diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
index 49221b8d9..b5609f866 100644
--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
- name: mavimo
email: marcovito.moscaritolo@sysdig.com
type: application
-version: 1.37.1
+version: 1.37.2
appVersion: "1.0.0"
diff --git a/charts/shield/README.md b/charts/shield/README.md
index e157a66d0..08a252df8 100644
--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -307,3 +307,5 @@ The following table lists the configurable parameters of the `shield` chart and
| gke_autopilot.allowlist_waiter.resources.limits.memory | The memory limit for the allowlist waiter Job | 128Mi |
| gke_autopilot.allowlist_waiter.resources.requests.cpu | The CPU request for the allowlist waiter Job | 50m |
| gke_autopilot.allowlist_waiter.resources.requests.memory | The memory request for the allowlist waiter Job | 64Mi |
+| gke_autopilot.allowlist_waiter.pod_security_context | Pod-level securityContext for the waiter Job. Defaults satisfy the Kubernetes PodSecurity "restricted" profile and OpenShift "restricted-v2" SCC. | {"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}} |
+| gke_autopilot.allowlist_waiter.security_context | Container-level securityContext for the waiter Job. The wait-for-allowlist container only runs `kubectl wait`, so root, escalation, and capabilities are not required. | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true} |
diff --git a/charts/shield/templates/host/gke-allowlist-waiter-job.yaml b/charts/shield/templates/host/gke-allowlist-waiter-job.yaml
index 968951752..96a6e18d2 100644
--- a/charts/shield/templates/host/gke-allowlist-waiter-job.yaml
+++ b/charts/shield/templates/host/gke-allowlist-waiter-job.yaml
@@ -23,6 +23,8 @@ spec:
spec:
restartPolicy: OnFailure
serviceAccountName: {{ include "host.allowlist_waiter.service_account_name" . }}
+ securityContext:
+ {{- toYaml .Values.gke_autopilot.allowlist_waiter.pod_security_context | nindent 8 }}
{{- with .Values.gke_autopilot.allowlist_waiter.image.pull_secrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
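Review bot: The new `securityContext:` key at the top of this hunk is emitted unconditionally, so an operator who sets `pod_security_context: null` or `{}` to defer to the cluster's own defaults still gets an explicit `securityContext: null` / `securityContext: {}` in the rendered Job instead of the key being omitted. The `imagePullSecrets` block three lines below already uses the guarded form; the same shape here would be `{{- with .Values.gke_autopilot.allowlist_waiter.pod_security_context }}` / `securityContext:` / `{{- toYaml . | nindent 8 }}` followed by `{{- end }}`. The container-level `securityContext` added in the next hunk has the same shape and would take the same guard with `nindent 12`.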
@@ -31,6 +33,8 @@ spec:
- name: wait-for-allowlist
image: {{ include "host.allowlist_waiter.image" . | replace " " "" }}
imagePullPolicy: {{ .Values.gke_autopilot.allowlist_waiter.image.pull_policy }}
+ securityContext:
+ {{- toYaml .Values.gke_autopilot.allowlist_waiter.security_context | nindent 12 }}
command:
- /bin/bash
- -c
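Review bot: `readOnlyRootFilesystem: true` is applied to a container whose `command` continues outside this hunk, and the README row in this commit says it runs `kubectl wait`; kubectl attempts to write its discovery cache under `$HOME/.kube/cache`, and `$HOME` may not exist at all for UID 65532, so it is worth confirming with a real cluster run, not only the rendering unittest, that the Job still completes. If it does not, the fix is an `emptyDir` mounted at the cache path (or `KUBECACHEDIR` pointed at one) rather than relaxing the flag. The pod-level `seccompProfile` from the previous hunk covers this container for the PodSecurity restricted check, so no container-level seccomp setting is missing.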
diff --git a/charts/shield/tests/host/gke-allowlist-waiter-job_test.yaml b/charts/shield/tests/host/gke-allowlist-waiter-job_test.yaml
new file mode 100644
index 000000000..9a0dedbd7
--- /dev/null
+++ b/charts/shield/tests/host/gke-allowlist-waiter-job_test.yaml
@@ -0,0 +1,114 @@
+suite: Host - GKE Allowlist Waiter Job
+templates:
+ - templates/host/gke-allowlist-waiter-job.yaml
+release:
+ name: release-name
+ namespace: shield-namespace
+values:
+ - ../values/gke-autopilot.yaml
+tests:
+ - it: Doesn't render when allowlist_waiter is disabled (default)
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: Renders the Job when allowlist_waiter is enabled
+ set:
+ gke_autopilot:
+ allowlist_waiter:
+ enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: Job
+ apiVersion: batch/v1
+ name: release-name-shield-host-allowlist-waiter
+
+ - it: Job has PSA Restricted compatible pod securityContext by default
+ set:
+ gke_autopilot:
+ allowlist_waiter:
+ enabled: true
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext.runAsNonRoot
+ value: true
+ - equal:
+ path: spec.template.spec.securityContext.runAsUser
+ value: 65532
+ - equal:
+ path: spec.template.spec.securityContext.runAsGroup
+ value: 65532
+ - equal:
+ path: spec.template.spec.securityContext.seccompProfile.type
+ value: RuntimeDefault
+
+ - it: Container has PSA Restricted compatible securityContext by default
+ set:
+ gke_autopilot:
+ allowlist_waiter:
+ enabled: true
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
+ value: false
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+ value: true
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.capabilities.drop
+ value:
+ - ALL
+
+ - it: Pod securityContext is overridable via values
+ set:
+ gke_autopilot:
+ allowlist_waiter:
+ enabled: true
+ pod_security_context:
+ runAsNonRoot: true
+ runAsUser: 1000
+ fsGroup: 1000
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext.runAsUser
+ value: 1000
+ - equal:
+ path: spec.template.spec.securityContext.fsGroup
+ value: 1000
+
+ - it: Container securityContext is overridable via values
+ set:
+ gke_autopilot:
+ allowlist_waiter:
+ enabled: true
+ security_context:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+ value: false
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.capabilities.add
+ value:
+ - NET_BIND_SERVICE
+
+ - it: Job pre-install hook annotations are preserved
+ set:
+ gke_autopilot:
+ allowlist_waiter:
+ enabled: true
+ asserts:
+ - equal:
+ path: metadata.annotations["helm.sh/hook"]
+ value: pre-install,pre-upgrade
+ - equal:
+ path: metadata.annotations["helm.sh/hook-weight"]
+ value: "5"
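Review bot: The two override tests (`Pod securityContext is overridable via values` and `Container securityContext is overridable via values`) only assert the keys they set, so they do not pin the fact that `set` merges into the chart defaults and keys left out — here `runAsGroup` and `seccompProfile` — survive the override, which is exactly what an operator trying to remove a default will trip over. Adding `- equal:` / `path: spec.template.spec.securityContext.seccompProfile.type` / `value: RuntimeDefault` to the pod override test's asserts documents that merge behaviour, and a companion case that sets `seccompProfile: null` and asserts `notExists` on that path would show the supported way to drop a default, if helm-unittest honours Helm's null-deletes-key merge semantics. The suite's values file `../values/gke-autopilot.yaml` is outside this diff, so the first test's assumption that the waiter is disabled there cannot be checked from the commit alone.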
diff --git a/charts/shield/values.yaml b/charts/shield/values.yaml
index b51203d0b..3fda89d24 100644
--- a/charts/shield/values.yaml
+++ b/charts/shield/values.yaml
@@ -684,3 +684,21 @@ gke_autopilot:
cpu: 50m
# The memory request for the allowlist waiter Job
memory: 64Mi
+ # Pod-level securityContext for the waiter Job. Defaults satisfy the
+ # Kubernetes PodSecurity "restricted" profile and OpenShift "restricted-v2"
+ # SCC so the pre-install hook is admitted on hardened clusters.
+ pod_security_context:
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ # Container-level securityContext for the waiter Job. The wait-for-allowlist
+ # container only runs `kubectl wait`, so root, escalation, and capabilities
+ # are not required.
+ security_context:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
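Review bot: The comment above `pod_security_context` claims the defaults satisfy the OpenShift `restricted-v2` SCC, but that SCC uses `MustRunAsRange` for `runAsUser`, so a fixed `runAsUser: 65532` is admitted only if it happens to fall inside the namespace's assigned UID range; on a typical OpenShift namespace the pre-install hook Job would be rejected by SCC admission, the opposite of what the comment promises. The same sentence is repeated verbatim in the README table row added by this commit. I would narrow the claim to what the values guarantee, e.g. `# Defaults satisfy the Kubernetes PodSecurity "restricted" profile. On OpenShift the` / `# restricted-v2 SCC assigns UIDs per namespace, so override runAsUser/runAsGroup` / `# (e.g. set them to null) and let the SCC choose them.`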