The capability in the JobConfig for perf sampling can be lowered from SYS_ADMIN to just PERFMON and SYSLOG
kernels prior to v5.9 may require SYS_PTRACE
for example in https://github.com/josepdcs/kubectl-prof/blob/main/internal/cli/kubernetes/job/jvm.go#L76
https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#perf-events-access-control
The permissions required for perf are
sysctl -w kernel.kptr_restrict=0
sysctl -w kernel.perf_event_paranoid=1
or capabilities PERFMON and SYSLOG
which is confirmed in the kernel code at the following locations
https://elixir.bootlin.com/linux/v5.15.148/source/tools/perf/util/util.c#L290
https://elixir.bootlin.com/linux/v5.15.148/source/kernel/kallsyms.c#L794
I modified the line mentioned, built and tested the plugin with java and async-profiler and the profiler returns the output. This is some of the output of --dry-run
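An added example (not from the issue or from kubectl-prof, and not the --dry-run output mentioned above): a Go check that decodes CapEff from /proc/<pid>/status and reports whether a profiler container reaches perf through the capabilities or the sysctls named above, and whether it still holds SYS_ADMIN. The status excerpts are constructed sample data, and all type and function names are hypothetical.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Capability bit numbers from include/uapi/linux/capability.h.
const (
	capSysAdmin = 21
	capSyslog   = 34
	capPerfmon  = 38
)

// Constructed /proc/<pid>/status excerpts (sample data, not from the issue).
const (
	leastPrivStatus = "Name:\tprofiler\nCapEff:\t0000004400000000\n" // PERFMON+SYSLOG
	sysAdminStatus  = "Name:\tprofiler\nCapEff:\t00000000a82425fb\n" // includes SYS_ADMIN
)

// Audit records which route to perf access is open and whether SYS_ADMIN is held.
type Audit struct{ ViaCaps, ViaSysctl, HasSysAdmin bool }

// parseCapEff extracts the effective capability mask from status text.
func parseCapEff(status string) (uint64, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			return strconv.ParseUint(strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), 16, 64)
		}
	}
	return 0, fmt.Errorf("no CapEff line")
}

// auditPerf applies the two alternatives the issue lists: the sysctl values
// (assumption: perf_event_paranoid <= 1 is treated like the quoted =1 setting)
// or the PERFMON and SYSLOG capabilities.
func auditPerf(capEff uint64, paranoid, kptrRestrict int) Audit {
	has := func(bit uint) bool { return capEff&(1<<bit) != 0 }
	return Audit{
		ViaCaps:     has(capPerfmon) && has(capSyslog),
		ViaSysctl:   paranoid <= 1 && kptrRestrict == 0,
		HasSysAdmin: has(capSysAdmin),
	}
}

func main() {
	for _, s := range []string{leastPrivStatus, sysAdminStatus} {
		mask, _ := parseCapEff(s)
		fmt.Printf("%#x -> %+v\n", mask, auditPerf(mask, 2, 1))
	}
}
```

On a live pod, feed it the real contents of /proc/<pid>/status and the node's two sysctl values instead of the constructed samples.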