github/kubeshark
1
0
Fork 0
mirror of https://github.com/kubeshark/kubeshark.git synced 2025-08-09 12:29:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

🔨 Remove CHECKPOINT_RESTORE capability from defaults

Browse Source
This commit is contained in:
M. Mert Yildiran 2024-02-26 21:40:14 +03:00
parent 09afa1983a
commit 8fe0544175
No known key found for this signature in database
GPG Key ID: DA5D6DCBB758A461
4 changed files with 0 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
config/configStruct.go
View File

@ -41,8 +41,6 @@ func CreateDefaultConfig() ConfigStruct {
"SYS_PTRACE", "SYS_PTRACE",
// DAC_OVERRIDE is required to read /proc/PID/environ // DAC_OVERRIDE is required to read /proc/PID/environ
"DAC_OVERRIDE", "DAC_OVERRIDE",
// CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
"CHECKPOINT_RESTORE",
}, },
KernelModule: []string{ KernelModule: []string{
// SYS_MODULE is required to install kernel modules // SYS_MODULE is required to install kernel modules
@ -55,8 +53,6 @@ func CreateDefaultConfig() ConfigStruct {
"SYS_PTRACE", "SYS_PTRACE",
// SYS_RESOURCE is required to change rlimits for eBPF // SYS_RESOURCE is required to change rlimits for eBPF
"SYS_RESOURCE", "SYS_RESOURCE",
// CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
"CHECKPOINT_RESTORE",
// IPC_LOCK is required for ebpf perf rings (kernel > ) // IPC_LOCK is required for ebpf perf rings (kernel > )
"IPC_LOCK", "IPC_LOCK",
}, },

1
helm-chart/templates/14-openshift-security-context-constraints.yaml
View File

@ -27,7 +27,6 @@ allowedCapabilities:
- SYS_PTRACE - SYS_PTRACE
- DAC_OVERRIDE - DAC_OVERRIDE
- SYS_RESOURCE - SYS_RESOURCE
- CHECKPOINT_RESTORE
- SYS_MODULE - SYS_MODULE
runAsUser: runAsUser:
type: RunAsAny type: RunAsAny

2
helm-chart/values.yaml
View File

@ -97,14 +97,12 @@ tap:
- SYS_ADMIN - SYS_ADMIN
- SYS_PTRACE - SYS_PTRACE
- DAC_OVERRIDE - DAC_OVERRIDE
- CHECKPOINT_RESTORE
kernelModule: kernelModule:
- SYS_MODULE - SYS_MODULE
ebpfCapture: ebpfCapture:
- SYS_ADMIN - SYS_ADMIN
- SYS_PTRACE - SYS_PTRACE
- SYS_RESOURCE - SYS_RESOURCE
- CHECKPOINT_RESTORE
- IPC_LOCK - IPC_LOCK
globalFilter: "" globalFilter: ""
metrics: metrics:

2
manifests/complete.yaml
View File

@ -425,7 +425,6 @@ spec:
- SYS_ADMIN - SYS_ADMIN
- SYS_PTRACE - SYS_PTRACE
- DAC_OVERRIDE - DAC_OVERRIDE
- CHECKPOINT_RESTORE
drop: drop:
- ALL - ALL
readinessProbe: readinessProbe:
@ -480,7 +479,6 @@ spec:
- SYS_ADMIN - SYS_ADMIN
- SYS_PTRACE - SYS_PTRACE
- SYS_RESOURCE - SYS_RESOURCE
- CHECKPOINT_RESTORE
- IPC_LOCK - IPC_LOCK
drop: drop:
- ALL - ALL