Skip to content

Commit

Permalink
update unprivileged documentation to require NET_RAW
Browse files Browse the repository at this point in the history
  • Loading branch information
@dashpole
dashpole committed Apr 9, 2024
1 parent 475ce3a commit 8474759
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions docs/sources/setup/kubernetes.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -250,6 +250,7 @@ To run Beyla unprivileged, you need to replace the `privileged:true` setting wit
- `CAP_SYS_ADMIN` is required to install most of the eBPF probes, because Beyla tracks system calls
- `CAP_SYS_PTRACE` is required so that Beyla is able to look into the processes namespaces and inspect the executables. Beyla doesn't use `ptrace`, but for some of the operations it does require this capability
- `CAP_SYS_RESOURCE` is required only on kernels **< 5.11** so that Beyla can increase the amount of locked memory available
- `CAP_NET_RAW` is required for using installing socket filters, which are used as a fallback for kretprobes for HTTP requests

Check failure on line 253 in docs/sources/setup/kubernetes.md

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[Grafana.Spelling] Did you really mean 'kretprobes'? For product names, the Grafana dictionary might not know of it yet. You need to add an entry to https://github.com/grafana/writers-toolkit/tree/main/vale/dictionaries/en_US-grafana.wordlist to add a product name to the dictionary. Alternatively, raise an [issue](https://github.com/grafana/writers-toolkit/issues/new?title=Grafana.Spelling%3A%3CWORD%!E(string= )) and a maintainer will add it for you. For UI elements, use [bold formatting](https://grafana.com/docs/writers-toolkit/write/style-guide/style-conventions/#bold). The spell checker doesn't check words with bold formatting. For paths; configuration; user input; code; class, method, and variable names; statuscodes; and console output, use [code formatting](https://grafana.com/docs/writers-toolkit/write/style-guide/style-conventions/#bold). The spell checker doesn't check words with code formatting. 

If the rule is incorrect or needs improving, [report an issue](https://github.com/grafana/writers-toolkit/issues/new?title=Grafana.Spelling%20%3A%20%3CISSUE%3E).

If you have reason to diverge from the style guidance, to skip a rule, refer to [Skip rules](https://grafana.com/docs/writers-toolkit/review/lint-prose/#skip-rules).

Raw Output:
{"message": "[Grafana.Spelling] Did you really mean 'kretprobes'? For product names, the Grafana dictionary might not know of it yet. You need to add an entry to https://github.com/grafana/writers-toolkit/tree/main/vale/dictionaries/en_US-grafana.wordlist to add a product name to the dictionary. Alternatively, raise an [issue](https://github.com/grafana/writers-toolkit/issues/new?title=Grafana.Spelling%3A%3CWORD%!E(string= )) and a maintainer will add it for you. For UI elements, use [bold formatting](https://grafana.com/docs/writers-toolkit/write/style-guide/style-conventions/#bold). The spell checker doesn't check words with bold formatting. For paths; configuration; user input; code; class, method, and variable names; statuscodes; and console output, use [code formatting](https://grafana.com/docs/writers-toolkit/write/style-guide/style-conventions/#bold). The spell checker doesn't check words with code formatting. \n\nIf the rule is incorrect or needs improving, [report an issue](https://github.com/grafana/writers-toolkit/issues/new?title=Grafana.Spelling%20%3A%20%3CISSUE%3E).\n\nIf you have reason to diverge from the style guidance, to skip a rule, refer to [Skip rules](https://grafana.com/docs/writers-toolkit/review/lint-prose/#skip-rules).", "location": {"path": "docs/sources/setup/kubernetes.md", "range": {"start": {"line": 253, "column": 99}}}, "severity": "ERROR"}

In addition to these Linux capabilities, many Kubernetes versions include [AppArmour](https://kubernetes.io/docs/tutorials/security/apparmor/), which tough policies adds additional restrictions to unprivileged containers. By [default](https://github.com/moby/moby/blob/master/profiles/apparmor/template.go), the AppArmour policy restricts the use of `mount` and the access to `/sys/fs/` directories. Beyla uses the BPF Linux file system to store pinned BPF maps, for communication among the different BPF programs. For this reason, Beyla either needs to `mount` a BPF file system, or write to `/sys/fs/bpf`, which are both restricted.

Expand Down Expand Up @@ -305,6 +306,7 @@ spec:
add:
- SYS_ADMIN # <-- Important. Required for most eBPF probes to function correctly.
- SYS_PTRACE # <-- Important. Allows Beyla to access the container namespaces and inspect executables.
- NET_RAW # <-- Important. Allows Beyla to use socket filters for http requests.
#- SYS_RESOURCE # <-- pre 5.11 only. Allows Beyla to increase the amount of locked memory.
volumeMounts:
- name: var-run-beyla
Expand Down

0 comments on commit 8474759

Please sign in to comment.