Deployment Falco Pods may not need to be run as root (e.g. in the K8s audit plugin usecase)

[PhilipSchmid]

Motivation

With the introduction of the new Falco plugin system and the new 2.X Helm charts, it's not always really required to run the Falco pod as root. Nevertheless, Falco still does this which could often violate security policies (PSP, OPA, etc.).

Feature

I think it would make sense to introduce a flag which allows one to configure (or simply override?) the used service user from root to something else. I think we could even by default set the user to UID 1000 whenever the syscall event source is disabled. Of course, I would still add a values.yaml flag to override this default behavior in case some plugins still have the requirement to run as root.

Alternatives

At the moment this could already be done via the following Helm values but there's probably a nicer way to do that automatically (as mentioned above, e.g. whenever the syscall event source is disabled):

podSecurityContext:
  runAsUser: 1000

Additional context

Please let me know what you think about that. If you agree, I could create a PR in the near future.

Thanks & regards, Philip

[leogr]

It looks like a good idea, but it may have some side effects (which I don't recall by heart).

@falcosecurity/deploy-kubernetes-maintainers and @falcosecurity/charts-maintainers wdyt? also cc @alacuku

[zuc]

I like the idea and I can't remember of any other use case (apart from syscalls) where root is required, so +1 from me

[maxgio92]

Looks a good idea to me too. Moreover, what about enabling also to select specific capabilities, still avoiding uid 0?

[alacuku]

We can write a helper that is evaluated when the syscall event source is disabled. Users can still overwrite the default behavior by setting the podSecurityContext.

+1 from me!

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[PhilipSchmid]

/remove-lifecycle stale

Will implement this in the next days. Sorry for the delay.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

[leogr]

/remove-lifecycle rotten

[leogr]

/help

[poiana]

@leogr: This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to [this](https://github.com/falcosecurity/charts/issues/377): >/help Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[PhilipSchmid]

Sorry I'm not using Falco anymore and I therefore won't implement this any time soon. If anybody wants to implement it, please feel free to take it over 😉 .

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[leogr]

/remove-lifecycle stale /assign @alacuku

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[leogr]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[leogr]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[leogr]

/remove-lifecycle stale