Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add configuration value to run unprivileged with capabilities #305

Merged
merged 4 commits into from
Feb 22, 2022
Merged

Add configuration value to run unprivileged with capabilities #305

merged 4 commits into from
Feb 22, 2022

Conversation

bauerd
Copy link

@bauerd bauerd commented Jan 12, 2022

Signed-off-by: Dominic Bauer dbauer@gitlab.com

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area falco-chart

What this PR does / why we need it:

This PR introduces a leastPrivilege.enabled value that enables running Falco least privileged.

If enabled, the CAP_{BPF,SYS_RESOURCE,PERFMON} capabilities are assigned, and the containers run unprivileged.

Which issue(s) this PR fixes:

https://gitlab.com/gitlab-org/cluster-integration/cluster-applications/-/issues/51

Special notes for your reviewer:

The changelog does not have an entry for 1.16.3, yet Chart.yaml is at 1.16.3 currently. I bumped to 1.16.4 and added a changelog entry.

Checklist

  • Chart Version bumped
  • Variables are documented in the README.md
  • CHANGELOG.md updated

@poiana
Copy link
Contributor

poiana commented Jan 12, 2022

Welcome @bauerd! It looks like this is your first PR to falcosecurity/charts 🎉

@poiana poiana added the size/L label Jan 12, 2022
leogr
leogr reviewed Jan 13, 2022
View reviewed changes
Copy link
Member

@leogr leogr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @bauerd

Thank you so much for this PR. We missed this feature for a long time 🙏

I haven't tried it yet, but after a quick look at your implementation, it SGTM. I just have a couple of questions.

Is the leastPrivileged option intended to be used in conjunction with the init container approach?
Or do we assume the user installed the driver by other means?
Basically, how can the driver be installed without privileged: true?
(it would be great to document that in the README)

I see you did not include SYS_PTRACE. It is included in our documentation, but I can't recall why it is needed. Could you explain why it's not needed in this case?

Same question for hostPid. I guess it is not needed since Falco can still access the host /proc?

@bauerd
Copy link
Author

bauerd commented Jan 13, 2022
edited
Loading

Hey @leogr, thanks for having a look, great questions.

Is the leastPrivileged option intended to be used in conjunction with the init container approach?

It depends on the driver. It won't work to load the kernel module unprivileged. But attaching the eBPF probe works with CAP_BPF and CAP_PERFMON.

So yes, good point, I should definitely note that leastPrivilege.enabled conflicts with loading the kernel module driver.

For the record, installting the chart from the master branch, the falco-driver-loader init script which should load the kernel module fails me on GKE on both COS 93 (5.10.68+) and COS 89 (5.4.144+). It attempts to wget a prebuilt kernel module that 404s (see logs). Unrelated to this PR though.

I see you did not include SYS_PTRACE. It is included in our documentation, but I can't recall why it is needed. Could you explain why it's not needed in this case?

My understanding is that only the pdig userspace driver uses ptrace(2). However pdig does not appear to be supported by this chart. Hence no need for CAP_SYS_PTRACE I think?

@leogr
Copy link
Member

leogr commented Jan 18, 2022

My understanding is that only the pdig userspace driver uses ptrace(2). However pdig does not appear to be supported by this chart. Hence no need for CAP_SYS_PTRACE I think?

Hey @bauerd

You're probably right. We have to find the time to confirm that before merging this PR.

PS
These days we are a bit busy because of the upcoming release. Sorry for the wait in advance.

@bauerd
Copy link
Author

bauerd commented Jan 18, 2022

Hi, don't worry and take your time 👍 For the record, I also tested this on GKE.

FedeDP
FedeDP reviewed Feb 1, 2022
View reviewed changes
falco/templates/daemonset.yaml
{{- if .Values.leastPrivileged.enabled }}
capabilities:
add:
- BPF
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that this requires runc 1.0.0-rc93 onwards: https://github.com/opencontainers/runc/pull/2553/files.
In older versions, this won't work.

leogr
leogr reviewed Feb 1, 2022
View reviewed changes
Copy link
Member

@leogr leogr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

quick update:

  • I believe this can work only with ebpf (see my suggestion below)
  • There's a conflict; the PR needs a rebase

cc @bauerd
I'm still testing this PR. Once done, I can fix the comment and do the rebase by myself (so no action is required by you). Then, I'll give my final approval :)

@FedeDP
Copy link
Contributor

FedeDP commented Feb 8, 2022
edited
Loading

Hi @bauerd !
I tried on GKE 1.21.6-gke.1500 with kernel 5.10.90+; your chart leads to

  • eBPF probe located in /root/.falco/falco_cos_5.4.144+_1.o
  • Success: eBPF probe symlinked to /root/.falco/falco-bpf.o
    Tue Feb 8 10:00:50 2022: Falco version 0.30.0 (driver version 3aa7a83bf7b9e6229a3824e3fd1f4452d1e95cb4)
    Tue Feb 8 10:00:50 2022: Falco initialized with configuration file /etc/falco/falco.yaml
    Tue Feb 8 10:00:50 2022: Loading rules from file /etc/falco/falco_rules.yaml:
    Tue Feb 8 10:00:51 2022: Loading rules from file /etc/falco/falco_rules.local.yaml:
    Tue Feb 8 10:00:51 2022: Loading rules from file /etc/falco/falco_rules.local.yaml:
    Tue Feb 8 10:00:51 2022: Unable to load the driver.
    Tue Feb 8 10:00:51 2022: Runtime error: can't create map: Errno 1. Exiting.
    Tue Feb 8 10:00:51 2022: Unable to load the driver.
    Tue Feb 8 10:00:51 2022: Runtime error: can't create map: Errno 1. Exiting.

I tried adding CAP_TRACING (as suggested here) and CAP_PTRACE. Still same error.

In the end, i tried with CAP_SYS_ADMIN too (just to check that everything was working fine), and obviously it worked.

Any hint?

EDIT: looking around, i found this issue: falcosecurity/falco#1299

EDIT2: it seems like i was using a 5.4 kernel after all (uname was run on the "master" machine instead of real nodes); these tests make no sense :)

EDIT3: tested on latest GKE version available (1.23.2) where nodes use kernel 5.10.68+.
Everything works fine, as expected!

@paulopontesm
Copy link

Can this be merged? Is there something missing?

@leogr
Copy link
Member

leogr commented Feb 22, 2022

Quick update:

We have done some investigation and testing. In the end, we discovered that:

  • this approach can currently work only with eBPF and kernel >= 5.8
  • it also requires runc >= 1.0.0-rc93 (otherwise some capabilities won't work)
  • CAP_PTRACE is required (even if Falco does not use ptrace) when using --pid=host (it allows to read from processes environ). That was needed only when HOST_ROOT=/, but it's not the case for the helm chart.

So, I will rebase this PR soon and likely give my approval.

I will keep you posted.

Dominic Bauer and others added 4 commits February 22, 2022 15:54
@leogr
Introduce leastPrivilege.enabled value to enable capabilities
46056b9 
Signed-off-by: Dominic Bauer <dbauer@gitlab.com>
@leogr
Bump to v1.16.4
4e2024f 
Signed-off-by: Dominic Bauer <dbauer@gitlab.com>
@leogr
Note that kernel module cannot be loaded when unprivileged
826f426 
Signed-off-by: Dominic Bauer <dbauer@gitlab.com>
@leogr
docs(falco): leastPrivileged works with eBPF only
6a9bf88 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
leogr
leogr approved these changes Feb 22, 2022
View reviewed changes
Copy link
Member

@leogr leogr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

Note:
I've rebased the PR and resolved some conflicts.
Also added a commit to clarify this option can only work with ebpf.

@poiana poiana added the lgtm label Feb 22, 2022
@poiana
Copy link
Contributor

poiana commented Feb 22, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bauerd, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana
Copy link
Contributor

poiana commented Feb 22, 2022

LGTM label has been added.

Git tree hash: 88d4b866611df5af9665c051f6629c96964611c4

@poiana poiana merged commit 11c83ac into falcosecurity:master Feb 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@FedeDP FedeDP FedeDP left review comments

@leogr leogr leogr approved these changes

@bencer bencer Awaiting requested review from bencer

@nestorsalceda nestorsalceda Awaiting requested review from nestorsalceda

Assignees

@leogr leogr

Labels
approved area/falco-chart dco-signoff: yes kind/feature New feature or request lgtm size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@bauerd @poiana @leogr @FedeDP @paulopontesm