Deployment Falco Pods may not need to be run as root (e.g. in the K8s audit plugin usecase)

Open PhilipSchmid opened this issue 1 year ago • 18 comments

Motivation

With the introduction of the new Falco plugin system and the new 2.X Helm charts, it's not always really required to run the Falco pod as root. Nevertheless, Falco still does this which could often violate security policies (PSP, OPA, etc.).

Feature

I think it would make sense to introduce a flag which allows one to configure (or simply override?) the used service user from root to something else. I think we could even by default set the user to UID 1000 whenever the syscall event source is disabled. Of course, I would still add a values.yaml flag to override this default behavior in case some plugins still have the requirement to run as root.

Alternatives

At the moment this could already be done via the following Helm values but there's probably a nicer way to do that automatically (as mentioned above, e.g. whenever the syscall event source is disabled):

podSecurityContext:
  runAsUser: 1000

Additional context

Please let me know what you think about that. If you agree, I could create a PR in the near future.

Thanks & regards, Philip

PhilipSchmid avatar Jul 26 '22 07:07 PhilipSchmid

It looks like a good idea, but it may have some side effects (which I don't recall by heart).

@falcosecurity/deploy-kubernetes-maintainers and @falcosecurity/charts-maintainers wdyt? also cc @alacuku

leogr avatar Aug 23 '22 15:08 leogr

I like the idea and I can't remember any other use case (apart from syscalls) where root is required, so +1 from me

zuc avatar Aug 24 '22 15:08 zuc

Looks like a good idea to me too. Moreover, what about also enabling the selection of specific capabilities, still avoiding uid 0?

maxgio92 avatar Aug 24 '22 17:08 maxgio92

We can write a helper that is evaluated when the syscall event source is disabled. Users can still overwrite the default behavior by setting the podSecurityContext.

+1 from me!

alacuku avatar Aug 30 '22 06:08 alacuku
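As an added illustration of the helper described in the comments above (not code from the Falco chart; the `driver.enabled` value, the template name and the `falco.podSecurityContext` helper are assumptions for this example), a Helm helper that defaults the pod to UID 1000 when the syscall event source is disabled, while an explicit `podSecurityContext` in values.yaml still wins:

```yaml
# templates/_helpers.tpl (hypothetical; key names are assumptions, not the chart's own)
{{- define "falco.podSecurityContext" -}}
{{- if .Values.podSecurityContext -}}
# An explicit override from values.yaml always takes precedence,
# e.g. for plugins that still need root.
{{- toYaml .Values.podSecurityContext -}}
{{- else if not .Values.driver.enabled -}}
# Syscall event source (kernel driver) disabled: no root needed.
# runAsNonRoot makes the kubelet refuse to start the container if the
# image would still resolve to UID 0.
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
{{- end -}}
{{- end -}}

# templates/deployment.yaml (excerpt): render the helper into the pod spec.
# nindent 8 assumes securityContext sits under spec.template.spec.
      securityContext:
        {{- include "falco.podSecurityContext" . | nindent 8 }}
```

With `driver.enabled: true` and no override the helper renders nothing, so the pod keeps today's root default; `helm template --set driver.enabled=false` shows the non-root block in the output.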

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Nov 28 '22 09:11 poiana

/remove-lifecycle stale

Will implement this in the next days. Sorry for the delay.

PhilipSchmid avatar Dec 15 '22 15:12 PhilipSchmid

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Mar 15 '23 15:03 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Apr 15 '23 01:04 poiana

/remove-lifecycle rotten

leogr avatar Apr 27 '23 09:04 leogr

/help

leogr avatar Apr 27 '23 09:04 leogr

@leogr: This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Apr 27 '23 09:04 poiana

Sorry, I'm not using Falco anymore, and I therefore won't implement this any time soon. If anybody wants to implement it, please feel free to take it over 😉.

PhilipSchmid avatar Jun 21 '23 17:06 PhilipSchmid

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Sep 19 '23 21:09 poiana

/remove-lifecycle stale /assign @alacuku

leogr avatar Sep 21 '23 12:09 leogr

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Dec 20 '23 15:12 poiana

/remove-lifecycle stale

leogr avatar Dec 20 '23 17:12 leogr

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Mar 19 '24 21:03 poiana

/remove-lifecycle stale

Andreagit97 avatar Mar 20 '24 07:03 Andreagit97