From 7eef5efcd97409a05dbf0874effb601ae4f0042b Mon Sep 17 00:00:00 2001
From: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
Date: Mon, 23 Dec 2024 16:49:54 -0800
Subject: [PATCH] Added security capabilities, especially IPC_LOCK (#1671) to Sniffer in case eBPF traffic capture mechanism is used.

---
 helm-chart/templates/09-worker-daemon-set.yaml | 5 +++++
 helm-chart/values.yaml | 6 +-----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/helm-chart/templates/09-worker-daemon-set.yaml b/helm-chart/templates/09-worker-daemon-set.yaml
index 15d76be1c..5119e42ac 100644
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
@@ -155,6 +155,11 @@ spec:
 {{ print "- " . }}
 {{- end }}
 {{- end }}
+ {{- if .Values.tap.capabilities.ebpfCapture }}
+ {{- range .Values.tap.capabilities.ebpfCapture }}
+ {{ print "- " . }}
+ {{- end }}
+ {{- end }}
 drop:
 - ALL
 readinessProbe:
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
index 15b1638c4..bf402e6fc 100644
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -85,10 +85,6 @@ tap:
 filter: ""
 canDownloadPCAP: true
 canUseScripting: true
- scriptingPermissions:
- canSave: true
- canActivate: true
- canDelete: true
 canUpdateTargetedPods: true
 canStopTrafficCapturing: true
 showAdminConsoleLink: true
@@ -121,7 +117,6 @@ tap:
 - SYS_ADMIN
 - SYS_PTRACE
 - DAC_OVERRIDE
- - IPC_LOCK
 ebpfCapture:
 - SYS_ADMIN
 - SYS_PTRACE
@@ -165,6 +160,7 @@ pcapdump:
 maxTime: 1h
 maxSize: 500MB
 pcapSrcDir: pcapdump
+ time: time
 kube:
 configPath: ""
 context: ""
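Review bot: The new `range` over `.Values.tap.capabilities.ebpfCapture` is emitted whenever that list is non-empty, not only when the eBPF capture path is actually selected, so with the shipped defaults the worker container is granted the union of both capability lists even for deployments that never use eBPF (and, judging by the values hunk below, SYS_ADMIN and SYS_PTRACE then appear twice under `add:`). If the chart exposes a value that selects the capture mechanism, gate this block on it too, e.g. `{{- if and .Values.tap.capabilities.ebpfCapture <ebpf-selected-flag> }}`; if no such value exists, a short template comment above the block recording that the extra capabilities are granted unconditionally because the mechanism is chosen at runtime would at least make the trade-off explicit. The `securityContext`/`add:` block these lines extend begins above the hunk, so the first `range` it pairs with is not visible here.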
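Review bot: Removing the `scriptingPermissions` defaults (`canSave`, `canActivate`, `canDelete`) is not mentioned in the commit message and has nothing to do with the capability change in the subject; any template or consumer that still reads these keys will now see a nil map and either fail to render or silently behave as though the permission were unset, which is a hard-to-spot authorization change. Either split this into its own commit that states the intended behaviour, or keep the keys and add a comment explaining what governs them now. The mapping these keys belong to starts above the hunk, so its full path is not visible here.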
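Review bot: The subject says IPC_LOCK is added for the eBPF path, but this hunk only shows its removal from the preceding list, and the `ebpfCapture` list runs past the end of the hunk, so the addition cannot be confirmed from the diff — worth checking it is really there, otherwise the patch is a pure privilege removal for the non-eBPF path with nothing granted in its place. A comment above each list naming the capture mode it serves and why each capability is needed would make later least-privilege reviews possible, e.g. `# eBPF capture only: SYS_ADMIN for bpf()/perf_event_open where CAP_BPF/CAP_PERFMON are unavailable, IPC_LOCK for map memlock on kernels before 5.11`. Whether SYS_ADMIN can be narrowed to BPF and PERFMON depends on the minimum kernel the chart supports, which is not stated here.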
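Review bot: `time: time` under `pcapdump` reads as a placeholder: its value is the literal string "time", its siblings `maxTime: 1h` and `maxSize: 500MB` carry real defaults, and the commit message does not mention it. If it is meant to be a duration or a timestamp format, give it a real default and a comment such as `time: ""  # <what this configures>`; if it is leftover debugging, drop it before it ships as a default. The consumer of this key is not visible in the diff, so I cannot tell which parse it would fail.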