fix(shield): gate host OpenShift SCC privileged fields on .Values.host.privileged#2625
Open
EdwardArchive wants to merge 1 commit into
…ed (sysdiglabs#2621)

The host SCC unconditionally granted `allowPrivilegeEscalation: true` and `allowPrivilegedContainer: true`, while the daemonset's pod security context (`host.security_context` in _helpers.tpl) already sets `allowPrivilegeEscalation: false` and drops to a curated capability set when `.Values.host.privileged` is false. The same SCC file was already partially aware of `host.privileged` for `allowedCapabilities`, so users running Universal eBPF in non-privileged mode got an over-permissive SCC that defeated the security benefit of the unprivileged driver.

Gate both fields on `.Values.host.privileged`, mirroring the daemonset. Tests cover both privileged and unprivileged paths.

Refs: sysdiglabs#2621
Contributor
Hi @EdwardArchive. Thanks for your PR. After inspecting your changes someone with write access to this repo needs
Fixes #2621

Summary

The host `SecurityContextConstraints` unconditionally granted: …

even though the daemonset's pod security context (`host.security_context` in `templates/host/_helpers.tpl`) already sets `allowPrivilegeEscalation: false` and drops to a curated capability set when `.Values.host.privileged` is false:

The same SCC file was already partially aware of `host.privileged` for `allowedCapabilities`, but `allowPrivilegeEscalation`/`allowPrivilegedContainer` remained hardcoded. As a result, users running Universal eBPF in non-privileged mode received an over-permissive SCC, defeating the security benefit of choosing the non-privileged driver.

Changes

- `templates/host/openshift-securitycontextconstraint.yaml` — render both fields from `.Values.host.privileged`, mirroring the daemonset.
- `tests/host/openshift-securitycontextconstraint_test.yaml` — two new helm-unittest cases (privileged true → both `true`; privileged false + universal_ebpf → both `false`).
- `Chart.yaml` — bump to 1.37.2.

Behavioral compatibility

Default values keep `host.privileged: true`, so the rendered SCC for the default install is identical. Only users who have deliberately switched to non-privileged Universal eBPF mode see a tighter SCC — which is what they were already trying to achieve at the daemonset level.

Test plan

- `helm unittest --strict -f tests/host/openshift-securitycontextconstraint_test.yaml charts/shield` → 11 passed
- `helm template` privileged → `allowPrivilegeEscalation: true`, `allowPrivilegedContainer: true`
- `helm template` with `host.privileged=false host.driver=universal_ebpf` → both `false`, capabilities set drops to `DAC_READ_SEARCH … SYS_RESOURCE`

Checklist

- `fix(shield):` prefix
- `tests/` with `_test` suffix

🤖 Generated with Claude Code
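As an added illustration of the gating the PR describes (not the shield chart's actual template or test file), the SCC fields templated on `.Values.host.privileged` next to the hardcoded form they replace, plus a helm-unittest case for each path. The SCC `metadata.name`, the absence of any OpenShift-enable guard the real chart may have, and the exact test layout are assumptions.

```yaml
# Illustrative reconstruction from the PR text, not the chart's real file.
# templates/host/openshift-securitycontextconstraint.yaml (relevant fields only)
#
# Before the fix, both fields were hardcoded regardless of values:
#   allowPrivilegeEscalation: true
#   allowPrivilegedContainer: true
#
# After the fix, both render from .Values.host.privileged, so the SCC only
# permits what the daemonset's pod security context actually requests.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: sysdig-shield-host   # assumed name; the real chart's name may differ
allowPrivilegeEscalation: {{ .Values.host.privileged }}
allowPrivilegedContainer: {{ .Values.host.privileged }}
---
# tests/host/openshift-securitycontextconstraint_test.yaml (helm-unittest)
# Assumed layout: the real suite may need extra `set:` keys to enable the
# OpenShift resources before this template renders at all.
suite: host SCC privileged gating
templates:
  - templates/host/openshift-securitycontextconstraint.yaml
tests:
  - it: keeps privileged fields when host.privileged is true (chart default)
    set:
      host.privileged: true
    asserts:
      - equal:
          path: allowPrivilegeEscalation
          value: true
      - equal:
          path: allowPrivilegedContainer
          value: true
  - it: drops privileged fields for non-privileged Universal eBPF
    set:
      host.privileged: false
      host.driver: universal_ebpf
    asserts:
      - equal:
          path: allowPrivilegeEscalation
          value: false
      - equal:
          path: allowPrivilegedContainer
          value: false
```

Running `helm template` with `--set host.privileged=false,host.driver=universal_ebpf` and checking the rendered SCC against the daemonset's `securityContext` is the quickest way to confirm the two no longer disagree.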