chore(module): add more exceptions for privileged containers

.helmignore

@@ -6,8 +6,19 @@ images
 lib
 Makefile
 openapi
+src
+test
+tools
 *.md
 release.yaml
 werf*.yaml
 NOTES.txt
+.dmtlint.yaml
+.editorconfig
 .git
+.github
+.gocache
+.idea
+.mirrods
+.pi*
+.prettierignore

Chart.yaml

@@ -2,5 +2,5 @@ name: virtualization
 version: 0.0.1
 dependencies:
   - name: deckhouse_lib_helm
-    version: 1.55.1
+    version: 1.72.0
     repository: https://deckhouse.github.io/lib-helm

Taskfile.yaml

@@ -26,7 +26,7 @@ includes:
     dir: ./src/cli
 
 vars:
-  deckhouse_lib_helm_ver: 1.55.1
+  deckhouse_lib_helm_ver: 1.72.0
   TRIVY_VERSION: 0.55.0
   target: ""
   VALIDATION_FILES: "tools/validation/{main,messages,diff,no_cyrillic,doc_changes}.go"
@@ -102,16 +102,32 @@ tasks:
     deps:
       - check-helm
     cmds:
-      - helm repo add deckhouse https://deckhouse.github.io/lib-helm
-      - helm repo update deckhouse
-      - helm dep update
+      - |
+        echo -e "Step 1: Add deckhouse Helm repo\n"
+        helm repo add deckhouse https://deckhouse.github.io/lib-helm
+        echo -e "\nStep 2: Update deckhouse Helm repo\n"
+        helm repo update deckhouse
+        echo -e "\nStep 3: Update dependencies\n"
+        helm dep update
 
   helm-bump-helm-lib:
     deps:
       - check-yq
     cmds:
+      - |
+        lib_helm_ver=$(yq '.dependencies[] | select(.name == "deckhouse_lib_helm").version' Chart.yaml)
+        echo lib_helm version before update: $lib_helm_ver && echo
       - yq -i '.dependencies[] |= select(.name == "deckhouse_lib_helm").version = "{{ .deckhouse_lib_helm_ver }}"' Chart.yaml
       - task: helm-update-subcharts
+      - |
+        lib_helm_ver=$(yq '.dependencies[] | select(.name == "deckhouse_lib_helm").version' Chart.yaml)
+        echo && echo lib_helm version after update: $lib_helm_ver
+
+  helm-render:
+    deps:
+      - check-helm
+    cmds:
+      - helm template virtualization . -f tools/kubeconform/fixtures/module-values.yaml --debug --devel > helm-template-render.yaml
 
   build:
     deps:

requirements.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: deckhouse_lib_helm
   repository: https://deckhouse.github.io/lib-helm
-  version: 1.55.1
-digest: sha256:5bdef3964d2672b8ff290f32e22569bc502e040e4e70274cab1762f27d9982e0
-generated: "2025-05-30T11:27:37.094721+03:00"
+  version: 1.72.0
+digest: sha256:f726180e4e40570dbeb4ed1cf000fe1a971458e68272a246745ce8c00ccf2e36
+generated: "2026-06-03T23:47:51.611585+03:00"

templates/kubevirt/_kubevirt_helpers.tpl

@@ -169,6 +169,46 @@ spec:
 '{{ include "kubevirt.virt_handler_probes_strategic_patch" . | fromYaml | toJson }}'
 {{- end }}
 
+
+{{- define "kubevirt.virt_handler_security_contexts_strategic_patch" -}}
+spec:
+  template:
+    spec:
+      containers:
+      - name: virt-handler
+        securityContext:
+          privileged: true
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: true
+          runAsUser: 0
+          runAsGroup: 0
+          seLinuxOptions:
+            level: s0
+      - name: virt-launcher-image-holder
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          seccompProfile:
+            type: RuntimeDefault
+      initContainers:
+      - name: virt-launcher
+        securityContext:
+          privileged: true
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: true
+          runAsUser: 0
+          runAsGroup: 0
+{{- end -}}
+
+
+{{- define "kubevirt.virt_handler_security_contexts_strategic_patch_json" -}}
+'{{ include "kubevirt.virt_handler_security_contexts_strategic_patch" . | fromYaml | toJson }}'
+{{- end }}
+
+
 {{/* Calculate parallel migrations per cluster.
  This template returns:
   - Count of nodes with virt-handler if kubevirt config is in 'Deployed' phase.

templates/kubevirt/kubevirt.yaml

@@ -290,10 +290,23 @@ env:
       type: strategic
       patch: '{"spec":{"template":{"spec":{"containers":[ {"name":"virt-controller","env":{{ include "virt-controller-additional-envs" . | fromYaml | pluck "env" | first | toJson }} } ]}}}}'
 
-    # Label for SecurityPolicyException
+# Labels to link with SecurityPolicyExceptions.
+{{ define "security-policy-exception-link-labels" }}
+labels:
+  # main container.
+  security.deckhouse.io/security-policy-exception/virt-handler: virt-handler-ds-virt-handler-container
+  # node-labeller container
+  security.deckhouse.io/security-policy-exception/virt-launcher: virt-handler-ds-virt-launcher-container
+{{ end }}
+    - resourceName: virt-handler
+      resourceType: DaemonSet
+      patch: '{"spec":{"template":{"metadata": {{ include "security-policy-exception-link-labels" . | fromYaml | toJson }} }}}'
+      type: strategic
+
+    # Explicit values in securityContext for containers to support SecurityPolicyException.
     - resourceName: virt-handler
       resourceType: DaemonSet
-      patch: '{"spec":{"template":{"metadata":{"labels":{"security.deckhouse.io/security-policy-exception": "virt-handler-ds"}}}}}'
+      patch: {{ include "kubevirt.virt_handler_security_contexts_strategic_patch_json" . }}
       type: strategic
 
     # Expose virt-handler ports: health API (--port) and console server (--console-server-port).

templates/kubevirt/virt-handler/security-policy-exception.yaml

@@ -3,7 +3,7 @@
 apiVersion: deckhouse.io/v1alpha1
 kind: SecurityPolicyException
 metadata:
-  name: virt-handler-ds
+  name: virt-handler-ds-virt-handler-container
   namespace: d8-{{ .Chart.Name }}
   {{- include "helm_lib_module_labels" (list . (dict "app" .Chart.Name)) | nindent 2 }}
 spec:
@@ -44,11 +44,26 @@ spec:
         description: |
           Virt-handler component needs hostNetwork to manipulate node route tables
           to allow traffic between virtual machines.
+    hostPorts:
+      - port: 4100
+        protocol: TCP
+        metadata:
+          description: |
+            Allow hostPort 4100 for metrics and health check service.
+            Virt-handler component requires hostNetwork and metrics and health check service should be accessible via hostPort.
+      - port: 4101
+        protocol: TCP
+        metadata:
+          description: |
+            Allow hostPort 4101 for console service.
+            Virt-handler component requires hostNetwork and console service should be accessible via hostPort.
+
     hostPID:
       allowedValue: true
       metadata:
         description:
           Virt-handler component needs access to host PID.
+
   # Allow mounting host directories.
   volumes:
     types:
@@ -71,11 +86,16 @@ spec:
           metadata:
             description: |
               Allow read-write access to /var/lib/kubelet/pods hostPath volume.
-        - path: /var/lib/kubevirt-node-labeller
+        - path: /var/run/cilium
+          readOnly: false
+          metadata:
+            description: |
+              Allow read-write access to /var/run/cilium hostPath volume.
+        - path: /var/run/d8-virtualization/node-labeller
           readOnly: false
           metadata:
             description: |
-              Allow read-write access to /var/lib/kubevirt-node-labeller hostPath volume.
+              Allow read-write access to /var/run/d8-virtualization/node-labeller hostPath volume.
         - path: /var/run/kubevirt
           readOnly: false
           metadata:
@@ -92,4 +112,62 @@ spec:
             description: |
               Allow read-write access to /var/run/kubevirt-private hostPath volume.
 
+---
+# SecurityPolicyException for node-labeller (it is named as virt-launcher container).
+apiVersion: deckhouse.io/v1alpha1
+kind: SecurityPolicyException
+metadata:
+  name: virt-handler-ds-virt-launcher-container
+  namespace: d8-{{ .Chart.Name }}
+  {{- include "helm_lib_module_labels" (list . (dict "app" .Chart.Name)) | nindent 2 }}
+spec:
+  securityContext:
+    runAsUser:
+      allowedValues:
+        - 0
+      metadata:
+        description: |
+          Allow virt-handler container to run as root user (UID 0).
+          Virt-handler component requires root privileges to properly communicate with the KVM subsystem.
+
+    runAsNonRoot:
+      allowedValue: false
+      metadata:
+        description: |
+          Allow containers to run as root user (non-root disabled).
+          Virt-handler component requires root privileges to access kernel-level resources and interact with system calls.
+
+    allowPrivilegeEscalation:
+      allowedValue: true
+      metadata:
+        description: |
+          Allow privilege escalation for the virt-handler container.
+          Virt-handler component requires privilege escalation to access kernel-level system calls.
+
+    privileged:
+      allowedValue: true
+      metadata:
+        description: |
+          Allow privileged mode for the virt-handler.
+          Virt-handler component requires privileged access to interact with the KVM subsystem and Linux kernel.
+
+
+  # Allow mounting host directories.
+  volumes:
+    types:
+      allowedValues:
+        - hostPath
+      metadata:
+        description: |
+          Allow hostPath volume type for node-labeller.
+          node-labeller container of the virt-handler DaemonSet requires access to host filesystem to share virsh capabilities with the main virt-handler container.
+
+    hostPath:
+      allowedValues:
+        - path: /var/lib/d8-virtualization/node-labeller
+          readOnly: false
+          metadata:
+            description: |
+              Allow read-write access to /var/run/d8-virtualization/node-labeller hostPath volume.
+
 {{- end }}

templates/namespace.yaml

@@ -4,6 +4,8 @@ d8-{{ .Chart.Name }}
 
 {{- define "namespace.labels" }}
 prometheus.deckhouse.io/rules-watcher-enabled: "true"
+security.deckhouse.io/pod-policy: "restricted"
+security.deckhouse.io/enable-security-policy-check: "true"
 {{- end }}
 
 {{/* add these labels back to namespace.labels when fix templates for privileged Pods */}}

templates/virtualization-dra/daemonset.yaml

@@ -11,7 +11,7 @@ memory: 25Mi
 {{- end }}
 
 
-{{- if eq (include "virtualization-dra.isEnabled" .) "true" }}
+{{/* - if eq (include "virtualization-dra.isEnabled" .) "true" */}}
 
 {{- if (.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
 ---
@@ -63,13 +63,38 @@ spec:
           Allow containers to run as root user (non-root disabled).
           Virtualization DRA component requires root privileges to access kernel-level resources and interact with system calls.
 
+    allowPrivilegeEscalation:
+      allowedValue: true
+      metadata:
+        description: |
+          Allow privilege escalation for the virt-handler container.
+          Virt-handler component requires privilege escalation to access kernel-level system calls.
+
     privileged:
       allowedValue: true
       metadata:
         description: |
           Allow privileged mode for the virtualization-dra DaemonSet.
           Virtualization DRA component requires privileged access to interact with the KVM subsystem and Linux kernel.
 
+    capabilities:
+      allowedValues:
+        add:
+          - SYS_MODULE
+        # TODO: a simple workaround before specifying proper drop values for all containers.
+        drop: []
+      metadata:
+        description: |
+          Allow Virtualization DRA component to have access to load eBPF and manage host route.
+
+    seccompProfile:
+      # TODO: a simple workaround before specifying proper seccompProfiles for all containers.
+      allowedValues:
+        - undefined
+      metadata:
+        description: |
+          Allow empty seccompProfile until specified.
+
   network:
     hostNetwork:
       allowedValue: true
@@ -238,4 +263,4 @@ spec:
         - name: var-run
           hostPath:
             path: /var/run
-{{- end }}
+{{/*- end */}}