🔨 Move the list of Linux capabilities into values.yaml

2025-09-16 06:46:12 +00:00 · 2023-12-27 13:14:53 +03:00
parent ea3eecfa04
commit c1fc4447ef
5 changed files with 68 additions and 33 deletions
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
@@ -65,23 +65,18 @@ spec:
          securityContext:
            capabilities:
              add:
-                # NET_RAW is required to listen the network traffic
-                - NET_RAW
-                # NET_ADMIN is required to listen the network traffic
-                - NET_ADMIN
+                {{- range .Values.tap.capabilities.networkCapture }}
+                {{ print "- " . }}
+                {{- end }}
                {{- if not .Values.tap.noKernelModule }}
-                # SYS_MODULE is required to install kernel modules
-                - SYS_MODULE
+                {{- range .Values.tap.capabilities.kernelModule }}
+                {{ print "- " . }}
+                {{- end }}
                {{- end }}
                {{- if .Values.tap.serviceMesh }}
-                # SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
-                - SYS_ADMIN
-                # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
-                - SYS_PTRACE
-                # DAC_OVERRIDE is required to read /proc/PID/environ
-                - DAC_OVERRIDE
-                # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
-                - CHECKPOINT_RESTORE
+                {{- range .Values.tap.capabilities.serviceMeshCapture }}
+                {{ print "- " . }}
+                {{- end }}
                {{- end }}
              drop:
                - ALL
@@ -131,14 +126,9 @@ spec:
          securityContext:
            capabilities:
              add:
-                # SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
-                - SYS_ADMIN
-                # SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
-                - SYS_PTRACE
-                # SYS_RESOURCE is required to change rlimits for eBPF
-                - SYS_RESOURCE
-                # CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
-                - CHECKPOINT_RESTORE
+                {{- range .Values.tap.capabilities.ebpfCapture }}
+                {{ print "- " . }}
+                {{- end }}
              drop:
                - ALL
          volumeMounts:
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -68,6 +68,22 @@ tap:
    enabled: true
  defaultFilter: ""
  replayDisabled: false
+  capabilities:
+    networkCapture:
+    - NET_RAW
+    - NET_ADMIN
+    serviceMeshCapture:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - DAC_OVERRIDE
+    - CHECKPOINT_RESTORE
+    kernelModule:
+    - SYS_MODULE
+    ebpfCapture:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - SYS_RESOURCE
+    - CHECKPOINT_RESTORE
 logs:
  file: ""
 kube: