
Replace --privileged flag with explicit set of capabilities

Open mstemm opened this issue 5 years ago • 40 comments

It would be nice if we replaced the --privileged flag with a (smaller) list of capabilities. On our slack channel, Maksym Budonnyy mentioned that he was able to get falco to run properly with these capabilities:

Hi All,
After series of tries, I was able to run Falco in the non-privileged container.
Limitations: I tried only eBPF Falco
set of capabilities:
CAP_SYS_ADMIN - required for the bpf syscall
CAP_SYS_RESOURCE - required to change rlimit
CAP_SYS_NICE
CAP_SYS_PTRACE - to provide correct access to the /proc for scap_proc_scan_proc_dir??
CAP_FOWNER
CAP_SYS_PACCT

We should double-check and if these work, update our docs and recommended k8s config to use these enumerated capabilities instead.

mstemm avatar May 28 '19 22:05 mstemm
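The capability list above is only useful if operators can verify that a running Falco container actually holds those bits and nothing more. The following is an added example (not code from the Falco project or from anyone in this thread): it decodes the `CapEff` bitmask that the kernel exposes in `/proc/<pid>/status`, compares it against the six capabilities Maksym reported for the eBPF driver, and renders the equivalent Kubernetes `securityContext` with `drop: [ALL]` plus an explicit `add` list instead of `privileged: true`. The capability bit numbers are the kernel's own (`include/uapi/linux/capability.h`); the sample `/proc` status texts are constructed, and the required set is taken from this issue's first post rather than from the Falco documentation, which is the authoritative source.

```python
"""Verify a container's effective Linux capabilities against Falco's required set."""
import os
import re

# Linux capability bit numbers, index == bit (include/uapi/linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The set reported in this issue for the eBPF driver (assumption: taken from the
# first post of the thread, not from the official Falco docs).
FALCO_EBPF_CAPS = frozenset({
    "CAP_SYS_ADMIN", "CAP_SYS_RESOURCE", "CAP_SYS_NICE",
    "CAP_SYS_PTRACE", "CAP_FOWNER", "CAP_SYS_PACCT",
})

# Constructed /proc/<pid>/status excerpt: Docker's default capability set
# (CapEff 0xa80425fb), i.e. what a plain non-privileged container gets.
DOCKER_DEFAULT_STATUS = (
    "Name:\tfalco\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
)
# Constructed mask for a --privileged container on a kernel with 41 capabilities.
PRIVILEGED_MASK = "000001ffffffffff"


def decode_caps(hex_mask: str) -> set:
    """Turn a CapEff/CapPrm hex bitmask into the set of capability names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def parse_cap_eff(status_text: str) -> str:
    """Extract the CapEff hex field from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in /proc status text")
    return m.group(1)


def check_caps(hex_mask: str, required=FALCO_EBPF_CAPS) -> dict:
    """Report which required caps are missing and which held caps are surplus."""
    effective = decode_caps(hex_mask)
    return {
        "ok": required <= effective,
        "missing": sorted(required - effective),
        "extra": sorted(effective - required),
    }


def k8s_security_context(required=FALCO_EBPF_CAPS) -> dict:
    """Render the securityContext that replaces privileged: true.

    Kubernetes names capabilities without the CAP_ prefix; dropping ALL first
    keeps the container from inheriting the runtime's default set.
    """
    return {
        "privileged": False,
        "capabilities": {
            "drop": ["ALL"],
            "add": sorted(c[len("CAP_"):] for c in required),
        },
    }


if __name__ == "__main__":
    for label, mask in (("docker default", parse_cap_eff(DOCKER_DEFAULT_STATUS)),
                        ("privileged", PRIVILEGED_MASK)):
        print(label, check_caps(mask))
    if os.path.exists("/proc/self/status"):  # live check on Linux only
        with open("/proc/self/status") as f:
            print("this process", check_caps(parse_cap_eff(f.read())))
    print(k8s_security_context())
```

Run inside the Falco container (`python3 capcheck.py`, assuming the script is saved under that name) to see whether the effective set matches; a non-empty `extra` list with `privileged: true` is exactly the over-grant this issue wants to eliminate.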

/priority high /kind feature

leodido avatar Jun 12 '19 00:06 leodido

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Aug 11 '19 00:08 stale[bot]

We should keep this on the roadmap.

mstemm avatar Aug 12 '19 16:08 mstemm

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Dec 08 '19 16:12 stale[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Feb 07 '20 12:02 stale[bot]

We still want this

On Fri, 7 Feb 2020 at 13:51, stale[bot] [email protected] wrote:

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.


-- L.

leodido avatar Feb 07 '20 15:02 leodido

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 07 '20 16:04 stale[bot]

Keep L.

On Tue, Apr 7, 2020 at 6:29 PM stale[bot] [email protected] wrote:

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.


leodido avatar Apr 07 '20 17:04 leodido

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 06 '20 18:06 stale[bot]

Keep pls

leogr avatar Jun 14 '20 07:06 leogr

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed. Please refer to a maintainer to get such label added if you think this should be kept open.

stale[bot] avatar Aug 14 '20 09:08 stale[bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Nov 22 '20 07:11 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Dec 29 '20 09:12 poiana

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

poiana avatar Jan 28 '21 14:01 poiana

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Jan 28 '21 14:01 poiana

Hey @leodido, any updates or roadmap plan on this? It seems all related issues are closed due to 30d inactivity. We are running our Falco pods with securityContext: privileged: true, but we would prefer to use an explicit set of capabilities instead of passing privileged: true for the container.

Version: 0.26.2

cc: @developer-guy

Dentrax avatar Nov 30 '21 14:11 Dentrax

/reopen

Hey @Dentrax

AFAIK, we currently support that only for the "least privileged" approach, but it comes with some caveats :point_down: https://falco.org/docs/getting-started/running/#docker-least-privileged

leogr avatar Nov 30 '21 17:11 leogr

@leogr: Reopened this issue.

In response to this:

/reopen

Hey @Dentrax

AFAIK, we currently support that only for the "least privileged" approach, but it comes with some caveats :point_down: https://falco.org/docs/getting-started/running/#docker-least-privileged

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Nov 30 '21 17:11 poiana

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

poiana avatar Dec 30 '21 21:12 poiana

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Dec 30 '21 21:12 poiana

/reopen

jasondellaluce avatar Jan 03 '22 09:01 jasondellaluce

@jasondellaluce: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Jan 03 '22 09:01 poiana

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

poiana avatar Feb 02 '22 15:02 poiana

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Feb 02 '22 15:02 poiana

/reopen

/remove-lifecycle rotten

jasondellaluce avatar Feb 02 '22 17:02 jasondellaluce

@jasondellaluce: Reopened this issue.

In response to this:

/reopen

/remove-lifecycle rotten

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Feb 02 '22 17:02 poiana

@loresuso This issue should be mostly addressed, shouldn't it?

leogr avatar Mar 16 '22 17:03 leogr

Hi @leogr, I wasn't aware of this issue, but yes, I have identified the needed capabilities when using the eBPF driver. I already have a PR that got merged recently into the website, and you can find it here. Take a look at it if you're interested; I have tried to explain why each capability is actually needed!

loresuso avatar Mar 16 '22 17:03 loresuso

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jun 14 '22 18:06 poiana

I still think this is something we have to improve for

/milestone 1.0.0

so

/remove-lifecycle stale

leogr avatar Jun 16 '22 12:06 leogr