github/kubeshark
1
0
Fork 0
mirror of https://github.com/kubeshark/kubeshark.git synced 2025-09-04 12:05:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Replace privileged with specific CAPABILITIES requests (#514)

Browse Source
This commit is contained in:
David Levanon
2021-12-02 11:41:13 +02:00
committed by GitHub
parent 2910611111
commit 296e1bb667
1 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
shared/kubernetes/provider.go
View File

@@ -651,7 +651,17 @@ func (provider *Provider) ApplyMizuTapperDaemonSet(ctx context.Context, namespac
agentContainer.WithName(tapperPodName) agentContainer.WithName(tapperPodName)
agentContainer.WithImage(podImage) agentContainer.WithImage(podImage)
agentContainer.WithImagePullPolicy(imagePullPolicy) agentContainer.WithImagePullPolicy(imagePullPolicy)
agentContainer.WithSecurityContext(applyconfcore.SecurityContext().WithPrivileged(true))
caps := applyconfcore.Capabilities().WithDrop("ALL").WithAdd("NET_RAW").WithAdd("NET_ADMIN")
if istio {
caps = caps.WithAdd("SYS_ADMIN") // for reading /proc/PID/net/ns
caps = caps.WithAdd("SYS_PTRACE") // for setting netns to other process
caps = caps.WithAdd("DAC_OVERRIDE") // for reading /proc/PID/environ
}
agentContainer.WithSecurityContext(applyconfcore.SecurityContext().WithCapabilities(caps))
agentContainer.WithCommand(mizuCmd...) agentContainer.WithCommand(mizuCmd...)
agentContainer.WithEnv( agentContainer.WithEnv(
applyconfcore.EnvVar().WithName(shared.LogLevelEnvVar).WithValue(logLevel.String()), applyconfcore.EnvVar().WithName(shared.LogLevelEnvVar).WithValue(logLevel.String()),