
Replace privileged:true with minimal capabilities in integration tests #3447

Open
robbycochran wants to merge 4 commits into master from rc-remove-privileged

Conversation

@robbycochran

Collaborator

Summary

  • Deploy collector with CAP_BPF, CAP_PERFMON, CAP_SYS_PTRACE, and CAP_SYS_RESOURCE instead of privileged: true across all three container runtime paths (Docker/Podman, CRI, K8s)
  • Add CapAdd field to ContainerStartConfig and wire it through Docker and CRI executors
  • K8s path sets explicit SecurityContext with allowPrivilegeEscalation: false, drop: ALL, and the four capabilities

This is Phase 2 of the collector privilege reduction effort. Phase 1 (stackrox/stackrox#21065) updated the production Helm templates. This PR validates that BPF collection works correctly under the reduced privilege model by running the existing integration test suite without privileged: true.

Files changed

File                                  Change
pkg/config/container_config.go        Add CapAdd []string field to ContainerStartConfig
pkg/executor/executor_docker_api.go   Wire CapAdd to Docker HostConfig.CapAdd
pkg/executor/executor_cri.go          Wire CapAdd to CRI LinuxContainerSecurityContext.Capabilities with drop: ALL
pkg/collector/collector_k8s.go        Replace privileged: true with capability-based SecurityContext
pkg/collector/collector_docker.go     Set Privileged: false with CapAdd for the four capabilities

Capabilities justification

Capability         Why
CAP_BPF            Load BPF programs and create BPF maps via bpf() syscall
CAP_PERFMON        Attach BPF programs to kernel tracing infrastructure (tp_btf/)
CAP_SYS_PTRACE     Read restricted /proc/pid/ entries across namespaces via hostPath mount
CAP_SYS_RESOURCE   Raise RLIMIT_MEMLOCK to RLIM_INFINITY for BPF map allocation

Known considerations

  • Docker seccomp: Docker's default seccomp profile allows bpf() since 20.10 but may filter perf_event_open(). If Docker-path tests fail, we may need seccomp=unconfined on the Docker executor. Podman/CRI are unaffected.
  • SELinux: All test VMs use setenforce 0 (permissive). SELinux enforcing validation is deferred to Phase 3 (custom SCC).
  • node-inventory: Remains privileged: true (separate workstream).

Test plan

  • All existing integration tests pass on RHEL/RHCOS VMs (podman/CRI path)
  • All existing integration tests pass on Ubuntu/COS VMs (Docker path)
  • K8s integration tests pass on KinD
  • No regression in benchmark tests
  • If Docker-path tests fail due to seccomp, add seccomp=unconfined follow-up
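
As an added example (not code from this PR or from the collector repository), the settings for the three runtime paths modelled with stdlib-only Go structs that mirror the real field names (Docker HostConfig.CapAdd, CRI add_capabilities/drop_capabilities, the Kubernetes securityContext), plus the check a test would run against the collector's /proc/<pid>/status to confirm the reduced set actually took effect instead of a silent privileged fallback. The struct names, helper names and the sample status text are constructed here; the capability bit numbers come from linux/capability.h.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// CollectorCaps is the capability set granted instead of privileged:true.
// Docker's CapAdd and a Kubernetes securityContext take names without CAP_.
var CollectorCaps = []string{"BPF", "PERFMON", "SYS_PTRACE", "SYS_RESOURCE"}

// capBits is the bit index of each capability in the CapEff bitmask
// (linux/capability.h: SYS_PTRACE=19, SYS_RESOURCE=24, PERFMON=38, BPF=39).
var capBits = map[string]uint{"SYS_PTRACE": 19, "SYS_RESOURCE": 24, "PERFMON": 38, "BPF": 39}

// DockerHostConfig mirrors the two Docker HostConfig fields the PR wires.
type DockerHostConfig struct {
	Privileged bool     `json:"Privileged"`
	CapAdd     []string `json:"CapAdd"`
}

// CRICapabilities mirrors the CRI LinuxContainerSecurityContext.Capabilities message.
type CRICapabilities struct {
	AddCapabilities  []string `json:"add_capabilities"`
	DropCapabilities []string `json:"drop_capabilities"`
}

// K8sCapabilities and K8sSecurityContext mirror the K8s-path securityContext fields.
type K8sCapabilities struct {
	Add  []string `json:"add"`
	Drop []string `json:"drop"`
}

type K8sSecurityContext struct {
	Privileged               bool            `json:"privileged"`
	AllowPrivilegeEscalation bool            `json:"allowPrivilegeEscalation"`
	Capabilities             K8sCapabilities `json:"capabilities"`
}

func copyCaps(caps []string) []string { return append([]string(nil), caps...) }

// DockerConfig: privileged off, the listed caps added on top of Docker's default set.
func DockerConfig(caps []string) DockerHostConfig {
	return DockerHostConfig{Privileged: false, CapAdd: copyCaps(caps)}
}

// CRIConfig: drop everything, add back exactly the listed caps.
func CRIConfig(caps []string) CRICapabilities {
	return CRICapabilities{AddCapabilities: copyCaps(caps), DropCapabilities: []string{"ALL"}}
}

// K8sContext: drop ALL, add back the listed caps, and set no_new_privs through
// allowPrivilegeEscalation:false so setuid binaries cannot regain anything.
func K8sContext(caps []string) K8sSecurityContext {
	return K8sSecurityContext{
		Privileged:               false,
		AllowPrivilegeEscalation: false,
		Capabilities:             K8sCapabilities{Add: copyCaps(caps), Drop: []string{"ALL"}},
	}
}

// EffectiveCaps extracts the CapEff bitmask from the text of /proc/<pid>/status.
// The caller reads the file; taking the text keeps the parser testable offline.
func EffectiveCaps(status string) (uint64, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			return strconv.ParseUint(strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), 16, 64)
		}
	}
	return 0, fmt.Errorf("no CapEff line in status text")
}

// MissingCaps returns the wanted caps that are not set in mask; unknown names
// count as missing rather than silently mapping to bit 0 (CHOWN).
func MissingCaps(mask uint64, wanted []string) []string {
	var missing []string
	for _, name := range wanted {
		if bit, ok := capBits[name]; !ok || mask&(uint64(1)<<bit) == 0 {
			missing = append(missing, name)
		}
	}
	return missing
}

func main() {
	for _, v := range []interface{}{DockerConfig(CollectorCaps), CRIConfig(CollectorCaps), K8sContext(CollectorCaps)} {
		out, _ := json.MarshalIndent(v, "", "  ")
		fmt.Println(string(out))
	}
	// Constructed /proc/self/status excerpt with only bits 19, 24, 38 and 39 set,
	// which is what drop ALL plus the four adds should yield inside the container.
	const sample = "Name:\tcollector\nCapInh:\t0000000000000000\nCapEff:\t000000c001080000\n"
	mask, err := EffectiveCaps(sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CapEff=%#x missing=%v\n", mask, MissingCaps(mask, CollectorCaps))
}
```

Note the asymmetry the PR's file table also shows: the CRI and K8s paths drop ALL before adding, while the Docker path only sets CapAdd, so the Docker container keeps Docker's default capability set plus the four. A reviewer who wants the three paths to be equivalent would also set HostConfig.CapDrop to ALL on the Docker path.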

Deploy collector with CAP_BPF, CAP_PERFMON, CAP_SYS_PTRACE, and
CAP_SYS_RESOURCE instead of privileged:true across all three container
runtime paths (Docker, CRI, K8s).

Changes:
- Add CapAdd field to ContainerStartConfig
- Wire CapAdd to Docker HostConfig
- Wire CapAdd to CRI LinuxContainerSecurityContext with drop ALL
- Set K8s SecurityContext with explicit capabilities and
  allowPrivilegeEscalation:false
- Set Docker collector manager to Privileged:false with CapAdd
@robbycochran robbycochran requested a review from a team as a code owner June 10, 2026 23:47
@coderabbitai

coderabbitai Bot commented Jun 10, 2026


Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: a4d65f2e-9d05-4ab7-bb1b-cdf95b6b0290

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov-commenter

codecov-commenter commented Jun 10, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 27.34%. Comparing base (339edbf) to head (ab4f6f9).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #3447   +/-   ##
=======================================
  Coverage   27.34%   27.34%           
=======================================
  Files          95       95           
  Lines        5420     5420           
  Branches     2545     2545           
=======================================
  Hits         1482     1482           
  Misses       3211     3211           
  Partials      727      727           
Flag Coverage Δ
collector-unit-tests 27.34% <ø> (ø)

Flags with carried forward coverage won't be shown.

RHCOS 4.12-4.19 and RHEL 8 run kernel 4.18.0 where CAP_BPF is not
functional as a discrete capability — libbpf_probe_bpf_map_type()
returns EPERM. Add NeedsPrivileged() helper that detects these platforms
via VM_CONFIG and falls back to privileged: true, while modern kernels
(RHEL 9+, Ubuntu, COS, Flatcar) use the reduced capability set.

RHEL-SAP kernel builds (even on 5.14+) restrict BPF capability probing,
causing libbpf_probe_bpf_map_type() to return EPERM with discrete
CAP_BPF. Fall back to privileged mode on rhel-sap and rhel-s390x VMs.
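
As an added example, and not the PR's own NeedsPrivileged() helper: one way to make the fallback decision the two commit messages above describe, from the kernel release string and the VM config name. CAP_BPF and CAP_PERFMON only exist as capabilities distinct from CAP_SYS_ADMIN from Linux 5.8 onward, which is why a 4.18.0 kernel cannot run the reduced set. The function signature, the use of VM config names as prefixes, and the "rhel-sap" / "rhel-s390x" spellings are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// CAP_BPF and CAP_PERFMON were introduced in Linux 5.8; on older kernels the
// bpf() and perf_event_open() paths they gate still require CAP_SYS_ADMIN,
// which the reduced capability set deliberately omits.
const capBPFMajor, capBPFMinor = 5, 8

// VM configurations that must keep privileged:true even on 5.14+ kernels.
// Matching VM_CONFIG by prefix is an assumption of this example.
var privilegedOnlyConfigs = []string{"rhel-sap", "rhel-s390x"}

// leadingInt parses the digits at the start of s ("18" from "18-rc1").
func leadingInt(s string) (int, error) {
	end := 0
	for end < len(s) && s[end] >= '0' && s[end] <= '9' {
		end++
	}
	if end == 0 {
		return 0, fmt.Errorf("no leading integer in %q", s)
	}
	return strconv.Atoi(s[:end])
}

// KernelVersion returns major.minor from a uname -r string such as
// "4.18.0-553.el8_10.x86_64" or "6.8.0-45-generic".
func KernelVersion(release string) (major, minor int, err error) {
	parts := strings.SplitN(release, ".", 3)
	if len(parts) < 2 {
		return 0, 0, fmt.Errorf("unparseable kernel release %q", release)
	}
	if major, err = leadingInt(parts[0]); err != nil {
		return 0, 0, err
	}
	if minor, err = leadingInt(parts[1]); err != nil {
		return 0, 0, err
	}
	return major, minor, nil
}

// HasDiscreteCapBPF reports whether the kernel is new enough for CAP_BPF to
// exist separately from CAP_SYS_ADMIN. An unparseable release reports false.
func HasDiscreteCapBPF(release string) bool {
	major, minor, err := KernelVersion(release)
	if err != nil {
		return false
	}
	return major > capBPFMajor || (major == capBPFMajor && minor >= capBPFMinor)
}

// NeedsPrivileged decides whether the integration test must fall back to
// privileged:true: the VM is on the known-bad list, or the kernel predates
// CAP_BPF. An unknown VM image therefore degrades to the known-good privileged
// mode instead of failing at BPF load time.
func NeedsPrivileged(vmConfig, kernelRelease string) bool {
	for _, prefix := range privilegedOnlyConfigs {
		if strings.HasPrefix(vmConfig, prefix) {
			return true
		}
	}
	return !HasDiscreteCapBPF(kernelRelease)
}

func main() {
	// Constructed (VM config, uname -r) pairs standing in for the test VMs.
	cases := [][2]string{
		{"rhel-8", "4.18.0-553.el8_10.x86_64"},
		{"rhel-9", "5.14.0-427.el9.x86_64"},
		{"rhel-sap", "5.14.0-427.el9.x86_64"},
		{"ubuntu-2204", "6.8.0-45-generic"},
	}
	for _, c := range cases {
		fmt.Printf("%-12s %-26s privileged=%v\n", c[0], c[1], NeedsPrivileged(c[0], c[1]))
	}
}
```

The version gate is only a necessary condition: the second commit message shows a 5.14 kernel that still refuses the probe, so the explicit per-platform list has to stay alongside the kernel check, and the integration test should still assert on the outcome (a successful BPF load) rather than trust the decision.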