
Deployment Falco Pods may not need to be run as root (e.g. in the K8s audit plugin usecase) #377

Open
PhilipSchmid opened this issue Jul 26, 2022 · 22 comments
Labels: help wanted (Extra attention is needed), kind/feature (New feature or request)

Comments

@PhilipSchmid
Contributor

Motivation

With the introduction of the new Falco plugin system and the new 2.X Helm charts, it's not always really required to run the Falco pod as root. Nevertheless, Falco still does this which could often violate security policies (PSP, OPA, etc.).

Feature

I think it would make sense to introduce a flag which allows one to configure (or simply override?) the used service user from root to something else.
I think we could even by default set the user to UID 1000 whenever the syscall event source is disabled. Of course, I would still add a values.yaml flag to override this default behavior in case some plugins still have the requirement to run as root.

Alternatives

At the moment this could already be done via the following Helm values but there's probably a nicer way to do that automatically (as mentioned above, e.g. whenever the syscall event source is disabled):

podSecurityContext:
  runAsUser: 1000

Additional context

Please let me know what you think about that. If you agree, I could create a PR in the near future.

Thanks & regards,
Philip

@PhilipSchmid PhilipSchmid added the kind/feature New feature or request label Jul 26, 2022
@leogr
Member

leogr commented Aug 23, 2022

It looks like a good idea, but it may have some side effects (which I don't recall by heart).

@falcosecurity/deploy-kubernetes-maintainers and @falcosecurity/charts-maintainers wdyt?
also cc @alacuku

@zuc
Member

zuc commented Aug 24, 2022

I like the idea, and I can't remember any other use case (apart from syscalls) where root is required, so +1 from me

@maxgio92
Member

Looks like a good idea to me too.
Moreover, what about also enabling the selection of specific capabilities, still avoiding uid 0?

@alacuku
Member

alacuku commented Aug 30, 2022

We can write a helper that is evaluated when the syscall event source is disabled. Users can still overwrite the default behavior by setting the podSecurityContext.

+1 from me!
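One way to implement the helper alacuku describes above, combined with the values-based override from the issue's Alternatives section. This is an added example and not code from the issue or from the Falco chart: `driver.enabled` is assumed to be the chart's switch for the syscall event source, and the helper name `falco.podSecurityContext` and the file layout are hypothetical. An explicit `podSecurityContext` always wins; the non-root default is applied only when the syscall source is off, so a deployment that still needs the kernel driver keeps root.

```yaml
# --- values.yaml (excerpt; hypothetical keys, not the chart's own file) ---
driver:
  enabled: false            # assumed switch for the syscall event source
podSecurityContext: {}      # empty: accept the computed default; set runAsUser etc. to override

# --- templates/_helpers.tpl (hypothetical helper) ---
{{/*
Pod security context. An explicit .Values.podSecurityContext always wins;
otherwise drop root only when the syscall source (driver) is disabled,
because a plugin-only deployment needs no kernel driver access.
An empty map {} is false in Go templates, so "{}" falls through to the default.
*/}}
{{- define "falco.podSecurityContext" -}}
{{- if .Values.podSecurityContext -}}
{{ toYaml .Values.podSecurityContext }}
{{- else if not .Values.driver.enabled -}}
runAsUser: 1000
runAsNonRoot: true
{{- end }}
{{- end }}

# --- templates/pod-template.yaml (excerpt of the pod spec) ---
spec:
  {{- with (include "falco.podSecurityContext" .) }}
  securityContext:
    {{- . | nindent 4 }}
  {{- end }}
```

Render the chart with `helm template` once with `driver.enabled=true` and once with `false` and compare the rendered `securityContext`: with the syscall source enabled the helper returns an empty string, so the `with` block is skipped and no security context is emitted; with it disabled the pod gets `runAsUser: 1000` plus `runAsNonRoot: true`, which makes the kubelet refuse to start the pod if an image ever tried to run as uid 0 anyway. Setting `podSecurityContext` in values bypasses the computed default entirely, which covers plugins that still require root.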

@poiana
Contributor

poiana commented Nov 28, 2022

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@PhilipSchmid
Contributor Author

/remove-lifecycle stale

Will implement this in the next days. Sorry for the delay.

@poiana
Contributor

poiana commented Mar 15, 2023

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@poiana
Contributor

poiana commented Apr 15, 2023

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

@leogr
Member

leogr commented Apr 27, 2023

/remove-lifecycle rotten

@leogr
Member

leogr commented Apr 27, 2023

/help

@poiana
Contributor

poiana commented Apr 27, 2023

@leogr:
This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@poiana poiana added the help wanted Extra attention is needed label Apr 27, 2023
@PhilipSchmid
Contributor Author

Sorry, I'm not using Falco anymore and therefore won't implement this any time soon. If anybody wants to implement it, please feel free to take it over 😉.

@poiana
Contributor

poiana commented Sep 19, 2023

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@leogr
Member

leogr commented Sep 21, 2023

/remove-lifecycle stale
/assign @alacuku

@poiana
Contributor

poiana commented Dec 20, 2023

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@leogr
Member

leogr commented Dec 20, 2023

/remove-lifecycle stale

@poiana
Contributor

poiana commented Mar 19, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Andreagit97
Member

/remove-lifecycle stale

@poiana
Contributor

poiana commented Jun 18, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@leogr
Member

leogr commented Jun 20, 2024

/remove-lifecycle stale

@poiana
Contributor

poiana commented Sep 18, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@leogr
Member

leogr commented Sep 18, 2024

/remove-lifecycle stale

7 participants