diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml index 11b262840..85a716df8 100644 --- a/charts/agent/Chart.yaml +++ b/charts/agent/Chart.yaml @@ -30,4 +30,4 @@ sources: - https://app.sysdigcloud.com/#/settings/user - https://github.com/draios/sysdig type: application -version: 1.36.5 +version: 1.36.6 diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml index a1259ae77..daf742603 100644 --- a/charts/agent/templates/daemonset.yaml +++ b/charts/agent/templates/daemonset.yaml @@ -288,6 +288,9 @@ spec: {{- /* Slim = false, Autopilot = false */}} {{- if and (not .Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }} + - mountPath: /host/sys/fs + name: sysfs-vol + readOnly: true - mountPath: /etc/modprobe.d name: modprobe-d readOnly: true @@ -326,6 +329,9 @@ spec: name: vardata-vol - mountPath: /host/var/run name: varrun-vol + - mountPath: /host/sys/fs + name: sysfs-vol + readOnly: true {{- if (include "agent.ebpfEnabled" .) }} - mountPath: /root/.sysdig name: bpf-probes @@ -431,6 +437,9 @@ spec: {{- /* Slim = false, Autopilot = false */}} {{- if and (not .Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }} + - name: sysfs-vol + hostPath: + path: /sys/fs - name: modprobe-d hostPath: path: /etc/modprobe.d @@ -463,6 +472,9 @@ spec: {{- /* Slim = true, Autopilot = false */}} {{- if and (.Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }} + - name: sysfs-vol + hostPath: + path: /sys/fs - name: modprobe-d hostPath: path: /etc/modprobe.d diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml index 190a88a57..caf709580 100644 --- a/charts/shield/Chart.yaml +++ b/charts/shield/Chart.yaml @@ -13,5 +13,5 @@ maintainers: - name: mavimo email: marcovito.moscaritolo@sysdig.com type: application -version: 1.3.3 +version: 1.3.4 appVersion: "1.0.0" diff --git a/charts/shield/templates/host/_helpers.tpl b/charts/shield/templates/host/_helpers.tpl index 25db48890..c7eccb440 100644 
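Review bot: The new `sysfs-vol` hostPath in the @@ -431 and @@ -463 hunks has no `type:`, so the kubelet performs no check on the node path before mounting it; adding `type: Directory` under `hostPath:` states the expectation and fails pod start with a clear event if `/sys/fs` is missing or not a directory. The corresponding mounts in the @@ -288 and @@ -326 hunks are `readOnly: true`, which is the right posture for exposing part of the host sysfs, but the chart now adds the mount unconditionally in both the slim and non-slim non-autopilot branches and nothing records why. A short template comment above the first volume entry, e.g. `{{- /* sysfs-vol: read-only view of the host /sys/fs hierarchy; see the agent docs for which subsystems it reads */}}`, would give reviewers of future hostPath additions the rationale, and the chart changelog should mention the new host mount since it changes what the agent pod can see on the node.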
--- a/charts/shield/templates/host/_helpers.tpl +++ b/charts/shield/templates/host/_helpers.tpl @@ -136,7 +136,7 @@ true {{- end }} {{- define "host.need_host_root" }} -{{- if or .Values.features.posture.host_posture.enabled .Values.features.vulnerability_management.host_vulnerability_management.enabled }} +{{- if or (eq (include "host.response_actions_enabled" .) "true") .Values.features.posture.host_posture.enabled .Values.features.vulnerability_management.host_vulnerability_management.enabled }} {{- true -}} {{- end }} {{- end }} @@ -214,6 +214,22 @@ true {{- end }} {{- end }} +{{/* + This function checks if the response_actions feature is enabled for the host. + It first checks the additional_settings and then the features. + If neither is found, it defaults to false. +*/}} +{{- define "host.response_actions_enabled" }} +{{- $feature_respond := dig (include "host.respond_key" .Values.features) (dict) .Values.features }} +{{- $additional_features := dig "features" (dict) .Values.host.additional_settings }} +{{- $additional_respond := dig (include "host.respond_key" $additional_features) (dict) $additional_features }} +{{- if hasKey $additional_respond "response_actions" }} +{{- dig "response_actions" "enabled" false $additional_respond -}} +{{- else if hasKey $feature_respond "response_actions" }} +{{- dig "response_actions" "enabled" false $feature_respond -}} +{{- end }} +{{- end }} + {{- define "host.monitor_key" }} {{- if hasKey . "monitoring" }} {{- print "monitoring" }} diff --git a/charts/shield/tests/host/daemonset_test.yaml b/charts/shield/tests/host/daemonset_test.yaml index d6f36b2cc..7c0a95fbc 100644 --- a/charts/shield/tests/host/daemonset_test.yaml +++ b/charts/shield/tests/host/daemonset_test.yaml 
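Review bot: The comment on `host.response_actions_enabled` says it "defaults to false", but when neither `$additional_respond` nor `$feature_respond` has a `response_actions` key the define renders nothing, and the caller in the @@ -136 hunk only behaves because it compares with `eq ... "true"`. Either reword the comment to say the template emits the `enabled` value only when the key is present and is empty otherwise, or replace the closing `{{- end }}` of the if-chain with `{{- else }}false{{- end }}` so the output matches the documentation and a future caller that tests for `"false"` is not misled. Because this predicate now feeds `host.need_host_root`, enabling response actions makes the host shield mount the node's `/` (the new tests assert `hostPath: path: /` mounted at `/host` read-only); the values documentation for `response_actions.enabled` should state that consequence so operators understand the widened host access they opt into. The line `dig "features" (dict) .Values.host.additional_settings` presumably relies on `host.additional_settings` being a map in the default values; if it can be `null`, `dig` will error rather than fall back to the `(dict)` default, so a guard such as `default (dict) .Values.host.additional_settings` would be safer.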
@@ -248,6 +248,80 @@ tests: - notExists: path: spec.template.spec.volumes[?(@.name == "host-tmp")] + - it: Host root mounted when response_actions is enabled (additional_settings) + set: + host: + additional_settings: + features: + respond: + response_actions: + enabled: true + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: host-root + hostPath: + path: / + - contains: + path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].volumeMounts + content: + name: host-root + mountPath: /host + readOnly: true + - notExists: + path: spec.template.spec.volumes[?(@.name == "host-tmp")] + + - it: Host root mounted when response_actions is enabled (features) + set: + features: + respond: + response_actions: + enabled: true + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: host-root + hostPath: + path: / + - contains: + path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].volumeMounts + content: + name: host-root + mountPath: /host + readOnly: true + - notExists: + path: spec.template.spec.volumes[?(@.name == "host-tmp")] + + - it: Host root mounted when response_actions is enabled (only on additional_settings) + set: + features: + respond: + response_actions: + enabled: false + host: + additional_settings: + features: + respond: + response_actions: + enabled: true + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: host-root + hostPath: + path: / + - contains: + path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].volumeMounts + content: + name: host-root + mountPath: /host + readOnly: true + - notExists: + path: spec.template.spec.volumes[?(@.name == "host-tmp")] + - it: Host root mounted when host scanner is enabled set: features: diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml index 089637423..364dc0c9a 100644 --- a/charts/sysdig-deploy/Chart.yaml +++ b/charts/sysdig-deploy/Chart.yaml 
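Review bot: The three new cases only exercise the enabled paths, so the precedence rule in `host.response_actions_enabled` (additional_settings wins) is untested in the direction that matters for least privilege: `features.respond.response_actions.enabled: true` overridden by `host.additional_settings.features.respond.response_actions.enabled: false`, asserting `notExists` on `spec.template.spec.volumes[?(@.name == "host-root")]`. Without that case a regression that drops the additional_settings lookup and reads only `.Values.features` would still pass this suite. A second cheap case, `response_actions: {}` with no `enabled` key, would pin the `false` default that `dig` supplies in the helper.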
@@ -2,7 +2,7 @@ apiVersion: v2 name: sysdig-deploy description: A chart with various Sysdig components for Kubernetes type: application -version: 1.80.2 +version: 1.80.3 maintainers: - name: AlbertoBarba email: alberto.barba@sysdig.com @@ -26,7 +26,7 @@ dependencies: - name: agent # repository: https://charts.sysdig.com repository: file://../agent - version: ~1.36.5 + version: ~1.36.6 alias: agent condition: agent.enabled - name: common