
capabilities support: instead of using privileged permission, is there any plan for providing more precise capability configurations

Open singchia opened this issue 1 year ago • 2 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Is your feature request related to a problem?

Our k8s admission control prevents privileged pods from execution; can tetragon take only CAP_BPF?

Describe the feature you would like

Allow us to run a container or pod like:

  • docker: remove --privileged
  • k8s: securityContext: allowPrivilegeEscalation: false

Describe your proposed solution

No response

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

singchia avatar Nov 17 '23 04:11 singchia
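As an added example (not part of the issue or of Tetragon's own code), here is the check that goes with the request above: decode the CapEff field of a process's /proc/<pid>/status to see whether the agent is running with the full capability set that --privileged grants, or only with what it was given (e.g. CAP_BPF). The two status dumps at the bottom are constructed samples, not captured output.

```python
"""Decode the CapEff field of /proc/<pid>/status into CAP_* names.
Added example for this issue, not Tetragon code: a way to check whether a
running agent holds only what it was granted (e.g. CAP_BPF) or the full set
that --privileged hands out."""
import re

# Capability bit numbers from include/uapi/linux/capability.h (Linux 5.9+).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]
FULL_SET = (1 << len(CAP_NAMES)) - 1  # every bit set: what privileged grants


def capeff_mask(status_text: str) -> int:
    """Extract the CapEff bitmask (hex) from a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def decode_caps(mask: int) -> list[str]:
    """Name every capability bit set in mask, newer kernels included."""
    names = [f"CAP_{n}" for i, n in enumerate(CAP_NAMES) if mask >> i & 1]
    # Bits above the table come from a kernel newer than this list knows.
    names += [f"CAP_{i}" for i in range(len(CAP_NAMES), mask.bit_length())
              if mask >> i & 1]
    return names


def effective_caps(status_text: str) -> list[str]:
    """Effective capabilities of the process described by status_text."""
    return decode_caps(capeff_mask(status_text))


def is_privileged(status_text: str) -> bool:
    """True when the process holds the whole capability set."""
    return (capeff_mask(status_text) & FULL_SET) == FULL_SET


# Constructed sample status dumps (not captured from a real system).
PRIVILEGED_STATUS = "Name:\ttetragon\nCapEff:\t000001ffffffffff\n"
BPF_ONLY_STATUS = "Name:\ttetragon\nCapEff:\t0000008000000000\n"
```

On a live node, feed it the contents of /proc/<agent pid>/status from the host side to compare what the pod actually holds against what the manifest intended.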

Thanks for creating this issue.

Our k8s admission control prevents privileged pods from execution; can tetragon take only CAP_BPF?

Having Tetragon only use the capabilities it needs definitely makes sense. There are still some things where we go beyond CAP_BPF, and we would need to figure out how to do them. One of them is access to (the host) /proc for scanning the existing processes.

kkourt avatar Nov 27 '23 06:11 kkourt

I'm working on the privileges collection.

singchia avatar Dec 19 '23 07:12 singchia