9 changes: 8 additions & 1 deletion integration-tests/pkg/collector/collector_docker.go
Expand Up @@ -120,10 +120,17 @@ func (c *DockerCollectorManager) IsRunning() (bool, error) {
}

func (c *DockerCollectorManager) createCollectorStartConfig() (config.ContainerStartConfig, error) {
privileged := config.NeedsPrivileged()
var capAdd []string
if !privileged {
capAdd = []string{"BPF", "PERFMON", "SYS_PTRACE", "SYS_RESOURCE"}
}

startConfig := config.ContainerStartConfig{
Name: "collector",
Image: config.Images().CollectorImage(),
Privileged: true,
Privileged: privileged,
CapAdd: capAdd,
NetworkMode: "host",
Mounts: c.mounts,
Env: c.env,
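Review bot: On the Docker path the collector now keeps the daemon's default capability set plus the four added ones, because `ContainerStartConfig` (container_config.go) gained only `CapAdd` and the visible part of `hostConfig` in executor_docker_api.go sets `CapAdd` with no `CapDrop`, whereas the k8s manager drops ALL and the CRI executor drops ALL whenever `CapAdd` is set — so the three launch paths do not run the collector with the same capability set. Adding `CapDrop: []string{"ALL"}` next to `CapAdd` in the Docker executor (guarded by `len(startConfig.CapAdd) > 0` to match executor_cri.go) would bring the non-privileged Docker runs into line, and `SecurityOpt: []string{"no-new-privileges"}` would mirror the `AllowPrivilegeEscalation=false` the k8s side sets. `createCollectorStartConfig` continues past the end of this hunk.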
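--- a/integration-tests/pkg/collector/collector_k8s.go
+++ b/integration-tests/pkg/collector/collector_k8s.go
@@ -129,14 +129,27 @@ func (k *K8sCollectorManager) Launch() error {
 Labels: map[string]string{"app": "collector"},
 }
 
-privileged := true
+needsPrivileged := config.NeedsPrivileged()
+secCtx := &coreV1.SecurityContext{}
+if needsPrivileged {
+secCtx.Privileged = &needsPrivileged
+} else {
+noPrivEsc := false
+notPrivileged := false
+secCtx.Privileged = &notPrivileged
+secCtx.AllowPrivilegeEscalation = &noPrivEsc
+secCtx.Capabilities = &coreV1.Capabilities{
+Drop: []coreV1.Capability{"ALL"},
+Add: []coreV1.Capability{"BPF", "PERFMON", "SYS_PTRACE", "SYS_RESOURCE"},
+}
+}
 container := coreV1.Container{
 Name: "collector",
 Image: config.Images().CollectorImage(),
 Ports: []coreV1.ContainerPort{{ContainerPort: 8080}},
 Env: k.env,
 VolumeMounts: k.volumeMounts,
-SecurityContext: &coreV1.SecurityContext{Privileged: &privileged},
+SecurityContext: secCtx,
 }
 
 pod := &coreV1.Pod{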
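Review bot: The security-context construction in the new lines declares three separate bool locals (`needsPrivileged`, `noPrivEsc`, `notPrivileged`) only to take their addresses, and the `else` branch re-derives the negation of a value already in hand. Initialising the context from the single flag — `privileged := config.NeedsPrivileged()` followed by `secCtx := &coreV1.SecurityContext{Privileged: &privileged}` — and keeping only the `AllowPrivilegeEscalation` and `Capabilities` assignments inside `if !privileged { … }` gives the same context on both branches and drops the `else`. A short comment on the capability block, e.g. `// Least privilege: start from no capabilities and add only what the collector needs.`, would record why ALL is dropped here but not on the privileged branch. `Launch` starts before and continues after this hunk.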
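--- a/integration-tests/pkg/config/config.go
+++ b/integration-tests/pkg/config/config.go
@@ -170,3 +170,26 @@ func BenchmarksInfo() *Benchmarks {
 func LogPath() string {
 return filepath.Join(".", "container-logs", VMInfo().Config, CollectionMethod())
 }
+
+// NeedsPrivileged returns true for VMs where CAP_BPF and CAP_PERFMON are
+// not functional as discrete capabilities:
+// - RHCOS 4.12-4.19: RHEL 8 kernel (4.18.0) lacks discrete CAP_BPF
+// - RHEL 8: same kernel limitation
+// - RHEL-SAP: SAP kernel builds restrict BPF capability probing even on 5.14+
+// - s390x: RHEL 8 kernel
+func NeedsPrivileged() bool {
+vmConfig := VMInfo().Config
+privilegedPlatforms := []string{
+"rhcos-412", "rhcos-413", "rhcos-414", "rhcos-415",
+"rhcos-416", "rhcos-417", "rhcos-418", "rhcos-419",
+"rhel_rhel-8", "rhel-8",
+"rhel-sap",
+"rhel-s390x",
+}
+for _, pattern := range privilegedPlatforms {
+if strings.Contains(vmConfig, pattern) {
+return true
+}
+}
+return false
+}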
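Review bot: `NeedsPrivileged` matches with `strings.Contains`, so the `"rhel_rhel-8"` entry is redundant (any string containing it already contains `"rhel-8"`), and substring matching makes the list broader than the doc comment states: a config name that merely contains `rhel-8` or `rhel-sap` anywhere will silently run the collector fully privileged and skip the capability-restricted path the rest of this PR introduces, with nothing in the test output saying so. If `VMInfo().Config` has a fixed format (its producer is not visible from here), an exact or prefix comparison would fail loudly on an unexpected name, and hoisting the table to a package-level `var privilegedPlatforms = []string{…}` avoids rebuilding it on every call. The function also presumes `strings` is already imported by config.go; the import block is outside this hunk.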
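--- a/integration-tests/pkg/config/container_config.go
+++ b/integration-tests/pkg/config/container_config.go
@@ -4,6 +4,7 @@ type ContainerStartConfig struct {
 Name string
 Image string
 Privileged bool
+CapAdd []string
 NetworkMode string
 Mounts map[string]string
 Env map[string]string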
20 changes: 14 additions & 6 deletions integration-tests/pkg/executor/executor_cri.go
Expand Up @@ -226,18 +226,26 @@ func (c *criExecutor) StartContainer(config config.ContainerStartConfig) (string
})
}

secCtx := &pb.LinuxContainerSecurityContext{
Privileged: config.Privileged,
NamespaceOptions: &pb.NamespaceOption{
Network: network,
},
}
if len(config.CapAdd) > 0 {
secCtx.Capabilities = &pb.Capability{
AddCapabilities: config.CapAdd,
DropCapabilities: []string{"ALL"},
}
}

containerConfig := pb.ContainerConfig{
Metadata: &pb.ContainerMetadata{Name: config.Name},
Image: &pb.ImageSpec{Image: config.Image},
Envs: envs,
Mounts: mounts,
Linux: &pb.LinuxContainerConfig{
SecurityContext: &pb.LinuxContainerSecurityContext{
Privileged: config.Privileged,
NamespaceOptions: &pb.NamespaceOption{
Network: network,
},
},
SecurityContext: secCtx,
},
LogPath: config.Name,
Labels: labels,
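Review bot: The new `if len(config.CapAdd) > 0` block ties dropping ALL to the presence of added capabilities without saying so, and that coupling is what keeps the CRI path consistent with the k8s security context; a comment would make it deliberate: `// Start from an empty capability set so the container gets exactly CapAdd (mirrors the k8s SecurityContext in collector_k8s.go).` Note also that the `config` parameter shadows the `config` package inside `StartContainer`, which predates this change but becomes easier to misread as more fields are pulled from it. `StartContainer` starts before and continues after this hunk.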
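--- a/integration-tests/pkg/executor/executor_docker_api.go
+++ b/integration-tests/pkg/executor/executor_docker_api.go
@@ -150,6 +150,7 @@ func (d *dockerAPIExecutor) StartContainer(startConfig config.ContainerStartConf
 NetworkMode: container.NetworkMode(startConfig.NetworkMode),
 Privileged: startConfig.Privileged,
 Binds: binds,
+CapAdd: startConfig.CapAdd,
 }
 resp, err := d.client.ContainerCreate(ctx, containerConfig, hostConfig, nil, nil, startConfig.Name)
 if err != nil {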