chore(module): add more exceptions for privileged containers

.helmignore

@@ -6,6 +6,7 @@ images
 lib
 Makefile
 openapi
+tools
 *.md
 release.yaml
 werf*.yaml

Chart.yaml

@@ -2,5 +2,5 @@ name: virtualization
 version: 0.0.1
 dependencies:
   - name: deckhouse_lib_helm
-    version: 1.55.1
+    version: 1.71.1
     repository: https://deckhouse.github.io/lib-helm

Taskfile.yaml

@@ -26,7 +26,7 @@ includes:
     dir: ./src/cli
 
 vars:
-  deckhouse_lib_helm_ver: 1.55.1
+  deckhouse_lib_helm_ver: 1.71.1
   TRIVY_VERSION: 0.55.0
   target: ""
   VALIDATION_FILES: "tools/validation/{main,messages,diff,no_cyrillic,doc_changes}.go"
@@ -59,9 +59,13 @@ tasks:
     deps:
       - check-helm
     cmds:
-      - helm repo add deckhouse https://deckhouse.github.io/lib-helm
-      - helm repo update deckhouse
-      - helm dep update
+      - |
+        echo "Add deckhouse Helm repo"
+        helm repo add deckhouse https://deckhouse.github.io/lib-helm
+        echo "Update deckhouse Helm repo"
+        helm repo update deckhouse
+        echo "Update dependencies"
+        helm dep update
 
   helm-bump-helm-lib:
     deps:

requirements.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: deckhouse_lib_helm
   repository: https://deckhouse.github.io/lib-helm
-  version: 1.55.1
-digest: sha256:5bdef3964d2672b8ff290f32e22569bc502e040e4e70274cab1762f27d9982e0
-generated: "2025-05-30T11:27:37.094721+03:00"
+  version: 1.71.1
+digest: sha256:5682a96d4c6f23060ebdd8365e201daf4f1c41f0d25a5de4aae1f7a3f12045ae
+generated: "2026-03-04T17:35:02.982461+03:00"

templates/virtualization-dra/daemonset.yaml

@@ -11,7 +11,7 @@ memory: 25Mi
 {{- end }}
 
 
-{{- if eq (include "virtualization-dra.isEnabled" .) "true" }}
+{{/* - if eq (include "virtualization-dra.isEnabled" .) "true" */}}
 
 {{- if (.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
 ---
@@ -63,13 +63,38 @@ spec:
           Allow containers to run as root user (non-root disabled).
           Virtualization DRA component requires root privileges to access kernel-level resources and interact with system calls.
 
+    allowPrivilegeEscalation:
+      allowedValue: true
+      metadata:
+        description: |
+          Allow privilege escalation for the virt-handler container.
+          Virt-handler component requires privilege escalation to access kernel-level system calls.
+
     privileged:
       allowedValue: true
       metadata:
         description: |
           Allow privileged mode for the virtualization-dra DaemonSet.
           Virtualization DRA component requires privileged access to interact with the KVM subsystem and Linux kernel.
 
+    capabilities:
+      allowedValues:
+        add:
+          - SYS_MODULE
+        # TODO: a simple workaround before specifying proper drop values for all containers.
+        drop: []
+      metadata:
+        description: |
+          Allow Virtualization DRA component to have access to load eBPF and manage host route.
+
+    seccompProfile:
+      # TODO: a simple workaround before specifying proper seccompProfiles for all containers.
+      allowedValues:
+        - undefined
+      metadata:
+        description: |
+          Allow empty seccompProfile until specified.
+
   network:
     hostNetwork:
       allowedValue: true
@@ -236,4 +261,4 @@ spec:
         - name: var-run
           hostPath:
             path: /var/run
-{{- end }}
+{{/*- end */}}

templates/vm-route-forge/daemonset.yaml

@@ -53,12 +53,21 @@ spec:
           VM route forge component requires root privileges to interact with the host network layer.
 
     runAsNonRoot:
-      allowedValue: false
+      allowedValues:
+      - false
+      - true
       metadata:
         description: |
           Allow containers to run as root user (non-root disabled).
           VM route forge component requires root privileges to interact with the host network layer.
 
+    allowPrivilegeEscalation:
+      allowedValue: true
+      metadata:
+        description: |
+          Allow privilege escalation for the virt-handler container.
+          Virt-handler component requires privilege escalation to access kernel-level system calls.
+
     privileged:
       allowedValue: true
       metadata:
@@ -108,7 +117,7 @@ spec:
           {{- range .Values.virtualization.internal.moduleConfig.virtualMachineCIDRs }}
           - --cidr={{ . }}
           {{- end }}
-          {{- include "helm_lib_module_container_security_context_privileged_read_only_root_filesystem" . | nindent 10 }}
+          {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "caps" (list "NET_ADMIN") "uid" 0 "runAsNonRoot" false) | nindent 10 }}
           image: {{ include "helm_lib_module_image" (list . "vmRouteForge") }}
           imagePullPolicy: "IfNotPresent"
           env: