Add comments to explain the required Linux capabilities

This commit is contained in:
M. Mert Yildiran
2023-12-04 22:49:31 +03:00
parent cf3ce0180b
commit dd91087157


@@ -65,10 +65,14 @@ spec:
securityContext: securityContext:
capabilities: capabilities:
add: add:
# NET_RAW is required to listen the network traffic
- NET_RAW - NET_RAW
# NET_ADMIN is required to listen the network traffic
- NET_ADMIN - NET_ADMIN
{{- if not .Values.tap.noKernelModule }} {{- if not .Values.tap.noKernelModule }}
# SYS_MODULE is required to install kernel modules
- SYS_MODULE - SYS_MODULE
# CHECKPOINT_RESTORE is required to readlink /proc/PID/exe (kernel > 5.9)
- CHECKPOINT_RESTORE - CHECKPOINT_RESTORE
{{- end }} {{- end }}
drop: drop:
@@ -119,9 +123,13 @@ spec:
securityContext: securityContext:
capabilities: capabilities:
add: add:
# SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
- SYS_ADMIN - SYS_ADMIN
# SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
- SYS_PTRACE - SYS_PTRACE
# DAC_OVERRIDE is required to read /proc/PID/environ
- DAC_OVERRIDE - DAC_OVERRIDE
# SYS_RESOURCE is required to change rlimits for eBPF
- SYS_RESOURCE - SYS_RESOURCE
drop: drop:
- ALL - ALL
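Review bot: The new SYS_ADMIN comment in the second hunk says eBPF loading needs it only on kernels < 5.8, yet the capability is added unconditionally, so the comment does not tell a reader why it is kept on newer kernels (where CAP_BPF/CAP_PERFMON are the narrower alternatives); the path it cites also looks like a typo for the netns symlink, which lives at /proc/PID/ns/net. A wording like `# SYS_ADMIN is required to read /proc/PID/ns/net; also needed to load eBPF programs on kernels < 5.8 (newer kernels split this into CAP_BPF/CAP_PERFMON)` would make the broad grant and its rationale explicit. In the first hunk, the NET_ADMIN comment is a verbatim copy of the NET_RAW one and so does not explain what NET_ADMIN adds over NET_RAW; stating the specific operation it is needed for would help a reviewer judge whether it can be dropped. The CHECKPOINT_RESTORE comment says "kernel > 5.9", but that capability was introduced in 5.9, so ">= 5.9" is probably what is meant.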