sysdiglabs · EdwardArchive · May 13, 2026
@@ -13,5 +13,5 @@ maintainers:
   - name: mavimo
     email: marcovito.moscaritolo@sysdig.com
 type: application
-version: 1.37.1
+version: 1.37.2
 appVersion: "1.0.0"
@@ -13,8 +13,8 @@ allowHostIPC: false
 allowHostNetwork: true
 allowHostPID: true
 allowHostPorts: {{ or .Values.features.posture.host_posture.enabled (dig "prometheus_exporter" "enabled" false .Values.host.additional_settings) (dig "kspm_analyzer" "enabled" false .Values.host.additional_settings) }}
-allowPrivilegeEscalation: true
-allowPrivilegedContainer: true
+allowPrivilegeEscalation: {{ .Values.host.privileged }}
+allowPrivilegedContainer: {{ .Values.host.privileged }}
 {{- if .Values.host.privileged }}
 allowedCapabilities: []
 {{- else }}

@@ -54,6 +54,37 @@ tests:
           path: allowedCapabilities
           value: []
 
+  - it: SecurityContextConstraints allowPrivilegeEscalation/allowPrivilegedContainer are true when host.privileged is true
+    capabilities:
+      apiVersions:
+        - security.openshift.io/v1
+    set:
+      host:
+        privileged: true
+    asserts:
+      - equal:
+          path: allowPrivilegeEscalation
+          value: true
+      - equal:
+          path: allowPrivilegedContainer
+          value: true
+
+  - it: SecurityContextConstraints allowPrivilegeEscalation/allowPrivilegedContainer are false when host.privileged is false
+    capabilities:
+      apiVersions:
+        - security.openshift.io/v1
+    set:
+      host:
+        privileged: false
+        driver: universal_ebpf
+    asserts:
+      - equal:
+          path: allowPrivilegeEscalation
+          value: false
+      - equal:
+          path: allowPrivilegedContainer
+          value: false
+
   - it: SecurityContextConstraints allowedCapabilities is not empty when host.privileged is false
     capabilities:
       apiVersions: