beyla is trying to write the root filesystem

Open esara opened this issue 1 year ago • 4 comments

Following k8s security best practices - for example https://cloud.google.com/architecture/best-practices-for-building-containers#file_system_security - if you run Beyla with

  securityContext:
    privileged: true
    readOnlyRootFilesystem: true

you get

$ kubectl logs -f beyla-75jgp
time=2024-02-01T02:13:57.589Z level=INFO msg="Grafana Beyla" Version=0da32eb2 "OpenTelemetry SDK Version"=1.18.0
time=2024-02-01T02:13:57.798Z level=ERROR msg="cant start process tracer. Stopping it" component=discover.TraceAttacher error="can't mount BPF filesystem: creating directory /var/run/beyla/beyla-13430: mkdir /var/run/beyla: read-only file system"
time=2024-02-01T02:13:57.798Z level=ERROR msg="Beyla couldn't find target process" error="couldn't start Process Finder: can't instantiate discovery.ProcessFinder pipeline: instantiating terminal instance \"TraceAttacher\": can't mount BPF filesystem: creating directory /var/run/beyla/beyla-13430: mkdir /var/run/beyla: read-only file system"

As a potential solution, we can mount an emptyDir in the example - happy to create a PR for the docs.

esara avatar Feb 01 '24 03:02 esara
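The workaround proposed above, as an added example that is not part of this thread or of the Beyla repository's own manifests: a DaemonSet that keeps readOnlyRootFilesystem: true and gives the container a writable emptyDir at /var/run/beyla, the directory the mkdir error shows Beyla trying to create. The namespace, image tag and hostPID setting are assumptions, not values taken from the issue.

```yaml
# Added example, not a manifest from the Beyla project.
# Weak setting: privileged + readOnlyRootFilesystem with no writable volume
# fails with "mkdir /var/run/beyla: read-only file system" (see the log above).
# Fix: keep the read-only root and mount an emptyDir at the path Beyla writes to.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: beyla
  namespace: beyla                 # assumed namespace
spec:
  selector:
    matchLabels:
      app: beyla
  template:
    metadata:
      labels:
        app: beyla
    spec:
      hostPID: true                # assumed; needed to see node processes
      containers:
        - name: beyla
          image: grafana/beyla:latest   # placeholder; pin a real tag
          securityContext:
            privileged: true
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: beyla-run
              mountPath: /var/run/beyla   # same path as in the error message
      volumes:
        - name: beyla-run
          emptyDir: {}             # per-pod scratch space, removed with the pod
```

Without the volumeMounts and volumes entries the pod fails exactly as in the log above; with them, the only writable location is the emptyDir, so the container's root filesystem stays read-only as the best-practice guide recommends.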

Thank you very much! We will explain this in our documentation.

mariomac avatar Feb 01 '24 08:02 mariomac

I think we can improve this as you mentioned. We need a location to store the pinned eBPF maps, but we make our own file system that's eBPF based, so technically it doesn't have to be in /var/run/...

grcevski avatar Feb 01 '24 14:02 grcevski

related #1144

marctc avatar Sep 10 '24 10:09 marctc

The unprivileged example (and the Helm chart's privileged: false option) already use an emptyDir instead of the root file system: https://github.com/grafana/beyla/blob/2f9cf727494d3a449d6e9b79e21ac6f556c16abc/examples/k8s/unprivileged.yaml#L179-L181

Therefore they can run with readOnlyRootFilesystem: true. Maybe this can be closed?

marevers avatar Sep 11 '24 07:09 marevers