feat(shield): unprivileged host-shield support for CIS benchmark checks#2591
Open
francesco-furlan wants to merge 7 commits into main from
When host.privileged=false on OpenShift, CIS benchmark scans fail on audit rule queries (auditctl) and firewall inspection (iptables/nftables) because the container lacks the required kernel capabilities. Grant AUDIT_READ and NET_ADMIN automatically when Host Posture or Host Vulnerability Management is enabled, and drop the "must be privileged" wording from the values.yaml comment (no validation ever enforced it).
# Conflicts:
#	charts/shield/Chart.yaml

…checks

Grants the additional permissions required by the KSPM analyzer to run Kubernetes & OpenShift CIS benchmark checks against the control plane. Without these rules ~12 checks fail with "Forbidden" errors.

New rules are appended to templates/host/clusterrole.yaml and gated behind the same feature flags already used in this branch for the AUDIT_READ/NET_ADMIN capability additions:

    features.posture.host_posture.enabled OR features.vulnerability_management.host_vulnerability_management.enabled

Generic Kubernetes rules (clusterrolebindings list, flowschemas get/list, secrets get, pods/exec create) render on any cluster under the posture/VM gate. OpenShift-specific rules (security.openshift.io/scc, operator.openshift.io/kubeapiservers, config.openshift.io/oauths etc.) additionally require OpenShift detection.

OpenShift detection is factored into a new common.is_openshift helper in templates/common/_helpers.tpl. It probes security.openshift.io/v1 — the same marker the existing OpenShift SCC templates use and the example documented in values.yaml — and honours extra_capabilities_api_versions for off-cluster rendering (ArgoCD server-side apply).

Adds tests/host/clusterrole_test.yaml covering:
- default (no posture/VM) → no new rules
- posture enabled → 4 generic rules
- VM-only enabled → same generic rules
- OpenShift API detected + posture → generic + 3 OpenShift rule blocks
- extra_capabilities_api_versions fallback for OpenShift detection
- OpenShift detected but posture/VM disabled → no new rules
- labels/annotations propagation sanity check
AUDIT_READ/NET_ADMIN and the control-plane RBAC rules (clusterrolebindings, flowschemas, secrets, pods/exec, plus the OpenShift SCC/operator/config rules) were previously gated on Host Posture OR Host Vulnerability Management enabled. Only KSPM/CIS benchmark checks need them — VM scans the host filesystem via /host and does not call control-plane APIs or query the kernel audit subsystem. Narrow the gate to Host Posture only so VM-only deployments stay least-privileged.
When running the host shield in unprivileged mode (`host.privileged=false`), KSPM Kubernetes & OpenShift CIS benchmark checks produce ~28 additional failures versus privileged mode. The failures fall in two categories:

**Missing Linux capabilities on the host-shield container**

- `auditctl -l` (Audit Log checks) fails with `Operation not permitted` — requires `CAP_AUDIT_READ`
- `iptables`/`nftables` (firewall checks) fails with `you must be root` — requires `CAP_NET_ADMIN`

**Missing control-plane permissions on the host-shield ServiceAccount**

- `Forbidden` when the KSPM analyzer queries `clusterrolebindings`, `flowschemas`, `secrets`, or runs `pods/exec`
- `securitycontextconstraints`, `kubeapiservers`, and the `config.openshift.io` group (`oauths`, `apiservers`, `networks`, `images`)

Both categories are only exercised by Host Posture (KSPM); Host Vulnerability Management scans the filesystem via `/host` and does not need them. The gate is therefore `features.posture.host_posture.enabled` only, so VM-only deployments stay least-privileged.

## Changes

- `templates/host/_helpers.tpl` — append `AUDIT_READ` and `NET_ADMIN` to the non-privileged capability set when host posture is enabled.
- `templates/host/clusterrole.yaml` — append the generic Kubernetes rules (`clusterrolebindings/list`, `flowschemas/get,list`, `secrets/get`, `pods/exec/create`) plus the OpenShift-specific block, both gated on host posture.
- `templates/common/_helpers.tpl` — new `common.is_openshift` helper. Probes `security.openshift.io/v1` (the same marker the existing SCC templates use) and honours `extra_capabilities_api_versions` for off-cluster rendering (e.g. ArgoCD server-side apply).
- `values.yaml` / `README.md` — updated `host.privileged` comment to note that the required capabilities are granted automatically when disabled.
- `Chart.yaml` — version bumped to `1.35.0`.
- `tests/host/clusterrole_test.yaml` — 7 cases covering default (no rules), posture-only, VM-only (no new rules), OpenShift+posture, `extra_capabilities_api_versions` fallback, OpenShift but posture disabled, and labels/annotations propagation.
- `tests/host/security_context_test.yaml` — posture-on adds `AUDIT_READ`/`NET_ADMIN`; posture-off and VM-only do not.
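An added illustration (not the PR's own diff) of how the two gates described above compose in a Helm chart: the `common.is_openshift` helper that probes `security.openshift.io/v1` and falls back to `extra_capabilities_api_versions`, followed by the posture-gated ClusterRole rules. Assumptions: `extra_capabilities_api_versions` is a list of strings, the OpenShift rules use read-only verbs (the PR text does not state them), and the rule fragment is appended under the chart's existing `rules:` key.

```yaml
# templates/common/_helpers.tpl (illustrative, not the chart's actual code)
{{/*
common.is_openshift renders "true" when the OpenShift SCC API is present.
Off-cluster renders (e.g. ArgoCD server-side apply) have no live API
discovery, so the caller may list the version in
.Values.extra_capabilities_api_versions (assumed to be a list of strings).
*/}}
{{- define "common.is_openshift" -}}
{{- $extra := .Values.extra_capabilities_api_versions | default list -}}
{{- if or (.Capabilities.APIVersions.Has "security.openshift.io/v1") (has "security.openshift.io/v1" $extra) -}}
true
{{- end -}}
{{- end -}}

# templates/host/clusterrole.yaml (illustrative fragment under the existing rules: key)
# Only Host Posture (KSPM) exercises these APIs; Host VM reads /host and never
# reaches the control plane, so the gate is host_posture.enabled alone.
{{- if .Values.features.posture.host_posture.enabled }}
# Generic Kubernetes rules needed by the KSPM analyzer for CIS checks.
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterrolebindings"]
  verbs: ["list"]
- apiGroups: ["flowcontrol.apiserver.k8s.io"]
  resources: ["flowschemas"]
  verbs: ["get", "list"]
# secrets/get and pods/exec/create are sensitive cluster-wide grants; keeping
# them behind the posture gate is what keeps VM-only deployments least-privileged.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
{{- if include "common.is_openshift" . }}
# OpenShift-only rules; verbs are an assumption (read-only), not from the PR.
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  verbs: ["get", "list"]
- apiGroups: ["operator.openshift.io"]
  resources: ["kubeapiservers"]
  verbs: ["get", "list"]
- apiGroups: ["config.openshift.io"]
  resources: ["oauths", "apiservers", "networks", "images"]
  verbs: ["get", "list"]
{{- end }}
{{- end }}
```

Rendering with `helm template --api-versions security.openshift.io/v1` exercises the same detection path as a live OpenShift cluster, which is how the "off-cluster" case can be checked without one.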