Merge remote-tracking branch 'metalbear-co/main' into dimad/mbe-510-p…

…roxy-randomly-closes-during-connection
metalbear-co · Jan 28, 2025 · 4fe4849 · 4fe4849
2 parents ff822ee + 05a6484
commit 4fe4849
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 9 deletions.
diff --git a/changelog.d/+targetless-privileged.fixed.md b/changelog.d/+targetless-privileged.fixed.md
@@ -0,0 +1 @@
+`agent.privileged` no longer affects targetless agent's pods.
diff --git a/mirrord-schema.json b/mirrord-schema.json
@@ -284,7 +284,7 @@
         },
         "disabled_capabilities": {
           "title": "agent.disabled_capabilities {#agent-disabled_capabilities}",
-          "description": "Disables specified Linux capabilities for the agent container. If nothing is disabled here, agent uses `NET_ADMIN`, `NET_RAW`, `SYS_PTRACE` and `SYS_ADMIN`.",
+          "description": "Disables specified Linux capabilities for the agent container. If nothing is disabled here, agent uses `NET_ADMIN`, `NET_RAW`, `SYS_PTRACE` and `SYS_ADMIN`.\n\nHas no effect when using the targetless mode, as targetless agent containers have no capabilities.",
           "type": [
             "array",
             "null"
@@ -423,7 +423,7 @@
         },
         "privileged": {
           "title": "agent.privileged {#agent-privileged}",
-          "description": "Run the mirror agent as privileged container. Defaults to `false`.\n\nMight be needed in strict environments such as Bottlerocket.",
+          "description": "Run the mirror agent as privileged container. Defaults to `false`.\n\nMight be needed in strict environments such as Bottlerocket.\n\nHas no effect when using the targetless mode, as targetless agent containers are never privileged.",
           "type": [
             "boolean",
             "null"

diff --git a/mirrord/config/configuration.md b/mirrord/config/configuration.md
@@ -196,6 +196,9 @@ Disables specified Linux capabilities for the agent container.
 If nothing is disabled here, agent uses `NET_ADMIN`, `NET_RAW`, `SYS_PTRACE` and
 `SYS_ADMIN`.
 
+Has no effect when using the targetless mode,
+as targetless agent containers have no capabilities.
+
 ### agent.dns {#agent-dns}
 
 ### agent.ephemeral {#agent-ephemeral}
@@ -355,6 +358,9 @@ Defaults to `false`.
 
 Might be needed in strict environments such as Bottlerocket.
 
+Has no effect when using the targetless mode,
+as targetless agent containers are never privileged.
+
 ### agent.resources {#agent-resources}
 
 Set pod resource reqirements. (not with ephemeral agents)

diff --git a/mirrord/config/src/agent.rs b/mirrord/config/src/agent.rs
@@ -236,6 +236,9 @@ pub struct AgentConfig {
     /// Disables specified Linux capabilities for the agent container.
     /// If nothing is disabled here, agent uses `NET_ADMIN`, `NET_RAW`, `SYS_PTRACE` and
     /// `SYS_ADMIN`.
+    ///
+    /// Has no effect when using the targetless mode,
+    /// as targetless agent containers have no capabilities.
     pub disabled_capabilities: Option<Vec<LinuxCapability>>,
 
     /// ### agent.tolerations {#agent-tolerations}
@@ -291,6 +294,9 @@ pub struct AgentConfig {
     /// Defaults to `false`.
     ///
     /// Might be needed in strict environments such as Bottlerocket.
+    ///
+    /// Has no effect when using the targetless mode,
+    /// as targetless agent containers are never privileged.
     #[config(default = false)]
     pub privileged: bool,
 

diff --git a/mirrord/kube/src/api/container/job.rs b/mirrord/kube/src/api/container/job.rs
@@ -291,9 +291,6 @@ mod test {
                                 "name": "mirrord-agent",
                                 "image": agent.image(),
                                 "imagePullPolicy": agent.image_pull_policy,
-                                "securityContext": {
-                                    "privileged": agent.privileged
-                                },
                                 "command": ["./mirrord-agent", "-l", "3000", "targetless"],
                                 "env": [
                                     { "name": "RUST_LOG", "value": agent.log_level },

diff --git a/mirrord/kube/src/api/container/pod.rs b/mirrord/kube/src/api/container/pod.rs
@@ -134,10 +134,6 @@ impl ContainerVariant for PodVariant<'_> {
                     env: Some(env),
                     // Add requests to avoid getting defaulted https://github.com/metalbear-co/mirrord/issues/579
                     resources: Some(resources),
-                    security_context: Some(SecurityContext {
-                        privileged: Some(agent.privileged),
-                        ..Default::default()
-                    }),
                     ..Default::default()
                 }],
                 ..Default::default()
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		`agent.privileged` no longer affects targetless agent's pods.