| No skills, no executeCode | `false` | No securityContext created
(unchanged) |
## Changes
### `go/core/internal/controller/translator/agent/adk_api_translator.go`
- Add comment explaining *why* `needSandbox = true` for skills (BashTool
→ srt → bwrap)
- Fix securityContext merge: guard `Privileged: true` with
`allowPrivilegeEscalationExplicitlyFalse()`
- Add `allowPrivilegeEscalationExplicitlyFalse()` helper
###
`go/core/internal/controller/translator/agent/security_context_test.go`
- Replace `TestSecurityContext_WithSandbox` (which tested an internally
contradictory state) with two focused tests:
- `TestSecurityContext_SkillsDefaultPrivilegedSandbox`: no custom
securityContext → `Privileged: true` (default sandbox path)
- `TestSecurityContext_SkillsPSSRestricted`: `allowPrivilegeEscalation:
false`
→ no `Privileged`, original securityContext fields preserved intact
## Testing
```bash
cd go
go test -race -skip 'TestE2E.*' -v ./core/internal/controller/translator/agent/...
```
All existing tests pass. Two new tests cover both code paths.
## Related
- PSS Restricted policy:
https://kubernetes.io/docs/concepts/security/pod-security-standards/
- Bubblewrap user namespaces:
https://github.com/containers/bubblewrap#usage
Signed-off-by: skhedim <sebastien.khedim@gmail.com>
Co-authored-by: Eitan Yarmush <eitan.yarmush@solo.io>1 parent 213be60 commit 476a03c
2 files changed
Lines changed: 106 additions & 9 deletions
Lines changed: 19 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
452 | 452 | | |
453 | 453 | | |
454 | 454 | | |
| 455 | + | |
| 456 | + | |
| 457 | + | |
| 458 | + | |
455 | 459 | | |
456 | 460 | | |
457 | 461 | | |
| |||
515 | 519 | | |
516 | 520 | | |
517 | 521 | | |
518 | | - | |
519 | | - | |
| 522 | + | |
| 523 | + | |
| 524 | + | |
| 525 | + | |
| 526 | + | |
| 527 | + | |
520 | 528 | | |
521 | 529 | | |
522 | 530 | | |
523 | | - | |
| 531 | + | |
524 | 532 | | |
525 | 533 | | |
526 | 534 | | |
| |||
1800 | 1808 | | |
1801 | 1809 | | |
1802 | 1810 | | |
| 1811 | + | |
| 1812 | + | |
| 1813 | + | |
| 1814 | + | |
| 1815 | + | |
| 1816 | + | |
| 1817 | + | |
| 1818 | + | |
Lines changed: 87 additions & 6 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
275 | 275 | | |
276 | 276 | | |
277 | 277 | | |
278 | | - | |
| 278 | + | |
| 279 | + | |
| 280 | + | |
| 281 | + | |
| 282 | + | |
| 283 | + | |
| 284 | + | |
| 285 | + | |
| 286 | + | |
| 287 | + | |
| 288 | + | |
| 289 | + | |
| 290 | + | |
| 291 | + | |
| 292 | + | |
| 293 | + | |
| 294 | + | |
| 295 | + | |
| 296 | + | |
| 297 | + | |
| 298 | + | |
| 299 | + | |
| 300 | + | |
| 301 | + | |
| 302 | + | |
| 303 | + | |
| 304 | + | |
| 305 | + | |
| 306 | + | |
| 307 | + | |
| 308 | + | |
| 309 | + | |
| 310 | + | |
| 311 | + | |
| 312 | + | |
| 313 | + | |
| 314 | + | |
| 315 | + | |
| 316 | + | |
| 317 | + | |
| 318 | + | |
| 319 | + | |
| 320 | + | |
| 321 | + | |
| 322 | + | |
| 323 | + | |
| 324 | + | |
| 325 | + | |
| 326 | + | |
| 327 | + | |
| 328 | + | |
| 329 | + | |
| 330 | + | |
| 331 | + | |
| 332 | + | |
| 333 | + | |
| 334 | + | |
| 335 | + | |
| 336 | + | |
| 337 | + | |
| 338 | + | |
| 339 | + | |
| 340 | + | |
| 341 | + | |
| 342 | + | |
| 343 | + | |
| 344 | + | |
| 345 | + | |
| 346 | + | |
| 347 | + | |
| 348 | + | |
| 349 | + | |
| 350 | + | |
| 351 | + | |
| 352 | + | |
| 353 | + | |
| 354 | + | |
279 | 355 | | |
280 | 356 | | |
281 | 357 | | |
| |||
294 | 370 | | |
295 | 371 | | |
296 | 372 | | |
297 | | - | |
298 | | - | |
| 373 | + | |
| 374 | + | |
| 375 | + | |
| 376 | + | |
| 377 | + | |
| 378 | + | |
299 | 379 | | |
300 | 380 | | |
301 | 381 | | |
| |||
342 | 422 | | |
343 | 423 | | |
344 | 424 | | |
345 | | - | |
346 | 425 | | |
347 | 426 | | |
348 | | - | |
349 | | - | |
| 427 | + | |
| 428 | + | |
| 429 | + | |
| 430 | + | |
350 | 431 | | |
0 commit comments