From cf3ce0180b34d49bb3fda58b2dad725673f38e53 Mon Sep 17 00:00:00 2001
From: "M. Mert Yildiran"
Date: Mon, 4 Dec 2023 22:39:21 +0300
Subject: [PATCH 1/5] :hammer: Remove the unnecessary Linux capabilities
---
helm-chart/templates/09-worker-daemon-set.yaml | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/helm-chart/templates/09-worker-daemon-set.yaml b/helm-chart/templates/09-worker-daemon-set.yaml
index d791ac1c3..77cfa4c96 100644
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
@@ -67,11 +67,10 @@ spec:
add: - NET_RAW - NET_ADMIN - - SYS_ADMIN - - SYS_PTRACE - - DAC_OVERRIDE + {{- if not .Values.tap.noKernelModule }} - SYS_MODULE - CHECKPOINT_RESTORE + {{- end }} drop: - ALL readinessProbe:
@@ -120,13 +119,10 @@ spec:
securityContext: capabilities: add: - - NET_RAW - - NET_ADMIN - SYS_ADMIN - SYS_PTRACE - DAC_OVERRIDE - SYS_RESOURCE - - CHECKPOINT_RESTORE drop: - ALL volumeMounts:
From dd91087157eafc8d9207705127339f98e30bd819 Mon Sep 17 00:00:00 2001
From: "M. Mert Yildiran"
Date: Mon, 4 Dec 2023 22:49:31 +0300
Subject: [PATCH 2/5] Add comments to explain the required Linux capabilities
---
helm-chart/templates/09-worker-daemon-set.yaml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/helm-chart/templates/09-worker-daemon-set.yaml b/helm-chart/templates/09-worker-daemon-set.yaml
index 77cfa4c96..f8be1e3d4 100644
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
@@ -65,10 +65,14 @@ spec:
securityContext: capabilities: add: + # NET_RAW is required to listen the network traffic - NET_RAW + # NET_ADMIN is required to listen the network traffic - NET_ADMIN {{- if not .Values.tap.noKernelModule }} + # SYS_MODULE is required to install kernel modules - SYS_MODULE + # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9) - CHECKPOINT_RESTORE {{- end }} drop:
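Review bot: The first hunk of patch 1/5 gates CHECKPOINT_RESTORE behind `{{- if not .Values.tap.noKernelModule }}` together with SYS_MODULE, although the justification added for it in patch 2/5 (readlink of /proc/PID/exe) has nothing to do with loading a kernel module, so a `noKernelModule: true` deployment rendered from this commit silently loses an unrelated capability. Patch 4/5 of the same series moves that entry again, and the second hunk's `- - CHECKPOINT_RESTORE` removal from the second container is likewise re-added there, so squashing patches 1 and 4 would keep every intermediate commit deployable. Both hunks sit inside container specs whose start and end are outside the hunk.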
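Review bot: In patch 2/5 the comments added above `- NET_RAW` and `- NET_ADMIN` give both capabilities the identical justification (`listen the network traffic`), so a reader cannot tell which one becomes droppable if the capture path changes; give each its own reason, e.g. `# NET_RAW is required to open raw/packet sockets for capture` (presumably what the capture needs — confirm against the worker) and a distinct reason for NET_ADMIN, and fix the grammar to `listen to`. The CHECKPOINT_RESTORE comment says `(kernel > 5.9)`, but CAP_CHECKPOINT_RESTORE was introduced in Linux 5.9, so `(kernel >= 5.9)` is the accurate bound. The same text is copied into manifests/complete.yaml by patch 3/5 and moved by patch 4/5, so fix the wording in the template and regenerate. The container spec this hunk sits in starts and ends outside the hunk.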
@@ -119,9 +123,13 @@ spec:
securityContext: capabilities: add: + # SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8) - SYS_ADMIN + # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process - SYS_PTRACE + # DAC_OVERRIDE is required to read /proc/PID/environ - DAC_OVERRIDE + # SYS_RESOURCE is required to change rlimits for eBPF - SYS_RESOURCE drop: - ALL
From 68877b254b4f1bd04a4a20cda20f8c0d61756532 Mon Sep 17 00:00:00 2001
From: "M. Mert Yildiran"
Date: Mon, 4 Dec 2023 22:50:19 +0300
Subject: [PATCH 3/5] :hammer: Run `make generate-helm-values && make generate-manifests`
---
manifests/complete.yaml | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/manifests/complete.yaml b/manifests/complete.yaml
index bd57b6652..0ca3a1eb6 100644
--- a/manifests/complete.yaml
+++ b/manifests/complete.yaml
@@ -314,12 +314,13 @@ spec:
securityContext: capabilities: add: + # NET_RAW is required to listen the network traffic - NET_RAW + # NET_ADMIN is required to listen the network traffic - NET_ADMIN - - SYS_ADMIN - - SYS_PTRACE - - DAC_OVERRIDE + # SYS_MODULE is required to install kernel modules - SYS_MODULE + # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9) - CHECKPOINT_RESTORE drop: - ALL
@@ -365,13 +366,14 @@ spec:
securityContext: capabilities: add: - - NET_RAW - - NET_ADMIN + # SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8) - SYS_ADMIN + # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process - SYS_PTRACE + # DAC_OVERRIDE is required to read /proc/PID/environ - DAC_OVERRIDE + # SYS_RESOURCE is required to change rlimits for eBPF - SYS_RESOURCE - - CHECKPOINT_RESTORE drop: - ALL volumeMounts:
From 6b8beb50ad6ef3f7354adee70cf0a0eac00ced22 Mon Sep 17 00:00:00 2001
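Review bot: The comment added above `- SYS_ADMIN` names the path `/proc/PID/net/ns`, but the network-namespace handle in procfs is `/proc/PID/ns/net` (`/proc/PID/net/` holds the per-namespace network tables, not a namespace file), so the justification points at a path that does not exist; change it to `# SYS_ADMIN is required to read /proc/PID/ns/net and to install eBPF programs (kernel < 5.8)`. The literal `+` used as a conjunction here and in the SYS_PTRACE comment reads like a diff marker whenever this file is reviewed as a patch — `and` avoids that. Since the comment itself bounds the eBPF-loading need to kernels below 5.8, it is worth recording the narrower alternative (CAP_BPF and CAP_PERFMON, available since 5.8) so that a future kernel-baseline bump can drop SYS_ADMIN, which is effectively root-equivalent, from this container. The same comments are copied into manifests/complete.yaml by patch 3/5 and into the serviceMesh block by patch 4/5. The container spec this hunk sits in starts and ends outside the hunk.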
From: "M. Mert Yildiran"
Date: Mon, 4 Dec 2023 23:31:15 +0300
Subject: [PATCH 4/5] :hammer: Update the capabilities
---
helm-chart/templates/09-worker-daemon-set.yaml | 12 ++++++++++--
manifests/complete.yaml | 10 ++++++++--
2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/helm-chart/templates/09-worker-daemon-set.yaml b/helm-chart/templates/09-worker-daemon-set.yaml
index f8be1e3d4..f57cca6b2 100644
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
@@ -72,6 +72,14 @@ spec:
{{- if not .Values.tap.noKernelModule }} # SYS_MODULE is required to install kernel modules - SYS_MODULE + {{- end }} + {{- if .Values.tap.serviceMesh }} + # SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8) + - SYS_ADMIN + # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process + - SYS_PTRACE + # DAC_OVERRIDE is required to read /proc/PID/environ + - DAC_OVERRIDE # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9) - CHECKPOINT_RESTORE {{- end }}
@@ -127,10 +135,10 @@ spec:
- SYS_ADMIN # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process - SYS_PTRACE - # DAC_OVERRIDE is required to read /proc/PID/environ - - DAC_OVERRIDE # SYS_RESOURCE is required to change rlimits for eBPF - SYS_RESOURCE + # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9) + - CHECKPOINT_RESTORE drop: - ALL volumeMounts:
diff --git a/manifests/complete.yaml b/manifests/complete.yaml
index 0ca3a1eb6..595d6fd35 100644
--- a/manifests/complete.yaml
+++ b/manifests/complete.yaml
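Review bot: The new `{{- if .Values.tap.serviceMesh }}` block adds SYS_ADMIN, SYS_PTRACE and DAC_OVERRIDE to the first worker container, a set that is widely treated as root-equivalent, yet nothing next to the conditional tells an operator what enabling `tap.serviceMesh` costs in privilege; add a line above it such as `# serviceMesh enables process inspection and needs the capabilities below, which considerably widen the worker's privilege` and mirror that where the value is documented. CHECKPOINT_RESTORE is moved inside the same block although its own comment (readlink /proc/PID/exe) does not mention the service mesh, so it is unclear whether non-mesh deployments are meant to lose it — presumably intended, but worth confirming. In the second hunk DAC_OVERRIDE is dropped from the second container while the `# DAC_OVERRIDE is required to read /proc/PID/environ` justification survives in the first; if the second container no longer reads /proc/PID/environ that is a welcome reduction, otherwise it is a regression the commit message does not mention. The enclosing container specs start and end outside both hunks.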
@@ -320,6 +320,12 @@ spec:
- NET_ADMIN # SYS_MODULE is required to install kernel modules - SYS_MODULE + # SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8) + - SYS_ADMIN + # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process + - SYS_PTRACE + # DAC_OVERRIDE is required to read /proc/PID/environ + - DAC_OVERRIDE # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9) - CHECKPOINT_RESTORE drop:
@@ -370,10 +376,10 @@ spec:
- SYS_ADMIN # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process - SYS_PTRACE - # DAC_OVERRIDE is required to read /proc/PID/environ - - DAC_OVERRIDE # SYS_RESOURCE is required to change rlimits for eBPF - SYS_RESOURCE + # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9) + - CHECKPOINT_RESTORE drop: - ALL volumeMounts:
From 1070d17e20af10ce129b88eb93734766c2109c0d Mon Sep 17 00:00:00 2001
From: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
Date: Tue, 5 Dec 2023 00:17:36 -0800
Subject: [PATCH 5/5] Update README.md fixing syntax err
---
helm-chart/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm-chart/README.md b/helm-chart/README.md
index f71f2d7fe..f9de49a08 100644
--- a/helm-chart/README.md
+++ b/helm-chart/README.md
@@ -41,7 +41,7 @@ Uninstall Kubeshark:
helm uninstall kubeshark ``` -## Accesing +## Accessing Do the port forwarding: