From be0797e9a2bcd60b3f50a6b9130f1a04ec5fca3a Mon Sep 17 00:00:00 2001
From: Razz4780
Date: Tue, 28 Jan 2025 09:47:47 +0100
Subject: [PATCH 1/5] Removed security context from targetless agents
---
 changelog.d/+targetless-privileged.fixed.md | 1 +
 mirrord/kube/src/api/container/pod.rs | 4 ----
 2 files changed, 1 insertion(+), 4 deletions(-)
 create mode 100644 changelog.d/+targetless-privileged.fixed.md
diff --git a/changelog.d/+targetless-privileged.fixed.md b/changelog.d/+targetless-privileged.fixed.md
new file mode 100644
index 00000000000..0c8c9f8ad1e
--- /dev/null
+++ b/changelog.d/+targetless-privileged.fixed.md
@@ -0,0 +1 @@
+mirrord no longer requires targetless agents' pods to be privileged.
diff --git a/mirrord/kube/src/api/container/pod.rs b/mirrord/kube/src/api/container/pod.rs
index 984a3fd8afa..c627e3022bd 100644
--- a/mirrord/kube/src/api/container/pod.rs
+++ b/mirrord/kube/src/api/container/pod.rs
@@ -134,10 +134,6 @@ impl ContainerVariant for PodVariant<'_> {
 env: Some(env),
 // Add requests to avoid getting defaulted https://github.com/metalbear-co/mirrord/issues/579
 resources: Some(resources),
- security_context: Some(SecurityContext {
- privileged: Some(agent.privileged),
- ..Default::default()
- }),
 ..Default::default()
 }],
 ..Default::default()
From 693dc5b5acab4e422c5f7300508d8f8897514b27 Mon Sep 17 00:00:00 2001
From: Razz4780
Date: Tue, 28 Jan 2025 09:53:55 +0100
Subject: [PATCH 2/5] Updated schema and configuration.md
---
 mirrord-schema.json | 4 ++--
 mirrord/config/configuration.md | 6 ++++++
 mirrord/config/src/agent.rs | 6 ++++++
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/mirrord-schema.json b/mirrord-schema.json
index 0cebfb20ce9..1add0f98916 100644
--- a/mirrord-schema.json
+++ b/mirrord-schema.json
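Review bot: Nothing in `PodVariant` now records why the targetless container is built without a `security_context`, so the reasoning lives only in the changelog; a comment at the removed lines would keep it next to the code, e.g. `// No security context: the targetless agent needs no extra capabilities, and agent.privileged does not apply to it.` If `SecurityContext` was imported only for this block, that import is now unused and will warn; the file's `use` lines are outside the hunk. If the targetless pod is expected to run in namespaces that enforce a restricted pod-security level, stating a hardened context explicitly — `security_context: Some(SecurityContext { allow_privilege_escalation: Some(false), ..Default::default() }),` — would express that rather than relying on the cluster's defaults, though I cannot tell from the hunk whether that is a goal. The enclosing `impl ContainerVariant for PodVariant<'_>` starts and ends outside the hunk.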
@@ -284,7 +284,7 @@
 },
 "disabled_capabilities": {
 "title": "agent.disabled_capabilities {#agent-disabled_capabilities}",
- "description": "Disables specified Linux capabilities for the agent container. If nothing is disabled here, agent uses `NET_ADMIN`, `NET_RAW`, `SYS_PTRACE` and `SYS_ADMIN`.",
+ "description": "Disables specified Linux capabilities for the agent container. If nothing is disabled here, agent uses `NET_ADMIN`, `NET_RAW`, `SYS_PTRACE` and `SYS_ADMIN`.\n\nHas no effect when using the targetless mode, as targetless agent containers have no capabilities.",
 "type": [
 "array",
 "null"
@@ -423,7 +423,7 @@
 },
 "privileged": {
 "title": "agent.privileged {#agent-privileged}",
- "description": "Run the mirror agent as privileged container. Defaults to `false`.\n\nMight be needed in strict environments such as Bottlerocket.",
+ "description": "Run the mirror agent as privileged container. Defaults to `false`.\n\nMight be needed in strict environments such as Bottlerocket.\n\nHas no effect when using the targetless mode, as targetless agent containers are never privileged.",
 "type": [
 "boolean",
 "null"
diff --git a/mirrord/config/configuration.md b/mirrord/config/configuration.md
index 20d3dbc0e0e..57b5cd32900 100644
--- a/mirrord/config/configuration.md
+++ b/mirrord/config/configuration.md
@@ -196,6 +196,9 @@ Disables specified Linux capabilities for the agent container. If nothing is disabled here, agent uses `NET_ADMIN`, `NET_RAW`, `SYS_PTRACE` and `SYS_ADMIN`.
+Has no effect when using the targetless mode,
+as targetless agent containers have no capabilities.
+
 ### agent.dns {#agent-dns}
 ### agent.ephemeral {#agent-ephemeral}
@@ -355,6 +358,9 @@ Defaults to `false`. Might be needed in strict environments such as Bottlerocket.
+Has no effect when using the targetless mode,
+as targetless agent containers are never privileged.
+
 ### agent.resources {#agent-resources}
 Set pod resource reqirements. (not with ephemeral agents) 
diff --git a/mirrord/config/src/agent.rs b/mirrord/config/src/agent.rs
index caf1d131a25..06f8126aa0a 100644
--- a/mirrord/config/src/agent.rs
+++ b/mirrord/config/src/agent.rs
@@ -236,6 +236,9 @@ pub struct AgentConfig {
 /// Disables specified Linux capabilities for the agent container.
 /// If nothing is disabled here, agent uses `NET_ADMIN`, `NET_RAW`, `SYS_PTRACE` and
 /// `SYS_ADMIN`.
+ ///
+ /// Has no effect when using the targetless mode,
+ /// as targetless agent containers have no capabilities.
 pub disabled_capabilities: Option>,
 /// ### agent.tolerations {#agent-tolerations}
@@ -291,6 +294,9 @@ pub struct AgentConfig {
 /// Defaults to `false`.
 ///
 /// Might be needed in strict environments such as Bottlerocket.
+ ///
+ /// Has no effect when using the targetless mode,
+ /// as targetless agent containers are never privileged.
 #[config(default = false)]
 pub privileged: bool,
From 96fbc3ae109bd90753eeea2b1e1002fb99dbb63c Mon Sep 17 00:00:00 2001
From: Razz4780
Date: Tue, 28 Jan 2025 10:02:53 +0100
Subject: [PATCH 3/5] Changelog fixed
---
 changelog.d/+targetless-privileged.fixed.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelog.d/+targetless-privileged.fixed.md b/changelog.d/+targetless-privileged.fixed.md
index 0c8c9f8ad1e..e0208ff39e2 100644
--- a/changelog.d/+targetless-privileged.fixed.md
+++ b/changelog.d/+targetless-privileged.fixed.md
@@ -1 +1 @@
-mirrord no longer requires targetless agents' pods to be privileged.
+`agent.privileged` no longer affects targetless agent's pods.
From 8f1647ee63753438a2a2c614e969e46aa1d5d2b8 Mon Sep 17 00:00:00 2001
From: Razz4780
Date: Tue, 28 Jan 2025 10:03:04 +0100
Subject: [PATCH 4/5] fmt
---
 mirrord/config/src/agent.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mirrord/config/src/agent.rs b/mirrord/config/src/agent.rs
index 06f8126aa0a..7f8cbfa0967 100644
--- a/mirrord/config/src/agent.rs
+++ b/mirrord/config/src/agent.rs
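Review bot: The added doc line `/// as targetless agent containers have no capabilities.` overstates the situation: a container whose spec carries no `securityContext` still runs with the container runtime's default capability set, it just gets none added by mirrord, so the field's no-op status is real but the stated reason is not. `/// as mirrord does not add any capabilities to targetless agent containers.` would be accurate. The same sentence appears in the `mirrord-schema.json` and `configuration.md` hunks of this patch, which look generated from this doc comment, so correcting it here should carry over to both. `AgentConfig` starts and ends outside the hunk.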
@@ -236,7 +236,7 @@ pub struct AgentConfig {
 /// Disables specified Linux capabilities for the agent container.
 /// If nothing is disabled here, agent uses `NET_ADMIN`, `NET_RAW`, `SYS_PTRACE` and
 /// `SYS_ADMIN`.
- ///
+ ///
 /// Has no effect when using the targetless mode,
 /// as targetless agent containers have no capabilities.
 pub disabled_capabilities: Option>,
@@ -294,7 +294,7 @@ pub struct AgentConfig {
 /// Defaults to `false`.
 ///
 /// Might be needed in strict environments such as Bottlerocket.
- ///
+ ///
 /// Has no effect when using the targetless mode,
 /// as targetless agent containers are never privileged.
 #[config(default = false)]
From 4dbdcfdf2716fb7364f741a9a2105a73e49778df Mon Sep 17 00:00:00 2001
From: Razz4780
Date: Tue, 28 Jan 2025 10:44:55 +0100
Subject: [PATCH 5/5] Fix UT
---
 mirrord/kube/src/api/container/job.rs | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/mirrord/kube/src/api/container/job.rs b/mirrord/kube/src/api/container/job.rs
index 7c3247a091f..190e1ebc518 100644
--- a/mirrord/kube/src/api/container/job.rs
+++ b/mirrord/kube/src/api/container/job.rs
@@ -291,9 +291,6 @@ mod test {
 "name": "mirrord-agent",
 "image": agent.image(),
 "imagePullPolicy": agent.image_pull_policy,
- "securityContext": {
- "privileged": agent.privileged
- },
 "command": ["./mirrord-agent", "-l", "3000", "targetless"],
 "env": [
 { "name": "RUST_LOG", "value": agent.log_level },
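Review bot: Dropping `securityContext` from the expected JSON only shows that the fixture's `agent` yields no security context; it does not pin the behaviour the changelog claims — that `agent.privileged` is ignored for targetless agents — unless that `agent` has `privileged: true`, which I cannot see from the hunk. If the test compares the whole expected spec, setting `privileged: true` on the `agent` used here (or adding a second case with it set) would make the test fail should the field ever be reintroduced. The enclosing test function and `mod test` start and end outside the hunk.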