
remove unnecessary capabilities to adhere to PoLP

Open philgebhardt opened this issue 3 years ago • 1 comment

Background

The Gremlin Agent Daemonset exposes various capabilities needed to:

  1. carry out attacks within the Daemonset pods
  2. carry out container initialization operations like entering the net/pid namespaces of other containers
  3. appease the default container spec provided by our third-party libraries (even when it contains capabilities we do not need)

Gremlin should try to always adhere to the principle of least privilege (PoLP), and so the capabilities that fall under #3 should be removed. This will require a new agent release.

Change

  • Remove capabilities Gremlin does not need when it no longer leverages the capabilities provided by oci-runtime-tool's default capabilities set.

Testing

  • [ ] test on openshift 3.x
  • [x] test on openshift 4.x
  • [ ] test on plain crio-based cluster
  • [ ] test on plain containerd-based cluster

philgebhardt, May 28 '21 18:05

This change is awaiting testing on OpenShift. The Gremlin agent has already been updated to no longer need these capabilities. Anyone that wishes to launch Gremlin without the required caps can do so by supplying these args explicitly:

--set gremlin.podSecurity.capabilities[0]=KILL \
--set gremlin.podSecurity.capabilities[1]=NET_ADMIN \
--set gremlin.podSecurity.capabilities[2]=SYS_BOOT \
--set gremlin.podSecurity.capabilities[3]=SYS_TIME \
--set gremlin.podSecurity.capabilities[4]=SYS_ADMIN \
--set gremlin.podSecurity.capabilities[5]=SYS_PTRACE \
--set gremlin.podSecurity.capabilities[6]=SYS_CHROOT

philgebhardt, Jun 27 '22 19:06
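One way to verify that a rendered pod spec carries only the capabilities listed in the comment above, as an added audit helper that is not part of the Gremlin chart or the original discussion; the sample securityContext is constructed for illustration and the allowlist is taken from the --set arguments above:

```python
"""Audit a container's Linux capabilities against a least-privilege allowlist.

Added example, not code from the Gremlin chart. REQUIRED_CAPS is the set of
capabilities named in the comment above; SAMPLE_CONTEXT is constructed.
"""

# Capabilities the comment lists as still required by the agent.
REQUIRED_CAPS = frozenset(
    {"KILL", "NET_ADMIN", "SYS_BOOT", "SYS_TIME", "SYS_ADMIN", "SYS_PTRACE", "SYS_CHROOT"}
)


def normalize(cap: str) -> str:
    """Kubernetes names caps without the CAP_ prefix; OCI runtime specs include it."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_capabilities(security_context: dict, required=REQUIRED_CAPS) -> dict:
    """Report caps granted beyond the allowlist, caps missing from it, and
    whether the spec drops everything before adding back what it needs."""
    caps = security_context.get("capabilities") or {}
    added = {normalize(c) for c in (caps.get("add") or [])}
    dropped = {normalize(c) for c in (caps.get("drop") or [])}
    return {
        "excess": sorted(added - required),   # granted but not needed: remove these
        "missing": sorted(required - added),  # needed but not granted: agent would break
        "drops_all": "ALL" in dropped,
    }


def helm_set_args(required=REQUIRED_CAPS, key="gremlin.podSecurity.capabilities"):
    """Render explicit --set flags in the same form as the comment above
    (sorted so the output is stable)."""
    return [f"--set {key}[{i}]={cap}" for i, cap in enumerate(sorted(required))]


# Constructed sample: a spec that still carries two runtime-default caps
# the agent does not need.
SAMPLE_CONTEXT = {
    "capabilities": {
        "add": ["AUDIT_WRITE", "KILL", "NET_ADMIN", "NET_BIND_SERVICE", "SYS_BOOT",
                "SYS_TIME", "SYS_ADMIN", "SYS_PTRACE", "SYS_CHROOT"],
        "drop": ["ALL"],
    }
}

if __name__ == "__main__":
    print(audit_capabilities(SAMPLE_CONTEXT))
    print(" \\\n".join(helm_set_args()))
```

Feed it the `securityContext` of the agent container from `helm template` output (for example after loading the rendered YAML) to confirm that `excess` is empty before rolling out a new agent release.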