Added security capabilities, especially IPC_LOCK (#1671)

to Sniffer in case eBPF traffic capture mechanism is used.
2025-07-01 18:44:59 +00:00 · 2024-12-23 16:49:54 -08:00 · 2024-12-23 16:49:54 -08:00 · 7eef5efcd9
commit 7eef5efcd9
parent af47154a8d
2 changed files with 6 additions and 5 deletions
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
@ -155,6 +155,11 @@ spec:
                {{ print "- " . }}
                {{- end }}
                {{- end }}
+                {{- if .Values.tap.capabilities.ebpfCapture }}
+                {{- range .Values.tap.capabilities.ebpfCapture }}
+                {{ print "- " . }}
+                {{- end }}
+                {{- end }}
              drop:
                - ALL
          readinessProbe:
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@ -85,10 +85,6 @@ tap:
          filter: ""
          canDownloadPCAP: true
          canUseScripting: true
-          scriptingPermissions:
-            canSave: true
-            canActivate: true
-            canDelete: true
          canUpdateTargetedPods: true
          canStopTrafficCapturing: true
          showAdminConsoleLink: true
@ -121,7 +117,6 @@ tap:
    - SYS_ADMIN
    - SYS_PTRACE
    - DAC_OVERRIDE
-    - IPC_LOCK
    ebpfCapture:
    - SYS_ADMIN
    - SYS_PTRACE
@ -165,6 +160,7 @@ pcapdump:
  maxTime: 1h
  maxSize: 500MB
  pcapSrcDir: pcapdump
+  time: time
 kube:
  configPath: ""
  context: ""