Is there a way to run as unprivileged?
First of all, thanks for writing the plugin. Profiling on kubernetes is difficult and I'm looking forward to seeing if this plugin can ease the pain.
Currently, our clusters have a default pod security policy which disallows privileged containers, resulting in something like this when I try to run the plugin:
2021/01/18 13:53:47 Job.batch "kubectl-flame-cx36dx4d-e2xe-4987-879a-d64776cb5543" is invalid: spec.template.spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
I see this plugin needs to run the jobs on Kubernetes currently as privileged: https://github.com/VerizonMedia/kubectl-flame/blob/cb7290125d6d471bfb159be5e3ff3bf7178bef94/cli/cmd/kubernetes/job/python.go#L72 (same on jvm and golang)
Is there a way to reduce the number of privileges it needs to run? E.g. by setting the right capabilities?
Hi @mrueg I'm currently working on switching from privileged pod to specific capabilities. Hope to have it ready in a few days. Thanks
@edeNFed, is it also possible to enhance the cli to support passing / specifying a custom securityContext (required in our k8s cluster pod security policy)? Say, something like below:
apiVersion: batch/v1
kind: Job
spec:
  template:
    metadata:
      name: kubectl-flame-226b6efa-60d7-4256-9317-8aca48862125
      namespace: my-app
    spec:
      securityContext: # <--- Required
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 1000
      ...
Thanks!
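As an added illustration, not part of this thread or of the kubectl-flame project, here is the shape of Job manifest the two requests above are asking for: the `privileged: true` container setting is replaced by an explicit capability list, and the pod-level securityContext required by the cluster policy is passed through. The capability chosen (SYS_PTRACE) and the use of hostPID are assumptions about what an attach-based profiler needs; the job name, namespace and image are placeholders.

```yaml
# Added example manifest (not generated by kubectl-flame).
# Assumptions: the profiler attaches to the target with ptrace, so it
# needs CAP_SYS_PTRACE and visibility of the host PID namespace.
apiVersion: batch/v1
kind: Job
metadata:
  name: kubectl-flame-PLACEHOLDER
  namespace: my-app
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      hostPID: true                    # assumption: target lives in another pod
      securityContext:                 # pod-level context required by the policy
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 2000
      containers:
        - name: flame
          image: PLACEHOLDER-profiler-image
          securityContext:
            privileged: false          # was: privileged: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]            # start from nothing ...
              add: ["SYS_PTRACE"]      # ... and add only what the profiler needs
```

Two caveats when adopting this: a capability added to a container that runs as a non-root UID only reaches the process's effective set if the runtime grants ambient capabilities or the profiler binary carries file capabilities, so test that ptrace actually works under `runAsNonRoot: true` on your nodes; and `hostPID: true` is itself forbidden by the stricter pod security profiles, so the policy may still need an exception scoped to the profiler's namespace rather than a cluster-wide relaxation.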
@edeNFed Any plans to make it unprivileged? I'm running into the same issue as well when trying to use it in my cluster. It's been over a year since you mentioned you were making a change to add this feature.