Skip to content

fix: don't set Privileged when AllowPrivilegeEscalation is false for skills#1551

Open
skhedim wants to merge 2 commits intokagent-dev:mainfrom
skhedim:fix/skills-privileged-pss-conflict
Open

fix: don't set Privileged when AllowPrivilegeEscalation is false for skills#1551
skhedim wants to merge 2 commits intokagent-dev:mainfrom
skhedim:fix/skills-privileged-pss-conflict

Conversation

@skhedim
Copy link
Contributor

@skhedim skhedim commented Mar 26, 2026

Problem

When an Agent spec includes a container securityContext with
allowPrivilegeEscalation: false (PSS Restricted profile) and the agent
has spec.skills.refs configured, the controller generates an invalid pod spec:

cannot set allowPrivilegeEscalation to false and privileged to true

Kubernetes rejects this combination at admission time, leaving the agent stuck
in a reconciliation loop with all pods failing to start.

Root cause

buildManifest() sets needSandbox = true when skills are present (because
skills use BashTool which calls srt → bubblewrap for sandboxing), then
blindly sets Privileged: true on whatever securityContext is provided —
including one that already has AllowPrivilegeEscalation: false.

The securityContext merge did not check for this conflict before setting
Privileged: true.

Fix

Add a helper allowPrivilegeEscalationExplicitlyFalse() that detects when the
user has opted out of privilege escalation, and skip Privileged: true in
that case.

When Privileged is withheld, srt degrades gracefully: on modern kernels
(EKS, GKE, AL2023 ≥ 5.10) that have unprivileged user namespaces enabled
(user.max_user_namespaces > 0), bubblewrap can still create sandboxes using
clone(CLONE_NEWUSER) without requiring a privileged seccomp profile.

Note on seccomp: The containerd RuntimeDefault seccomp profile blocks
clone(CLONE_NEWUSER) without CAP_SYS_ADMIN. Users who need full bwrap
sandbox execution (running bash scripts inside skills) must additionally
provide a custom seccompProfile: Localhost with a profile that allows
user namespace syscalls. This PR makes agent deployment possible for
PSS-Restricted namespaces; the seccomp tuning is an operational concern
separate from this bug.

Behaviour matrix

Agent spec needSandbox Result
skills or executeCode, no custom securityContext true Privileged: true — full bwrap sandbox (unchanged)
skills + allowPrivilegeEscalation: false true No Privileged — srt uses user-namespace mode
executeCode + allowPrivilegeEscalation: false true No Privileged — srt uses user-namespace mode
No skills, no executeCode false No securityContext created (unchanged)

Changes

go/core/internal/controller/translator/agent/adk_api_translator.go

  • Add comment explaining why needSandbox = true for skills (BashTool → srt → bwrap)
  • Fix securityContext merge: guard Privileged: true with allowPrivilegeEscalationExplicitlyFalse()
  • Add allowPrivilegeEscalationExplicitlyFalse() helper

go/core/internal/controller/translator/agent/security_context_test.go

  • Replace TestSecurityContext_WithSandbox (which tested an internally
    contradictory state) with two focused tests:
    • TestSecurityContext_SkillsDefaultPrivilegedSandbox: no custom
      securityContext → Privileged: true (default sandbox path)
    • TestSecurityContext_SkillsPSSRestricted: allowPrivilegeEscalation: false
      → no Privileged, original securityContext fields preserved intact

Testing

cd go
go test -race -skip 'TestE2E.*' -v ./core/internal/controller/translator/agent/...

All existing tests pass. Two new tests cover both code paths.

Related

@skhedim
fix: don't set Privileged when AllowPrivilegeEscalation is false for …
154e1f9 
…skills.

Signed-off-by: skhedim <sebastien.khedim@gmail.com>
Copilot AI review requested due to automatic review settings March 26, 2026 14:04
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes a controller bug where sandboxing logic for skills/executeCode could force SecurityContext.Privileged=true even when the user explicitly set allowPrivilegeEscalation: false, producing an invalid PodSpec rejected by Kubernetes admission.

Changes:

  • Document why skills require sandboxing (BashTool → srt → bubblewrap) and set needSandbox=true when skills are present.
  • Update container securityContext merging to avoid setting Privileged=true when AllowPrivilegeEscalation is explicitly false.
  • Replace the prior sandbox securityContext test with two focused tests covering default skills behavior and PSS-restricted behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
go/core/internal/controller/translator/agent/adk_api_translator.go Adds an AllowPrivilegeEscalation=false guard to prevent generating an invalid {privileged: true, allowPrivilegeEscalation: false} security context.
go/core/internal/controller/translator/agent/security_context_test.go Updates tests to validate privileged defaulting for skills and to verify privileged is not forced under PSS-restricted security contexts.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@EItanya EItanya Awaiting requested review from EItanya EItanya is a code owner

@ilackarms ilackarms Awaiting requested review from ilackarms ilackarms is a code owner

@yuval-k yuval-k Awaiting requested review from yuval-k yuval-k is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@skhedim