kubectl-prof icon indicating copy to clipboard operation
kubectl-prof copied to clipboard
verified publisher icon josepdcs

capabilities in JobConfig can be reduced from SYS_ADMIN

Open jlynch1 opened this issue 1 year ago • 1 comments

for example in https://github.com/josepdcs/kubectl-prof/blob/main/internal/cli/kubernetes/job/jvm.go#L76

The capability in the JobConfig for perf sampling can be lowered from SYS_ADMIN to just PERFMON and SYSLOG kernels prior to v5.9 may require SYS_PTRACE

https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#perf-events-access-control

The permissions required for perf are sysctl -w kernel.kptr_restrict=0 sysctl -w kernel.perf_event_paranoid=1

or capabilities PERFMON and SYSLOG which is confirmed in the kernel code at the following locations https://elixir.bootlin.com/linux/v5.15.148/source/tools/perf/util/util.c#L290 https://elixir.bootlin.com/linux/v5.15.148/source/kernel/kallsyms.c#L794

I modified the line mentioned, built and tested the plugin with java and async-profiler and the profiler returns the output. this is some of the output of --dry-run

      name: kubectl-prof
        resources:
          limits:
            cpu: "1"
        securityContext:
          capabilities:
            add:
            - PERFMON
            - SYSLOG
          privileged: true

jlynch1 avatar Feb 01 '24 18:02 jlynch1

Thank you for your suggestion, @jlynch1. I'll take note of it and give it a try.

josepdcs avatar Feb 01 '24 19:02 josepdcs

Released in 1.5.0

josepdcs avatar Dec 23 '24 10:12 josepdcs