Don't use privileged for targetless agent containers

changelog.d/+targetless-privileged.fixed.md

@@ -0,0 +1 @@
+mirrord no longer requires targetless agents' pods to be privileged.

mirrord-schema.json

@@ -284,7 +284,7 @@
         },
         "disabled_capabilities": {
           "title": "agent.disabled_capabilities {#agent-disabled_capabilities}",
-          "description": "Disables specified Linux capabilities for the agent container. If nothing is disabled here, agent uses `NET_ADMIN`, `NET_RAW`, `SYS_PTRACE` and `SYS_ADMIN`.",
+          "description": "Disables specified Linux capabilities for the agent container. If nothing is disabled here, agent uses `NET_ADMIN`, `NET_RAW`, `SYS_PTRACE` and `SYS_ADMIN`.\n\nHas no effect when using the targetless mode, as targetless agent containers have no capabilities.",
           "type": [
             "array",
             "null"
@@ -423,7 +423,7 @@
         },
         "privileged": {
           "title": "agent.privileged {#agent-privileged}",
-          "description": "Run the mirror agent as privileged container. Defaults to `false`.\n\nMight be needed in strict environments such as Bottlerocket.",
+          "description": "Run the mirror agent as privileged container. Defaults to `false`.\n\nMight be needed in strict environments such as Bottlerocket.\n\nHas no effect when using the targetless mode, as targetless agent containers are never privileged.",
           "type": [
             "boolean",
             "null"

mirrord/config/configuration.md

@@ -196,6 +196,9 @@ Disables specified Linux capabilities for the agent container.
 If nothing is disabled here, agent uses `NET_ADMIN`, `NET_RAW`, `SYS_PTRACE` and
 `SYS_ADMIN`.
 
+Has no effect when using the targetless mode,
+as targetless agent containers have no capabilities.
+
 ### agent.dns {#agent-dns}
 
 ### agent.ephemeral {#agent-ephemeral}
@@ -355,6 +358,9 @@ Defaults to `false`.
 
 Might be needed in strict environments such as Bottlerocket.
 
+Has no effect when using the targetless mode,
+as targetless agent containers are never privileged.
+
 ### agent.resources {#agent-resources}
 
 Set pod resource reqirements. (not with ephemeral agents)

mirrord/config/src/agent.rs

@@ -233,9 +233,12 @@
 
     /// ### agent.disabled_capabilities {#agent-disabled_capabilities}
     ///
     /// Disables specified Linux capabilities for the agent container.
     /// If nothing is disabled here, agent uses `NET_ADMIN`, `NET_RAW`, `SYS_PTRACE` and
     /// `SYS_ADMIN`.
+    /// 
+    /// Has no effect when using the targetless mode,
+    /// as targetless agent containers have no capabilities.
     pub disabled_capabilities: Option<Vec<LinuxCapability>>,
 
     /// ### agent.tolerations {#agent-tolerations}
@@ -288,9 +291,12 @@
     /// ### agent.privileged {#agent-privileged}
     ///
     /// Run the mirror agent as privileged container.
     /// Defaults to `false`.
     ///
     /// Might be needed in strict environments such as Bottlerocket.
+    /// 
+    /// Has no effect when using the targetless mode,
+    /// as targetless agent containers are never privileged.
     #[config(default = false)]
     pub privileged: bool,
 

mirrord/kube/src/api/container/pod.rs

@@ -134,10 +134,6 @@ impl ContainerVariant for PodVariant<'_> {
                     env: Some(env),
                     // Add requests to avoid getting defaulted https://github.com/metalbear-co/mirrord/issues/579
                     resources: Some(resources),
-                    security_context: Some(SecurityContext {
-                        privileged: Some(agent.privileged),
-                        ..Default::default()
-                    }),
                     ..Default::default()
                 }],
                 ..Default::default()