🔨 Move the list of Linux capabilities into values.yaml
This commit is contained in:
parent
ea3eecfa04
commit
c1fc4447ef
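--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -27,6 +27,38 @@ func CreateDefaultConfig() ConfigStruct {
 },
 },
 },
+Capabilities: configStructs.CapabilitiesConfig{
+NetworkCapture: []string{
+// NET_RAW is required to listen the network traffic
+"NET_RAW",
+// NET_ADMIN is required to listen the network traffic
+"NET_ADMIN",
+},
+ServiceMeshCapture: []string{
+// SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
+"SYS_ADMIN",
+// SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
+"SYS_PTRACE",
+// DAC_OVERRIDE is required to read /proc/PID/environ
+"DAC_OVERRIDE",
+// CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
+"CHECKPOINT_RESTORE",
+},
+KernelModule: []string{
+// SYS_MODULE is required to install kernel modules
+"SYS_MODULE",
+},
+EBPFCapture: []string{
+// SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
+"SYS_ADMIN",
+// SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
+"SYS_PTRACE",
+// SYS_RESOURCE is required to change rlimits for eBPF
+"SYS_RESOURCE",
+// CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
+"CHECKPOINT_RESTORE",
+},
+},
 },
 }
 }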
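Review bot: The default capability lists added here are the same lists written by hand into values.yaml in the `@ -68,6 +68,22 @@ tap:` hunk, and within this block SYS_ADMIN, SYS_PTRACE and CHECKPOINT_RESTORE appear twice with their rationale comments copied verbatim, so the Go defaults, the duplicated entries and the chart values can drift apart without any check noticing. Consider declaring each capability name once as a package-level constant with its rationale comment on the constant, e.g. `capSysAdmin = "SYS_ADMIN" // read /proc/PID/net/ns, install eBPF programs (kernel < 5.8)`, and composing the four lists from those constants. The enclosing CreateDefaultConfig function begins before and continues after this hunk.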
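--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -106,6 +106,13 @@ type TelemetryConfig struct {
 Enabled bool `yaml:"enabled" json:"enabled" default:"true"`
 }
 
+type CapabilitiesConfig struct {
+NetworkCapture []string `yaml:"networkCapture" json:"networkCapture" default:"[]"`
+ServiceMeshCapture []string `yaml:"serviceMeshCapture" json:"serviceMeshCapture" default:"[]"`
+KernelModule []string `yaml:"kernelModule" json:"kernelModule" default:"[]"`
+EBPFCapture []string `yaml:"ebpfCapture" json:"ebpfCapture" default:"[]"`
+}
+
 type TapConfig struct {
 Docker DockerConfig `yaml:"docker" json:"docker"`
 Proxy ProxyConfig `yaml:"proxy" json:"proxy"`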
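Review bot: The exported type CapabilitiesConfig is added without a doc comment, and nothing tells a reader that these four lists are security-sensitive input that ends up verbatim in the containers' securityContext. I would add `// CapabilitiesConfig lists the Linux capabilities added to each worker container; every list is rendered into one securityContext.capabilities.add block by the Helm chart, and the chart keeps drop: ALL, so an entry here is the only way a capability is granted.` above the struct, plus a one-line comment per field naming which container or mode it applies to (network capture, service mesh, kernel module, eBPF), which is the information the removed template comments used to carry.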
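--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -133,6 +140,7 @@ type TapConfig struct {
 Telemetry TelemetryConfig `yaml:"telemetry" json:"telemetry"`
 DefaultFilter string `yaml:"defaultFilter" json:"defaultFilter"`
 ReplayDisabled bool `yaml:"replayDisabled" json:"replayDisabled" default:"false"`
+Capabilities CapabilitiesConfig `yaml:"capabilities" json:"capabilities"`
 }
 
 func (config *TapConfig) PodRegex() *regexp.Regexp {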
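--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -65,23 +65,18 @@ spec:
 securityContext:
 capabilities:
 add:
-# NET_RAW is required to listen the network traffic
-- NET_RAW
-# NET_ADMIN is required to listen the network traffic
-- NET_ADMIN
+{{- range .Values.tap.capabilities.networkCapture }}
+{{ print "- " . }}
+{{- end }}
 {{- if not .Values.tap.noKernelModule }}
-# SYS_MODULE is required to install kernel modules
-- SYS_MODULE
+{{- range .Values.tap.capabilities.kernelModule }}
+{{ print "- " . }}
+{{- end }}
 {{- end }}
 {{- if .Values.tap.serviceMesh }}
-# SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
-- SYS_ADMIN
-# SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
-- SYS_PTRACE
-# DAC_OVERRIDE is required to read /proc/PID/environ
-- DAC_OVERRIDE
-# CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
-- CHECKPOINT_RESTORE
+{{- range .Values.tap.capabilities.serviceMeshCapture }}
+{{ print "- " . }}
+{{- end }}
 {{- end }}
 drop:
 - ALL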
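Review bot: `{{ print "- " . }}` writes each user-supplied list entry into the manifest unquoted, so a value containing YAML-significant characters (a colon, a `#`, a leading `[` or `{`, or a newline from a multi-line string) changes the structure of the rendered securityContext instead of being rejected, and the same pattern is used in the `@ -131,14 +126,9 @@` hunk for ebpfCapture. Quoting the scalar keeps the rendered list shape fixed whatever the value is: `{{ print "- " (quote .) }}` (or equivalently `- {{ . | quote }}`). The capability strings that remain after quoting are still accepted by Kubernetes as before, since NET_RAW and "NET_RAW" are the same YAML scalar. The surrounding container spec starts and ends outside this hunk.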
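--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -131,14 +126,9 @@ spec:
 securityContext:
 capabilities:
 add:
-# SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
-- SYS_ADMIN
-# SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
-- SYS_PTRACE
-# SYS_RESOURCE is required to change rlimits for eBPF
-- SYS_RESOURCE
-# CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
-- CHECKPOINT_RESTORE
+{{- range .Values.tap.capabilities.ebpfCapture }}
+{{ print "- " . }}
+{{- end }}
 drop:
 - ALL
 volumeMounts: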
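--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -68,6 +68,22 @@ tap:
 enabled: true
 defaultFilter: ""
 replayDisabled: false
+capabilities:
+networkCapture:
+- NET_RAW
+- NET_ADMIN
+serviceMeshCapture:
+- SYS_ADMIN
+- SYS_PTRACE
+- DAC_OVERRIDE
+- CHECKPOINT_RESTORE
+kernelModule:
+- SYS_MODULE
+ebpfCapture:
+- SYS_ADMIN
+- SYS_PTRACE
+- SYS_RESOURCE
+- CHECKPOINT_RESTORE
 logs:
 file: ""
 kube: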
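Review bot: The per-capability rationale comments that this commit deletes from the template (`# SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)` and the others) are not carried over to this values block, yet values.yaml is now the place an operator edits when deciding whether to keep or remove a capability; the `default:"[]"` tags on CapabilitiesConfig also mean an empty list is accepted, so a reader has no hint which entries are safe to trim. I would restore each reason as a trailing comment on its entry, e.g. `- SYS_MODULE # required to install kernel modules`, and add one line above `capabilities:` noting that the chart keeps `drop: ALL`, so these lists are the complete set of capabilities the worker containers receive. The `tap:` mapping starts before this hunk.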
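--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -315,19 +315,12 @@ spec:
 securityContext:
 capabilities:
 add:
-# NET_RAW is required to listen the network traffic
 - NET_RAW
-# NET_ADMIN is required to listen the network traffic
 - NET_ADMIN
-# SYS_MODULE is required to install kernel modules
 - SYS_MODULE
-# SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
 - SYS_ADMIN
-# SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
 - SYS_PTRACE
-# DAC_OVERRIDE is required to read /proc/PID/environ
 - DAC_OVERRIDE
-# CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
 - CHECKPOINT_RESTORE
 drop:
 - ALL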
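--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -373,13 +366,9 @@ spec:
 securityContext:
 capabilities:
 add:
-# SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
 - SYS_ADMIN
-# SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
 - SYS_PTRACE
-# SYS_RESOURCE is required to change rlimits for eBPF
 - SYS_RESOURCE
-# CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
 - CHECKPOINT_RESTORE
 drop:
 - ALL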