fix(shield): gate cluster OpenShift SCC privileged fields on run mode#2624
Open
EdwardArchive wants to merge 1 commit into
…bs#2620)

The cluster SCC unconditionally granted `allowPrivilegeEscalation: true` and `allowPrivilegedContainer: true`, but the cluster-shield container only requests privileged execution when not in single-process mode (see templates/cluster/deployment.yaml). On single-process mode or GKE Autopilot the workload no longer needs privileged or escalation, yet the SCC still permitted them — over-permissive against least-privilege guidance.

Gate both fields on `not (cluster.is_single_process_mode .)` so the SCC matches the workload's actual security context.

Tests cover all three permutations: default (multi-process), single-process, and GKE Autopilot.

Refs: sysdiglabs#2620
Contributor
Hi @EdwardArchive. Thanks for your PR. After inspecting your changes someone with write access to this repo needs
Fixes #2620
Summary
The cluster `SecurityContextConstraints` template unconditionally granted:

…

but the cluster-shield container only requests privileged execution when not in single-process mode (see `templates/cluster/deployment.yaml`):

`cluster.is_single_process_mode` is true when `.Values.cluster.run_mode == "single-process"` or when running on GKE Autopilot. In both cases the workload no longer needs privileged or privilege escalation, but the SCC still granted them — over-permissive against least-privilege guidance and a recurring finding in OpenShift security/compliance scans.

Changes

- `templates/cluster/openshift-securitycontextconstraint.yaml` — compute `$clusterPrivileged` from `not (cluster.is_single_process_mode .)` and use it for both `allowPrivilegeEscalation` and `allowPrivilegedContainer`. The SCC now matches the workload's actual security context.
- `tests/cluster/openshift-securitycontextconstraint_test.yaml` — three new helm-unittest cases:
  - default → `true` (unchanged behavior)
  - `cluster.run_mode: single-process` → `false`
  - GKE Autopilot (`cluster_type: gke-autopilot`) → `false`
- `Chart.yaml` — bump to 1.37.2.

Behavioral compatibility
The previous behavior is preserved for the default run mode (the common case). Single-process / GKE Autopilot users get a tighter SCC that still satisfies their workload — they would not have been able to use a more permissive SCC for any practical reason.
Test plan
- `helm unittest --strict -f tests/cluster/openshift-securitycontextconstraint_test.yaml charts/shield` → 8 passed
- `helm template` against `tests/values/base.yaml` (default / single-process / gke-autopilot) — confirmed expected boolean values.

Checklist

- `fix(shield):`
- `tests/` with `_test` suffix

🤖 Generated with Claude Code
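An added illustration of the gate described in the Summary and Changes above (example code written for this page, not the shield chart's own templates): a Go program that renders the two SCC fields for the three run-mode permutations next to a pre-fix variant that hard-codes them to `true`, and reports which grants exceed what the workload itself requests. The helper condition, the `.Values` key names (`cluster.run_mode`, `cluster_type`) and the default value `multi-process` are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Added example, not the chart's templates. The or(...) stands in for the chart's
// cluster.is_single_process_mode helper (condition and value keys assumed; inlined because
// text/template has no Helm "include"). "privileged" models what the deployment requests;
// .Gated=false reproduces the pre-fix SCC that hard-coded both grants to true.
const src = `
{{- $clusterPrivileged := not (or (eq .Values.cluster.run_mode "single-process") (eq .Values.cluster_type "gke-autopilot")) -}}
privileged: {{ $clusterPrivileged }}
allowPrivilegeEscalation: {{ if .Gated }}{{ $clusterPrivileged }}{{ else }}true{{ end }}
allowPrivilegedContainer: {{ if .Gated }}{{ $clusterPrivileged }}{{ else }}true{{ end }}
`
var tpl = template.Must(template.New("scc").Parse(src))
// render returns field name -> rendered boolean for one set of chart values.
func render(gated bool, runMode, clusterType string) (map[string]bool, error) {
	data := map[string]any{"Gated": gated, "Values": map[string]any{"cluster": map[string]any{"run_mode": runMode}, "cluster_type": clusterType}}
	var out strings.Builder
	if err := tpl.Execute(&out, data); err != nil {
		return nil, err
	}
	fields := map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
		k, v, _ := strings.Cut(line, ": ")
		fields[k] = v == "true"
	}
	return fields, nil
}

// overGrants lists SCC fields granted while the workload does not request privileged execution.
func overGrants(f map[string]bool) (bad []string) {
	for _, k := range []string{"allowPrivilegeEscalation", "allowPrivilegedContainer"} {
		if f[k] && !f["privileged"] {
			bad = append(bad, k)
		}
	}
	return bad
}

func main() {
	for _, c := range [][2]string{{"multi-process", ""}, {"single-process", ""}, {"multi-process", "gke-autopilot"}} {
		before, _ := render(false, c[0], c[1])
		after, _ := render(true, c[0], c[1])
		fmt.Printf("run_mode=%s cluster_type=%q over-grants before=%v after=%v\n", c[0], c[1], overGrants(before), overGrants(after))
	}
}
```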