Closed mstemm closed 1 year ago
/priority high /kind feature
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
We should keep this on the roadmap.
We still want this
On Fri, 7 Feb 2020 at 13:51, stale[bot] notifications@github.com wrote:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
-- L.
Keep L.
On Tue, Apr 7, 2020 at 6:29 PM stale[bot] notifications@github.com wrote:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Keep pls
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed. Please refer to a maintainer to get such label added if you think this should be kept open.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Provide feedback via https://github.com/falcosecurity/community.
/close
@poiana: Closing this issue.
Hey @leodido, any updates or roadmap plan on this? It seems all related issues are closed due to 30d inactivity. We are running our Falco pods with securityContext: privileged: true, but we prefer to use an explicit set of capabilities instead of passing privileged: true for the container.
Version: 0.26.2
cc: @developer-guy
/reopen
Hey @Dentrax
AFAIK, we currently support that only for the "least privileged" approach, but it comes with some caveats :point_down: https://falco.org/docs/getting-started/running/#docker-least-privileged
@leogr: Reopened this issue.
@poiana: Closing this issue.
/reopen
@jasondellaluce: Reopened this issue.
@poiana: Closing this issue.
/reopen
/remove-lifecycle rotten
@jasondellaluce: Reopened this issue.
@loresuso This issue should be mostly addressed, shouldn't it?
Hi @leogr, I wasn't aware of this issue, but yes, I have identified the needed capabilities when using eBPF driver. I have already a PR that got merged recently into the website, and you can find it here. Take a look at it if you're interested, I have tried to explain why each capability is actually needed!
I still think this is something we have to improve for
/milestone 1.0.0
so
/remove-lifecycle stale
/remove-lifecycle stale
Please keep
/remove-lifecycle stale
/remove-lifecycle stale
cc @therealbobo
cc @loresuso
/remove-lifecycle stale
I suspect one of the blockers for a lot of things the team wants to do (including this) has been some older versions of different distros which run pre-5.8 kernels, because those kernels didn't have support for CAP_BPF. According to the blog post, generally kernels >=5.8 have all the necessary support to run the modern probe, though it's possible the BTF kernel feature was backported to an older kernel.
I'd be willing to bet that most distros are nearing EOL for pre-5.8 kernels by now. I know Ubuntu 18.04 is the last release of that distro with one, and it went to EOL at the end of April.
I'll soon-ish try to create a list of what distros offer what kernel, and which distro versions have BTF support in a pre-5.8 kernel (and still offer support for such old kernels).
A blog post with a link to a short survey could help to gather input from the userbase regarding who still needs support for kernels without BTF. If >80% of the user base is on 5.10 or higher, then it would be good to consider dropping support for the older probe, however that leaves the question of what capabilities are required for the kernel module.
If the kernel module can work with the same capabilities as the modern probe, then moving this issue forward becomes easier.
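An added example, not taken from Falco or from any participant in this thread: a node triage script for the two kernel constraints raised in the comment above (CAP_BPF arriving in 5.8, and BTF possibly present on older kernels). The function names and output labels are hypothetical, and it assumes BTF is exposed at /sys/kernel/btf/vmlinux.

```shell
#!/bin/sh
# Added example (not Falco code). Labels and function names are hypothetical.

# kernel_at_least RELEASE MAJOR MINOR
# Exit 0 if RELEASE >= MAJOR.MINOR, 1 if older, 2 if RELEASE cannot be parsed.
kernel_at_least() {
    major=${1%%.*}               # 5.4.0-150-generic -> 5
    rest=${1#*.}                 # -> 4.0-150-generic
    minor=${rest%%[!0-9]*}       # -> 4
    for n in "$major" "$minor"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -gt "$2" ] && return 0
    [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ] && return 0
    return 1
}

# classify_node [RELEASE] [BTF_PATH]
# With no arguments it inspects the running node; arguments allow offline checks.
classify_node() {
    release=${1:-$(uname -r)}
    btf=${2:-/sys/kernel/btf/vmlinux}   # assumed BTF location
    if [ -r "$btf" ]; then has_btf=yes; else has_btf=no; fi

    rc=0
    kernel_at_least "$release" 5 8 || rc=$?

    case $rc:$has_btf in
        0:yes) echo "modern-probe-candidate" ;;      # CAP_BPF era kernel with BTF
        0:no)  echo "new-kernel-without-btf" ;;      # kernel built without BTF
        1:yes) echo "btf-backported-no-cap-bpf" ;;   # BTF present, kernel predates CAP_BPF
        1:no)  echo "pre-5.8-no-btf" ;;
        *)     echo "unknown-kernel" ;;              # release string not parsable
    esac
}

# Constructed release strings; /dev/null stands in for a readable BTF file.
classify_node "5.15.0-91-generic" /dev/null
classify_node "4.18.0-513.el8.x86_64" /dev/null
classify_node "5.4.0-150-generic" /nonexistent/btf
classify_node    # the running node
```

Running it across a fleet and counting the labels gives the kind of distro and kernel inventory the comment proposes to collect.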
Hi all, I've recently updated the docs with the necessary capabilities needed by each driver https://falco.org/docs/event-sources/kernel/. Unfortunately, the kernel module cannot run with capabilities but it requires full privileges :(
> I'll soon-ish try to create a list of what distros offer what kernel, and which distro versions have BTF support in a pre-5.8 kernel (and still offer support for such old kernels).
That would be amazing!
> then it would be good to consider dropping support for the older probe, however, that leaves the question of what capabilities are required for the kernel module.
Let's say the capability issue should be solved for all drivers, we updated the helm chart to support the least privileged mode also for the modern bpf
IMHO at a certain point in time we could move the old probe in a sort of maintenance mode, so no new features just fixes but not sure when this moment will come...
In the meanwhile, I think we can close this issue since its initial scope was to run Falco with capabilities and we should have this feature :)
It would be nice if we replaced the --privileged flag with a (smaller) list of capabilities. On our slack channel, Maksym Budonnyy mentioned that he was able to get falco to run properly with these capabilities:
We should double-check and if these work, update our docs and recommended k8s config to use these enumerated capabilities instead.