DEV-8116-censor-docker-image-hardening (#34)

mikifarber101 · dotanalter · web-flow · commit 6539ba04663c · 2025-03-05T14:02:33.000+02:00
* change helm chart

* change agent version to 1.0.0

* Update Chart.yaml

---------

Co-authored-by: Dotan Alter &lt;43717802+dotanalter@users.noreply.github.com&gt;
diff --git a/charts/streamsec-agent/Chart.yaml b/charts/streamsec-agent/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.1.5
+version: 1.1.6
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -27,4 +27,4 @@ dependencies:
   - name: tetragon
     condition: streamsec.runtime_agent.enabled
     version: 1.3.0
-    repository: "https://helm.cilium.io"
+    repository: "https://helm.cilium.io"
diff --git a/charts/streamsec-agent/templates/runtime_agent_ds.yaml b/charts/streamsec-agent/templates/runtime_agent_ds.yaml
@@ -26,6 +26,10 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      securityContext:
+        runAsUser: 0
+        fsGroup: 65534
+        runAsNonRoot: false
       containers:
         - name: runtime-agent
           image: {{ template "streamsec.runtime-agent-image-path" $}}
@@ -53,17 +57,25 @@ spec:
                   name: {{ template "streamsec.apiTokenSecretName" $ }}
                   key: api-key
           securityContext:
-            privileged: true
+            privileged: false
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - BPF
+                - NET_RAW
+                - SYS_RESOURCE
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
             - mountPath: /sys/kernel
               name: sys-kernel
+              readOnly: true
             - mountPath: {{ .Values.streamsec.runtime_agent.tetragonFilePath }}
               name: export-logs
+              readOnly: true
       dnsPolicy: {{ .Values.dnsPolicy }}
-      hostNetwork: true
-      hostPID: true
-      hostIPC: true
       {{- with .Values.streamsec.runtime_agent.priorityClassName }}
       priorityClassName: "{{ . }}"
       {{- end }}
diff --git a/charts/streamsec-agent/values.yaml b/charts/streamsec-agent/values.yaml
@@ -204,7 +204,7 @@ streamsec:
     updateStrategy: {}
     image:
       name: runtime-agent
-      tag: 0.0.6
+      tag: 1.0.0
       pullPolicy: IfNotPresent
 
   env:
