falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

Replace --privileged flag with explicit set of capabilities #628

Closed mstemm closed 1 year ago

mstemm commented 5 years ago

It would be nice if we replaced the --privileged flag with a (smaller) list of capabilities. On our slack channel, Maksym Budonnyy mentioned that he was able to get falco to run properly with these capabilities:

Hi All,
After series of tries, I was able to run Falco in the non-privileged container.
Limitations: I tried only eBPF Falco
set of capabilities:
CAP_SYS_ADMIN - required for the bpf syscall
CAP_SYS_RESOURCE - required to change rlimit
CAP_SYS_NICE
CAP_SYS_PTRACE - to provide correct access to the /proc for scap_proc_scan_proc_dir??
CAP_FOWNER
CAP_SYS_PACCT

We should double-check and if these work, update our docs and recommended k8s config to use these enumerated capabilities instead.
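As an added illustration (not code from this issue or from the Falco project), the Python below decodes a container's CapEff mask as shown in /proc/<pid>/status and reports which capabilities exceed the six listed above, which is the check you would run to confirm a deployment really dropped --privileged. Bit positions come from <linux/capability.h>; the two status texts are constructed samples.

```python
"""Decode a Linux capability mask (CapEff in /proc/<pid>/status) and compare it
with the six capabilities reported as sufficient for the Falco eBPF driver."""

# Bit positions from <linux/capability.h>: the six we need, plus a few that
# tell a --privileged container apart from a capability-scoped one.
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_FOWNER": 3, "CAP_SETUID": 7,
    "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13, "CAP_SYS_MODULE": 16,
    "CAP_SYS_RAWIO": 17, "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20,
    "CAP_SYS_ADMIN": 21, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_PERFMON": 38, "CAP_BPF": 39,
}

# The set from the Slack report quoted in the issue.
FALCO_EBPF_CAPS = frozenset({
    "CAP_SYS_ADMIN", "CAP_SYS_RESOURCE", "CAP_SYS_NICE",
    "CAP_SYS_PTRACE", "CAP_FOWNER", "CAP_SYS_PACCT",
})

def decode_caps(hex_mask: str) -> set:
    """Return the capability names granted by a CapEff hex string.
    Bits not listed in CAP_BITS are reported generically as CAP_<bit>."""
    mask = int(hex_mask, 16)
    by_bit = {bit: name for name, bit in CAP_BITS.items()}
    return {by_bit.get(bit, f"CAP_{bit}")
            for bit in range(mask.bit_length()) if (mask >> bit) & 1}

def capeff_from_status(status_text: str) -> str:
    """Extract the CapEff field from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no CapEff line in status text")

def excess_caps(status_text: str, allowed=FALCO_EBPF_CAPS) -> set:
    """Capabilities held beyond the allowed set; an empty result means the
    container is scoped to the eBPF requirements (or less)."""
    return decode_caps(capeff_from_status(status_text)) - allowed

# Constructed samples: CapEff of a --privileged container on a 5.8+ kernel
# (all 41 capabilities) and of one started with only the six caps above.
PRIVILEGED_STATUS = "Name:\tfalco\nCapEff:\t000001ffffffffff\n"
SCOPED_STATUS = "Name:\tfalco\nCapEff:\t0000000001b80008\n"

if __name__ == "__main__":
    print("privileged excess:", sorted(excess_caps(PRIVILEGED_STATUS)))
    print("scoped excess:", sorted(excess_caps(SCOPED_STATUS)))
```

Run it inside the Falco container against `open("/proc/self/status").read()` to audit the live process rather than the samples.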

leodido commented 5 years ago

/priority high /kind feature

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

mstemm commented 5 years ago

We should keep this on the roadmap.

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

leodido commented 4 years ago

We still want this

On Fri, 7 Feb 2020 at 13:51, stale[bot] notifications@github.com wrote:

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.


-- L.

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

leodido commented 4 years ago

Keep. L.

On Tue, Apr 7, 2020 at 6:29 PM stale[bot] notifications@github.com wrote:

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.


stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

leogr commented 4 years ago

Keep pls

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed. Please refer to a maintainer to get such label added if you think this should be kept open.

poiana commented 3 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana commented 3 years ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana commented 3 years ago

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

poiana commented 3 years ago

@poiana: Closing this issue.

In response to [this](https://github.com/falcosecurity/falco/issues/628#issuecomment-769141092):

>Rotten issues close after 30d of inactivity.
>
>Reopen the issue with `/reopen`.
>
>Mark the issue as fresh with `/remove-lifecycle rotten`.
>
>Provide feedback via https://github.com/falcosecurity/community.
>/close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

Dentrax commented 2 years ago

Hey @leodido, any updates or roadmap plan on this? It seems all related issues are closed due to 30d inactivity. We are running our Falco pods with securityContext: privileged: true, but we would prefer to use an explicit set of capabilities instead of passing privileged: true for the container.

Version: 0.26.2

cc: @developer-guy

leogr commented 2 years ago

/reopen

Hey @Dentrax

AFAIK, we currently support that only for the "least privileged" approach, but it comes with some caveats :point_down: https://falco.org/docs/getting-started/running/#docker-least-privileged

poiana commented 2 years ago

@leogr: Reopened this issue.

In response to [this](https://github.com/falcosecurity/falco/issues/628#issuecomment-982853264):

>/reopen
>
>Hey @Dentrax
>
>AFAIK, we currently support that only for the "least privileged" approach, but it comes with some caveats :point_down:
>https://falco.org/docs/getting-started/running/#docker-least-privileged

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

poiana commented 2 years ago

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

poiana commented 2 years ago

@poiana: Closing this issue.

In response to [this](https://github.com/falcosecurity/falco/issues/628#issuecomment-1003186700):

>Rotten issues close after 30d of inactivity.
>
>Reopen the issue with `/reopen`.
>
>Mark the issue as fresh with `/remove-lifecycle rotten`.
>
>Provide feedback via https://github.com/falcosecurity/community.
>/close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

jasondellaluce commented 2 years ago

/reopen

poiana commented 2 years ago

@jasondellaluce: Reopened this issue.

In response to [this](https://github.com/falcosecurity/falco/issues/628#issuecomment-1003977316):

>/reopen

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

poiana commented 2 years ago

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

poiana commented 2 years ago

@poiana: Closing this issue.

In response to [this](https://github.com/falcosecurity/falco/issues/628#issuecomment-1028076807):

>Rotten issues close after 30d of inactivity.
>
>Reopen the issue with `/reopen`.
>
>Mark the issue as fresh with `/remove-lifecycle rotten`.
>
>Provide feedback via https://github.com/falcosecurity/community.
>/close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

jasondellaluce commented 2 years ago

/reopen

/remove-lifecycle rotten

poiana commented 2 years ago

@jasondellaluce: Reopened this issue.

In response to [this](https://github.com/falcosecurity/falco/issues/628#issuecomment-1028179446):

>/reopen
>
>/remove-lifecycle rotten

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

leogr commented 2 years ago

@loresuso This issue should be mostly addressed, shouldn't it?

loresuso commented 2 years ago

Hi @leogr, I wasn't aware of this issue, but yes, I have identified the needed capabilities when using the eBPF driver. I already have a PR that got merged recently into the website, and you can find it here. Take a look at it if you're interested; I have tried to explain why each capability is actually needed!

poiana commented 2 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

leogr commented 2 years ago

I still think this is something we have to improve for

/milestone 1.0.0

so

/remove-lifecycle stale

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

jasondellaluce commented 1 year ago

/remove-lifecycle stale

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

micatlkw commented 1 year ago

Please keep

jasondellaluce commented 1 year ago

/remove-lifecycle stale

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

leogr commented 1 year ago

/remove-lifecycle stale

cc @therealbobo

leogr commented 1 year ago

cc @loresuso

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

therealbobo commented 1 year ago

/remove-lifecycle stale

Speeddymon commented 1 year ago

I suspect one of the blockers for a lot of things the team wants to do (including this) has been some older versions of different distros which run pre-5.8 kernels, because those kernels didn't have support for CAP_BPF. According to the blog post, generally kernels >=5.8 have all the necessary support to run the modern probe, though it's possible the BTF kernel feature was backported to an older kernel.

I'd be willing to bet that most distros are nearing EOL for pre-5.8 kernels by now. I know Ubuntu 18.04 is the last release of that distro with one, and it went to EOL at the end of April.

I'll soon-ish try to create a list of what distros offer what kernel, and which distro versions have BTF support in a pre-5.8 kernel (and still offer support for such old kernels).

A blog post with a link to a short survey could help to gather input from the userbase regarding who still needs support for kernels without BTF. If >80% of the user base is on 5.10 or higher, then it would be good to consider dropping support for the older probe; however, that leaves the question of what capabilities are required for the kernel module.

If the kernel module can work with the same capabilities as the modern probe, then moving this issue forward becomes easier.

Andreagit97 commented 1 year ago

Hi all, I've recently updated the docs with the necessary capabilities needed by each driver https://falco.org/docs/event-sources/kernel/. Unfortunately, the kernel module cannot run with capabilities but it requires full privileges :(

I'll soon-ish try to create a list of what distros offer what kernel, and which distro versions have BTF support in a pre-5.8 kernel (and still offer support for such old kernels).

That would be amazing!

then it would be good to consider dropping support for the older probe, however, that leaves the question of what capabilities are required for the kernel module.

Let's say the capability issue should be solved for all drivers; we updated the helm chart to support the least privileged mode for the modern bpf as well.

IMHO at a certain point in time we could move the old probe into a sort of maintenance mode, so no new features, just fixes, but not sure when this moment will come...

In the meanwhile, I think we can close this issue since its initial scope was to run Falco with capabilities and we should have this feature :)