Update docs
rafaelroquetto committed Oct 11, 2024
1 parent 4cf890f commit e504d2f
Showing 3 changed files with 0 additions and 147 deletions.
48 changes: 0 additions & 48 deletions charts/beyla/templates/daemon-set.yaml
Expand Up @@ -25,9 +25,6 @@ spec:
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (.Values.privileged) }}
container.apparmor.security.beta.kubernetes.io/beyla: "unconfined"
{{- end }}
labels:
{{- include "beyla.labels" . | nindent 8 }}
app.kubernetes.io/component: workload
Expand All @@ -45,31 +42,6 @@ spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- if not (.Values.privileged) }}
initContainers:
- name: mount-bpf-fs
image: {{ .Values.global.image.registry | default .Values.image.registry }}/{{ .Values.image.repository }}{{ include "beyla.imageId" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- 'mkdir -p /sys/fs/bpf/$BEYLA_BPF_FS_PATH && mount -t bpf bpf /sys/fs/bpf/$BEYLA_BPF_FS_PATH'
command:
- /bin/bash
- -c
- --
securityContext:
privileged: true
volumeMounts:
- name: bpffs
mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
env:
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: BEYLA_BPF_FS_PATH
value: beyla-$(KUBE_NAMESPACE)
{{- end }}
containers:
- name: beyla
image: {{ .Values.global.image.registry | default .Values.image.registry }}/{{ .Values.image.repository }}{{ include "beyla.imageId" . }}
Expand Down Expand Up @@ -114,16 +86,6 @@ spec:
env:
- name: BEYLA_CONFIG_PATH
value: "/etc/beyla/config/beyla-config.yml"
{{- if not (.Values.privileged) }}
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: BEYLA_BPF_FS_PATH
value: beyla-$(KUBE_NAMESPACE)
- name: BEYLA_BPF_FS_BASE_DIR
value: /sys/fs/bpf
{{- end }}
{{- range $key, $value := .Values.env }}
- name: {{ $key }}
value: "{{ $value }}"
Expand All @@ -136,11 +98,6 @@ spec:
volumeMounts:
- mountPath: /etc/beyla/config
name: beyla-config
{{- if not (.Values.privileged) }}
- name: bpffs
mountPath: /sys/fs/bpf
mountPropagation: HostToContainer
{{- end }}
{{- if or .Values.global.image.pullSecrets .Values.image.pullSecrets }}
imagePullSecrets:
{{- if .Values.global.image.pullSecrets }}
Expand All @@ -165,8 +122,3 @@ spec:
- name: beyla-config
configMap:
name: {{ default (include "beyla.fullname" .) .Values.config.name }}
{{- if not (.Values.privileged) }}
- name: bpffs
hostPath:
path: /sys/fs/bpf
{{- end }}
51 changes: 0 additions & 51 deletions docs/sources/setup/kubernetes.md
Expand Up @@ -259,15 +259,6 @@ To run Beyla unprivileged, you need to run a `privileged` init container which p
- `CAP_PERFMON` is required to load BPF programs, i.e. be able to perform `perf_event_open()`.
- `CAP_SYS_RESOURCE` is required only on kernels **< 5.11** so that Beyla can increase the amount of locked memory available.

In addition to these Linux capabilities, many Kubernetes versions include [AppArmour](https://kubernetes.io/docs/tutorials/security/apparmor/), which tough policies adds additional restrictions to unprivileged containers. By [default](https://github.com/moby/moby/blob/master/profiles/apparmor/template.go), the AppArmour policy restricts the use of `mount` and the access to `/sys/fs/` directories. Beyla uses the BPF Linux file system to store pinned BPF maps, for communication among the different BPF programs. For this reason, Beyla either needs to `mount` a BPF file system, or write to `/sys/fs/bpf`, which are both restricted.

Because of the AppArmour restriction, to run Beyla as unprivileged container, you need to either:

- Set `container.apparmor.security.beta.kubernetes.io/beyla: "unconfined"` in your Kubernetes deployment files.
- Set a modified AppArmour policy which allows Beyla to perform `mount`.

**Note** Since the `beyla` container does not have the privileges required to mount or un-mount the BPF filesystem, this sample leaves the BPF filesystem mounted on the host, even after the sample is deleted. This samples uses a unique path for each namespace to ensure re-use the same mount if Beyla is re-deployed, but to avoid collisions if multiple instances of Beyla is run in different namespaces.

**Note** Loading BPF programs requires that Beyla is able to read the Linux performance events, or at least be able to execute the Linux Kernel API `perf_event_open()`.
This permission is granted by `CAP_PERFMON` or more liberally through `CAP_SYS_ADMIN`. Since both `CAP_PERFMON` and `CAP_SYS_ADMIN` grant Beyla the permission to read performance
events, you should use `CAP_PERFMON` because it grants lesser permissions. However, at system level, the access to the performance
Expand Down Expand Up @@ -297,40 +288,9 @@ spec:
metadata:
labels:
k8s-app: beyla
annotations:
# We need to set beyla container as unconfined so it is able to write
# the BPF file system.
# Instead of 'unconfined', you can define a more refined policy which allows Beyla to use 'mount'
container.apparmor.security.beta.kubernetes.io/beyla: "unconfined" # <-- Important
spec:
serviceAccount: beyla
hostPID: true # <-- Important. Required in Daemonset mode so Beyla can discover all monitored processes
initContainers:
- name: mount-bpf-fs
image: grafana/beyla:latest
args:
# Create the directory and mount the BPF filesystem.
- 'mkdir -p /sys/fs/bpf/$BEYLA_BPF_FS_PATH && mount -t bpf bpf /sys/fs/bpf/$BEYLA_BPF_FS_PATH'
command:
- /bin/bash
- -c
- --
securityContext:
# The init container is privileged so that it can use bidirectional mount propagation
privileged: true
volumeMounts:
- name: bpffs
mountPath: /sys/fs/bpf
# Make sure the mount is propagated back to the host so it can be used by the Beyla container
mountPropagation: Bidirectional
env:
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# Use a unique path for each namespace to prevent collisions with other namespaces.
- name: BEYLA_BPF_FS_PATH
value: beyla-$(KUBE_NAMESPACE)
containers:
- name: beyla
terminationMessagePolicy: FallbackToLogsOnError
Expand All @@ -344,11 +304,6 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# Use a unique path for each namespace to prevent collisions with other namespaces.
- name: BEYLA_BPF_FS_PATH
value: beyla-$(KUBE_NAMESPACE)
- name: BEYLA_BPF_FS_BASE_DIR
value: /sys/fs/bpf
...
securityContext:
runAsUser: 0
Expand All @@ -370,9 +325,6 @@ spec:
mountPath: /var/run/beyla
- name: cgroup
mountPath: /sys/fs/cgroup
- name: bpffs
mountPath: /sys/fs/bpf
mountPropagation: HostToContainer # <-- Important. Allows Beyla to see the BPF mount from the init container
tolerations:
- effect: NoSchedule
operator: Exists
Expand All @@ -384,9 +336,6 @@ spec:
- name: cgroup
hostPath:
path: /sys/fs/cgroup
- name: bpffs
hostPath:
path: /sys/fs/bpf
---
apiVersion: apps/v1
kind: Deployment
48 changes: 0 additions & 48 deletions examples/k8s/unprivileged.yaml
Expand Up @@ -82,46 +82,9 @@ spec:
metadata:
labels:
k8s-app: beyla
annotations:
# We need to set beyla container as unconfined so it is able to write
# the BPF file system.
# Otherwise, we can have error like:
# "failed to create server failed to create or mount folder for pinning bpf maps: can't mount BPF filesystem: permission denied""
#
# Default rules can be found here: https://github.com/moby/moby/blob/master/profiles/apparmor/template.go
# Both 'mount' and access to /sys/fs/bpf are denied by default.
#
# Instead of 'unconfined', you can define a more refined policy which allows Beyla to use 'mount'
container.apparmor.security.beta.kubernetes.io/beyla: "unconfined" # <-- Important
spec:
serviceAccount: beyla
hostPID: true # <-- Important. Required in Daemonset mode so Beyla can discover all monitored processes
initContainers:
- name: mount-bpf-fs
image: grafana/beyla:latest
args:
# Create the directory and mount the BPF filesystem.
- 'mkdir -p /sys/fs/bpf/$BEYLA_BPF_FS_PATH && mount -t bpf bpf /sys/fs/bpf/$BEYLA_BPF_FS_PATH'
command:
- /bin/bash
- -c
- --
securityContext:
# The init container is privileged so that it can use bidirectional mount propagation
privileged: true
volumeMounts:
- name: bpffs
mountPath: /sys/fs/bpf
# Make sure the mount is propagated back to the host so it can be used by the Beyla container
mountPropagation: Bidirectional
env:
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# Use a unique path for each namespace to prevent collisions with other namespaces.
- name: BEYLA_BPF_FS_PATH
value: beyla-$(KUBE_NAMESPACE)
containers:
- name: beyla
terminationMessagePolicy: FallbackToLogsOnError
Expand All @@ -143,11 +106,6 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# Use a unique path for each namespace to prevent collisions with other namespaces.
- name: BEYLA_BPF_FS_PATH
value: beyla-$(KUBE_NAMESPACE)
- name: BEYLA_BPF_FS_BASE_DIR
value: /sys/fs/bpf
securityContext:
runAsUser: 0
readOnlyRootFilesystem: true
Expand All @@ -168,9 +126,6 @@ spec:
mountPath: /var/run/beyla
- name: cgroup
mountPath: /sys/fs/cgroup
- name: bpffs
mountPath: /sys/fs/bpf
mountPropagation: HostToContainer # <-- Important. Allows Beyla to see the BPF mount from the init container
tolerations:
- effect: NoSchedule
operator: Exists
Expand All @@ -182,9 +137,6 @@ spec:
- name: cgroup
hostPath:
path: /sys/fs/cgroup
- name: bpffs
hostPath:
path: /sys/fs/bpf
---
apiVersion: apps/v1
kind: Deployment
