diff --git a/helm-chart/README.md b/helm-chart/README.md
index f2c325b5a..3673325e0 100644
--- a/helm-chart/README.md
+++ b/helm-chart/README.md
@@ -41,7 +41,7 @@ Uninstall Kubeshark:
 helm uninstall kubeshark
 ```
-## Accesing
+## Accessing
 Do the port forwarding:
diff --git a/helm-chart/templates/09-worker-daemon-set.yaml b/helm-chart/templates/09-worker-daemon-set.yaml
index d791ac1c3..f57cca6b2 100644
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
@@ -65,13 +65,24 @@ spec:
 securityContext:
 capabilities:
 add:
+ # NET_RAW is required to listen the network traffic
 - NET_RAW
+ # NET_ADMIN is required to listen the network traffic
 - NET_ADMIN
- - SYS_ADMIN
- - SYS_PTRACE
- - DAC_OVERRIDE
+ {{- if not .Values.tap.noKernelModule }}
+ # SYS_MODULE is required to install kernel modules
 - SYS_MODULE
+ {{- end }}
+ {{- if .Values.tap.serviceMesh }}
+ # SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
+ - SYS_ADMIN
+ # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
+ - SYS_PTRACE
+ # DAC_OVERRIDE is required to read /proc/PID/environ
+ - DAC_OVERRIDE
+ # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
 - CHECKPOINT_RESTORE
+ {{- end }}
 drop:
 - ALL
 readinessProbe:
@@ -120,12 +131,13 @@ spec:
 securityContext:
 capabilities:
 add:
- - NET_RAW
- - NET_ADMIN
+ # SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
 - SYS_ADMIN
+ # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
 - SYS_PTRACE
- - DAC_OVERRIDE
+ # SYS_RESOURCE is required to change rlimits for eBPF
 - SYS_RESOURCE
+ # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
 - CHECKPOINT_RESTORE
 drop:
 - ALL
diff --git a/manifests/complete.yaml b/manifests/complete.yaml
index bd57b6652..595d6fd35 100644
--- a/manifests/complete.yaml
+++ b/manifests/complete.yaml
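Review bot: The added SYS_ADMIN comment names a path that does not exist — network namespace handles live at `/proc/PID/ns/net`, not `/proc/PID/net/ns`; the same wording is repeated in the second hunk of this file and in both hunks of manifests/complete.yaml. CHECKPOINT_RESTORE exists from kernel 5.9 onward, so `(kernel > 5.9)` should read `(kernel >= 5.9)` in every place it appears. The NET_ADMIN comment merely duplicates the NET_RAW one; someone auditing this capability set wants the concrete operation, e.g. `# NET_ADMIN is required to put interfaces into promiscuous mode` if that is what the sniffer does — confirm against the code. Since the SYS_ADMIN comment already concedes it is only needed for eBPF on kernels below 5.8, it is worth adding that BPF (plus PERFMON for probe attachment) is the narrower grant on newer kernels, so a reader knows SYS_ADMIN is a compatibility choice rather than a hard requirement. The enclosing container spec starts and ends outside the hunk.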
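Review bot: In the second hunk of 09-worker-daemon-set.yaml the capability list is not wrapped in `{{- if .Values.tap.serviceMesh }}` the way the SYS_ADMIN/SYS_PTRACE block of the first hunk is, so SYS_ADMIN, SYS_PTRACE, SYS_RESOURCE and CHECKPOINT_RESTORE are granted whenever this container renders. If the container itself is gated on `tap.serviceMesh` outside the hunk that is fine, but a comment such as `# this container is only rendered when tap.serviceMesh is set` above `add:` would save the next reader from checking. The SYS_RESOURCE comment says it is for eBPF rlimits; on kernels 5.11 and later BPF memory is charged to the memcg rather than RLIMIT_MEMLOCK, so state the kernel dependency as the other comments do, e.g. `# SYS_RESOURCE is required to raise RLIMIT_MEMLOCK for eBPF (kernel < 5.11)` — confirm against the loader code. The container definition starts and ends outside the hunk.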
@@ -314,12 +314,19 @@ spec:
 securityContext:
 capabilities:
 add:
+ # NET_RAW is required to listen the network traffic
 - NET_RAW
+ # NET_ADMIN is required to listen the network traffic
 - NET_ADMIN
- - SYS_ADMIN
- - SYS_PTRACE
- - DAC_OVERRIDE
+ # SYS_MODULE is required to install kernel modules
 - SYS_MODULE
+ # SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
+ - SYS_ADMIN
+ # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
+ - SYS_PTRACE
+ # DAC_OVERRIDE is required to read /proc/PID/environ
+ - DAC_OVERRIDE
+ # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
 - CHECKPOINT_RESTORE
 drop:
 - ALL
@@ -365,12 +372,13 @@ spec:
 securityContext:
 capabilities:
 add:
- - NET_RAW
- - NET_ADMIN
+ # SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
 - SYS_ADMIN
+ # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
 - SYS_PTRACE
- - DAC_OVERRIDE
+ # SYS_RESOURCE is required to change rlimits for eBPF
 - SYS_RESOURCE
+ # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
 - CHECKPOINT_RESTORE
 drop:
 - ALL
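Review bot: manifests/complete.yaml keeps SYS_ADMIN, SYS_PTRACE, DAC_OVERRIDE and CHECKPOINT_RESTORE unconditionally where the chart's first hunk now grants them only under `tap.serviceMesh`, and SYS_MODULE unconditionally where the chart honors `tap.noKernelModule`, so anyone applying the static manifest gets the widest capability set with nothing telling them so. If complete.yaml is rendered from the chart, the values it was rendered with belong in a header comment; if it is hand-maintained, a comment above `add:` such as `# Static manifest: equivalent to the chart with tap.serviceMesh enabled and tap.noKernelModule false` records the trade-off. The comment-text defects raised on the chart hunk (`/proc/PID/net/ns` should be `/proc/PID/ns/net`, `kernel > 5.9` should be `kernel >= 5.9`) apply to both hunks here as well.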