add shieldGuard changes (#1287)

* add shieldGuard changes * update trivyignore --------- Co-authored-by: Amol Agrawal <amagraw@microsoft.com>
microsoft · Jul 10, 2024 · bb8cb3c · bb8cb3c
1 parent 3982365
commit bb8cb3c
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 0 deletions.
diff --git a/.trivyignore b/.trivyignore
@@ -21,6 +21,7 @@ CVE-2024-24783
 CVE-2024-24784
 CVE-2024-24785
 CVE-2024-24790
+CVE-2024-24791
 
 # go high
 CVE-2024-24789
diff --git a/charts/azuremonitor-containers/templates/ama-logs-daemonset-windows.yaml b/charts/azuremonitor-containers/templates/ama-logs-daemonset-windows.yaml
@@ -49,6 +49,12 @@ spec:
        imagePullPolicy: IfNotPresent
        resources:
 {{ toYaml .Values.amalogs.resources.daemonsetwindows | indent 9 }}
+       securityContext:
+        capabilities:
+          drop:
+            - ALL
+          add:
+            - DAC_OVERRIDE
        env:
        - name: FBIT_SERVICE_FLUSH_INTERVAL
          value: "15"

diff --git a/charts/azuremonitor-containers/templates/ama-logs-daemonset.yaml b/charts/azuremonitor-containers/templates/ama-logs-daemonset.yaml
@@ -141,6 +141,11 @@ spec:
               fieldPath: spec.nodeName
        securityContext:
          privileged: true
+         capabilities:
+          drop:
+            - ALL
+          add:
+            - DAC_OVERRIDE
        ports:
        - containerPort: 25225
          protocol: TCP
@@ -244,6 +249,11 @@ spec:
               fieldPath: spec.nodeName
        securityContext:
          privileged: true
+         capabilities:
+          drop:
+            - ALL
+          add:
+            - DAC_OVERRIDE
        volumeMounts:
          {{- if .Values.amalogs.enableServiceAccountTimeBoundToken }}
          - name: kube-api-access

diff --git a/charts/azuremonitor-containers/templates/ama-logs-deployment.yaml b/charts/azuremonitor-containers/templates/ama-logs-deployment.yaml
@@ -124,6 +124,11 @@ spec:
               fieldPath: spec.nodeName
        securityContext:
          privileged: true
+         capabilities:
+          drop:
+            - ALL
+          add:
+            - DAC_OVERRIDE
        ports:
        - containerPort: 25225
          protocol: TCP

diff --git a/kubernetes/ama-logs.yaml b/kubernetes/ama-logs.yaml
@@ -457,6 +457,11 @@ spec:
               value: "28331"
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - DAC_OVERRIDE
           ports:
             - containerPort: 25225
               protocol: TCP
@@ -565,6 +570,11 @@ spec:
             #   value: "true"
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - DAC_OVERRIDE
           volumeMounts:
             - name: kube-api-access
               mountPath: /var/run/secrets/kubernetes.io/serviceaccount
@@ -843,6 +853,11 @@ spec:
               value: "28331"
           securityContext:
             privileged: true
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - DAC_OVERRIDE
           ports:
             - containerPort: 25225
               protocol: TCP
@@ -1038,6 +1053,12 @@ spec:
           limits:
            cpu: 2
            memory: 2Gi
+         securityContext:
+          capabilities:
+           drop:
+            - ALL
+           add:
+            - DAC_OVERRIDE
          env:
           - name: CONTAINER_MEMORY_LIMIT_IN_BYTES
             valueFrom: