🔨 Update the capabilities

2025-07-16 09:26:39 +00:00 · 2023-12-04 23:31:15 +03:00 · 2023-12-04 23:31:15 +03:00 · 6b8beb50ad
commit 6b8beb50ad
parent 68877b254b
2 changed files with 18 additions and 4 deletions
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
@ -72,6 +72,14 @@ spec:
                {{- if not .Values.tap.noKernelModule }}
                # SYS_MODULE is required to install kernel modules
                - SYS_MODULE
+                {{- end }}
+                {{- if .Values.tap.serviceMesh }}
+                # SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
+                - SYS_ADMIN
+                # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
+                - SYS_PTRACE
+                # DAC_OVERRIDE is required to read /proc/PID/environ
+                - DAC_OVERRIDE
                # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
                - CHECKPOINT_RESTORE
                {{- end }}
@ -127,10 +135,10 @@ spec:
                - SYS_ADMIN
                # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
                - SYS_PTRACE
-                # DAC_OVERRIDE is required to read /proc/PID/environ
-                - DAC_OVERRIDE
                # SYS_RESOURCE is required to change rlimits for eBPF
                - SYS_RESOURCE
+                # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
+                - CHECKPOINT_RESTORE
              drop:
                - ALL
          volumeMounts:
--- a/manifests/complete.yaml
+++ b/manifests/complete.yaml
@ -320,6 +320,12 @@ spec:
                - NET_ADMIN
                # SYS_MODULE is required to install kernel modules
                - SYS_MODULE
+                # SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
+                - SYS_ADMIN
+                # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
+                - SYS_PTRACE
+                # DAC_OVERRIDE is required to read /proc/PID/environ
+                - DAC_OVERRIDE
                # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
                - CHECKPOINT_RESTORE
              drop:
@ -370,10 +376,10 @@ spec:
                - SYS_ADMIN
                # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
                - SYS_PTRACE
-                # DAC_OVERRIDE is required to read /proc/PID/environ
-                - DAC_OVERRIDE
                # SYS_RESOURCE is required to change rlimits for eBPF
                - SYS_RESOURCE
+                # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
+                - CHECKPOINT_RESTORE
              drop:
                - ALL
          volumeMounts: