search

josepdcs / kubectl-prof

kubectl-prof is a kubectl plugin to profile applications on kubernetes with minimum overhead
Apache License 2.0
36 stars 3 forks source link

capabilities in JobConfig can be reduced from SYS_ADMIN #25

Open jlynch1 opened 8 months ago

jlynch1 commented 8 months ago

for example in https://github.com/josepdcs/kubectl-prof/blob/main/internal/cli/kubernetes/job/jvm.go#L76

The capability in the JobConfig for perf sampling can be lowered from SYS_ADMIN to just PERFMON and SYSLOG kernels prior to v5.9 may require SYS_PTRACE

https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#perf-events-access-control

The permissions required for perf are sysctl -w kernel.kptr_restrict=0 sysctl -w kernel.perf_event_paranoid=1

or capabilities PERFMON and SYSLOG which is confirmed in the kernel code at the following locations https://elixir.bootlin.com/linux/v5.15.148/source/tools/perf/util/util.c#L290 https://elixir.bootlin.com/linux/v5.15.148/source/kernel/kallsyms.c#L794

I modified the line mentioned, built and tested the plugin with java and async-profiler and the profiler returns the output. this is some of the output of --dry-run

      name: kubectl-prof
        resources:
          limits:
            cpu: "1"
        securityContext:
          capabilities:
            add:
            - PERFMON
            - SYSLOG
          privileged: true
josepdcs commented 8 months ago

Thank you for your suggestion, @jlynch1. I'll take note of it and give it a try.