Added security capabilities, especially IPC_LOCK (#1671)

to the Sniffer, in case the eBPF traffic capture mechanism is used.
Alon Girmonsky 2024-12-23 16:49:54 -08:00 committed by GitHub
parent af47154a8d
commit 7eef5efcd9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 6 additions and 5 deletions


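--- a/UNKNOWN_PATH_file1
+++ b/UNKNOWN_PATH_file1
@@ -155,6 +155,11 @@ spec:
 {{ print "- " . }}
 {{- end }}
 {{- end }}
+{{- if .Values.tap.capabilities.ebpfCapture }}
+{{- range .Values.tap.capabilities.ebpfCapture }}
+{{ print "- " . }}
+{{- end }}
+{{- end }}
 drop:
 - ALL
 readinessProbe: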
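Review bot: The new `{{- if .Values.tap.capabilities.ebpfCapture }}` block grants the eBPF capability list to the container whenever that list is non-empty, not only when the eBPF capture mechanism is actually selected, so with the values shown in the second file every Sniffer pod receives SYS_ADMIN and SYS_PTRACE from this list even when another capture path is in use. If the chart exposes a value that selects the capture mechanism, gate this range on it as well so the non-eBPF deployment keeps the smaller capability set; if not, state the behaviour in values.yaml with a comment above the list such as `# ebpfCapture: capabilities added to the sniffer container whenever this list is non-empty`. The entries emitted here land in the same `add:` list as the preceding range, so a capability present in both lists is rendered twice; if that is unwanted, the two lists can be concatenated and passed through sprig's `uniq` before ranging. The enclosing container securityContext starts and ends outside the hunk.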


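--- a/UNKNOWN_PATH_file2
+++ b/UNKNOWN_PATH_file2
@@ -85,10 +85,6 @@ tap:
 filter: ""
 canDownloadPCAP: true
 canUseScripting: true
-scriptingPermissions:
-canSave: true
-canActivate: true
-canDelete: true
 canUpdateTargetedPods: true
 canStopTrafficCapturing: true
 showAdminConsoleLink: true
@@ -121,7 +117,6 @@ tap:
 - SYS_ADMIN
 - SYS_PTRACE
 - DAC_OVERRIDE
-- IPC_LOCK
 ebpfCapture:
 - SYS_ADMIN
 - SYS_PTRACE
@@ -165,6 +160,7 @@ pcapdump:
 maxTime: 1h
 maxSize: 500MB
 pcapSrcDir: pcapdump
+time: time
 kube:
 configPath: ""
 context: ""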
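Review bot: By the hunk counts (`-121,7 +117,6`), `- IPC_LOCK` is on the removed side of the second hunk, so the new values no longer list IPC_LOCK in the capability list that precedes `ebpfCapture:`, which contradicts the commit title; unless it is added to `ebpfCapture` beyond the visible context, the eBPF path would lack the capability the title says was introduced (CAP_IPC_LOCK is commonly needed to lock memory for BPF maps). Please confirm which list is meant to carry it, and document the intent above `ebpfCapture:` with a comment along the lines of `# capabilities added to the sniffer when eBPF capture is used; IPC_LOCK covers BPF map memory locking`. In the third hunk the added `time: time` reads like a placeholder key/value pair rather than a real setting; confirm it is intended and, if kept, give it a one-line comment describing what consumes it.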