Note that kernel module cannot be loaded when unprivileged

falcosecurity · Jan 13, 2022 · 5b289ad · 5b289ad
1 parent 784704b
commit 5b289ad
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/falco/README.md b/falco/README.md
@@ -90,7 +90,7 @@ The following table lists the configurable parameters of the Falco chart and the
 | `ebpf.enabled`                             | Enable eBPF support for Falco instead of `falco-probe` kernel module                                                                                                                                       | `false`                                                                                                                 |
 | `ebpf.path`                                | Path of the eBPF probe                                                                                                                                                                                     | ` `                                                                                                                     |
 | `ebpf.settings.hostNetwork`                | Needed to enable eBPF JIT at runtime for performance reasons                                                                                                                                               | `true`                                                                                                                  |
-| `leastPrivileged.enabled`                  | Use capabilities instead of running a privileged container                                                                                                                                                 | `false`                                                                                                                  |
+| `leastPrivileged.enabled`                  | Use capabilities instead of running a privileged container. The kernel module driver can not be loaded if enabled.                                                                                         | `false`                                                                                                                 |
 | `auditLog.enabled`                         | Enable K8s audit log support for Falco                                                                                                                                                                     | `false`                                                                                                                 |
 | `auditLog.dynamicBackend.enabled`          | Deploy the Audit Sink where Falco listens for K8s audit log events                                                                                                                                         | `false`                                                                                                                 |
 | `auditLog.dynamicBackend.url`              | Define if Audit Sink client config should point to a fixed [url](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#url) (useful for development) instead of the default webserver service. | ``                                                                                                                      |

diff --git a/falco/values.yaml b/falco/values.yaml
@@ -118,6 +118,8 @@ ebpf:
 leastPrivileged:
   # Constrain Falco with capabilities instead of running a privileged container.
   # When used in conjunction with the eBPF driver, a kernel >= 5.8 is required.
+  # Loading the kernel module driver does NOT work with leastPrivileged.enabled.
+  # Ensure the module is already loaded, or the eBPF driver is enabled.
   enabled: false
 
 auditLog: