
How to run the tetragon operator deployment as a user, not as root

Open chaithraPadmar opened this issue 10 months ago • 2 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Is your feature request related to a problem?

Hi, we would like to know how to run the tetragon operator deployment as a user, not as root.

Describe the feature you would like

We want to know how to install tetragon as a user, not as root.

Describe your proposed solution

No response

Code of Conduct

  • [x] I agree to follow this project's Code of Conduct

chaithraPadmar avatar Feb 11 '25 12:02 chaithraPadmar

I don't believe the tetragon operator runs as root: https://github.com/cilium/tetragon/blob/0d9b619cc8ebc79de196566ed1ebd92186597929/install/kubernetes/tetragon/values.yaml#L259-L266.

kkourt avatar Feb 11 '25 15:02 kkourt

So even if we drop all capabilities it does technically run as root (because Kubernetes, and thus the container runtime, will start all processes as root by default). I think it would be wise to add runAsUser: <someID> to the security context if we can, so that we don't even run as root with no capabilities but as a user with no capabilities.

We could even in theory ship this directly in the Dockerfiles manifest so that the runtime starts this by default as non-root.

In the meantime @chaithraPadmar, you can use the securityContext in the helm chart for the tetragon operator deployment to add runAsUser. The naming is misleading: judging from the template, podSecurityContext is actually the container securityContext and securityContext is the pod securityContext: https://github.com/cilium/tetragon/blob/0d9b619cc8ebc79de196566ed1ebd92186597929/install/kubernetes/tetragon/templates/operator_deployment.yaml#L52-L81

We should also maybe fix this naming mistake.

mtardy avatar Feb 28 '25 11:02 mtardy
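As an added example (not code from this issue or from the Tetragon project), here is a Helm values override that applies the suggestion in the comment above. The key paths `tetragonOperator.securityContext` and `tetragonOperator.podSecurityContext`, and the UID/GID 65532 (the `nonroot` user of the distroless base images), are assumptions; confirm them against the `values.yaml` of the chart version you deploy. Because the comment notes that the template wires these two keys to the opposite scope, the same non-root settings are given under both keys, and only fields that are valid at both pod and container scope are repeated (`capabilities` and `allowPrivilegeEscalation` are container-only fields, so they are left wherever the chart already places them):

```yaml
# values-operator-nonroot.yaml (added example, not part of the Tetragon chart)
# Key paths below are assumed; check them against the chart's values.yaml.
tetragonOperator:
  # Meant for the container-level securityContext. The existing capability
  # drop from the chart defaults is kept; a non-root UID/GID is added.
  securityContext:
    runAsNonRoot: true   # kubelet refuses to start the container if the effective UID would be 0
    runAsUser: 65532     # assumed UID; any non-zero UID the image's file permissions allow works
    runAsGroup: 65532
    capabilities:
      drop:
        - ALL
  # Meant for the pod-level securityContext. Since the template maps the two
  # keys the other way round, the same user settings are repeated here so the
  # outcome is identical whichever scope each key ends up at.
  podSecurityContext:
    runAsNonRoot: true
    runAsUser: 65532
    runAsGroup: 65532
```

Apply it with `helm upgrade --install tetragon cilium/tetragon -n kube-system -f values-operator-nonroot.yaml`, then check where the settings landed with `kubectl -n kube-system get deploy tetragon-operator -o jsonpath='{.spec.template.spec.securityContext}{"\n"}{.spec.template.spec.containers[0].securityContext}{"\n"}'` and confirm the running process with `kubectl -n kube-system exec deploy/tetragon-operator -- id`, which should report `uid=65532` rather than `uid=0` (the deployment name is assumed). If the operator then fails to start or logs permission errors, the chosen UID cannot read or write a path the image or a mounted volume expects; that is the kind of access the last comment in this thread asks about, and it is fixed by picking a UID the image was built for or by adding an `fsGroup`, not by going back to root.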

Happy to take this on if still required @mtardy

calghar avatar Jul 15 '25 20:07 calghar

> Happy to take this on if still required @mtardy

sure, it's not really required but would be nice to have if it works smoothly! Less privileges is always good and it should be okay for the operator I think?

mtardy avatar Jul 16 '25 08:07 mtardy

> > Happy to take this on if still required @mtardy
>
> sure, it's not really required but would be nice to have if it works smoothly! Less privileges is always good and it should be okay for the operator I think?

Cool. Yes, my current understanding is that there is no need for root privileges for the operator to work smoothly. This should be simply doable by adding a user and group id. However, I wonder if it affects access to any dots needed by Tetragon? 🤔

calghar avatar Jul 16 '25 11:07 calghar