diff --git a/charts/beyla/templates/daemon-set.yaml b/charts/beyla/templates/daemon-set.yaml
index e05eb85fd..50879bb5a 100644
--- a/charts/beyla/templates/daemon-set.yaml
+++ b/charts/beyla/templates/daemon-set.yaml
@@ -25,9 +25,6 @@ spec: {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if not (.Values.privileged) }} - container.apparmor.security.beta.kubernetes.io/beyla: "unconfined" - {{- end }} labels: {{- include "beyla.labels" . | nindent 8 }} app.kubernetes.io/component: workload
@@ -45,31 +42,6 @@ spec: {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} - {{- if not (.Values.privileged) }} - initContainers: - - name: mount-bpf-fs - image: {{ .Values.global.image.registry | default .Values.image.registry }}/{{ .Values.image.repository }}{{ include "beyla.imageId" . }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - - 'mkdir -p /sys/fs/bpf/$BEYLA_BPF_FS_PATH && mount -t bpf bpf /sys/fs/bpf/$BEYLA_BPF_FS_PATH' - command: - - /bin/bash - - -c - - -- - securityContext: - privileged: true - volumeMounts: - - name: bpffs - mountPath: /sys/fs/bpf - mountPropagation: Bidirectional - env: - - name: KUBE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: BEYLA_BPF_FS_PATH - value: beyla-$(KUBE_NAMESPACE) - {{- end }} containers: - name: beyla image: {{ .Values.global.image.registry | default .Values.image.registry }}/{{ .Values.image.repository }}{{ include "beyla.imageId" . }}
@@ -114,16 +86,6 @@ spec: env: - name: BEYLA_CONFIG_PATH value: "/etc/beyla/config/beyla-config.yml" - {{- if not (.Values.privileged) }} - - name: KUBE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: BEYLA_BPF_FS_PATH - value: beyla-$(KUBE_NAMESPACE) - - name: BEYLA_BPF_FS_BASE_DIR - value: /sys/fs/bpf - {{- end }} {{- range $key, $value := .Values.env }} - name: {{ $key }} value: "{{ $value }}" 
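Review bot: Clusters that ran the unprivileged mode of this chart keep the `bpf` filesystem the removed `mount-bpf-fs` init container created at `/sys/fs/bpf/beyla-<namespace>` on every node (the docs text removed in this same commit states that mount outlives the pod), and neither the chart nor the commit says how to clean it up after an upgrade. A short upgrade note in the chart README or the values comments would close that gap, e.g. `# Upgrading from a release that used the mount-bpf-fs init container leaves /sys/fs/bpf/beyla-<namespace> mounted on each node; unmount it manually if it is no longer wanted.` It is also not visible here whether `.Values.privileged` still has a consumer once this hunk and the ones at -25, -114, -136 and -165 drop their `if not (.Values.privileged)` guards; if it does not, the value should be removed or re-documented in values.yaml.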
@@ -136,11 +98,6 @@ spec: volumeMounts: - mountPath: /etc/beyla/config name: beyla-config - {{- if not (.Values.privileged) }} - - name: bpffs - mountPath: /sys/fs/bpf - mountPropagation: HostToContainer - {{- end }} {{- if or .Values.global.image.pullSecrets .Values.image.pullSecrets }} imagePullSecrets: {{- if .Values.global.image.pullSecrets }}
@@ -165,8 +122,3 @@ spec: - name: beyla-config configMap: name: {{ default (include "beyla.fullname" .) .Values.config.name }} - {{- if not (.Values.privileged) }} - - name: bpffs - hostPath: - path: /sys/fs/bpf - {{- end }}
diff --git a/docs/sources/setup/kubernetes.md b/docs/sources/setup/kubernetes.md
index f7fcc7f10..5474d2a1c 100644
--- a/docs/sources/setup/kubernetes.md
+++ b/docs/sources/setup/kubernetes.md 
@@ -259,15 +259,6 @@ To run Beyla unprivileged, you need to run a `privileged` init container which p - `CAP_PERFMON` is required to load BPF programs, i.e. be able to perform `perf_event_open()`. - `CAP_SYS_RESOURCE` is required only on kernels **< 5.11** so that Beyla can increase the amount of locked memory available. -In addition to these Linux capabilities, many Kubernetes versions include [AppArmour](https://kubernetes.io/docs/tutorials/security/apparmor/), which tough policies adds additional restrictions to unprivileged containers. By [default](https://github.com/moby/moby/blob/master/profiles/apparmor/template.go), the AppArmour policy restricts the use of `mount` and the access to `/sys/fs/` directories. Beyla uses the BPF Linux file system to store pinned BPF maps, for communication among the different BPF programs. For this reason, Beyla either needs to `mount` a BPF file system, or write to `/sys/fs/bpf`, which are both restricted. - -Because of the AppArmour restriction, to run Beyla as unprivileged container, you need to either: - -- Set `container.apparmor.security.beta.kubernetes.io/beyla: "unconfined"` in your Kubernetes deployment files. -- Set a modified AppArmour policy which allows Beyla to perform `mount`. - -**Note** Since the `beyla` container does not have the privileges required to mount or un-mount the BPF filesystem, this sample leaves the BPF filesystem mounted on the host, even after the sample is deleted. This samples uses a unique path for each namespace to ensure re-use the same mount if Beyla is re-deployed, but to avoid collisions if multiple instances of Beyla is run in different namespaces. - **Note** Loading BPF programs requires that Beyla is able to read the Linux performance events, or at least be able to execute the Linux Kernel API `perf_event_open()`. This permission is granted by `CAP_PERFMON` or more liberally through `CAP_SYS_ADMIN`. 
Since both `CAP_PERFMON` and `CAP_SYS_ADMIN` grant Beyla the permission to read performance events, you should use `CAP_PERFMON` because it grants lesser permissions. However, at system level, the access to the performance
@@ -297,40 +288,9 @@ spec: metadata: labels: k8s-app: beyla - annotations: - # We need to set beyla container as unconfined so it is able to write - # the BPF file system. - # Instead of 'unconfined', you can define a more refined policy which allows Beyla to use 'mount' - container.apparmor.security.beta.kubernetes.io/beyla: "unconfined" # <-- Important spec: serviceAccount: beyla hostPID: true # <-- Important. Required in Daemonset mode so Beyla can discover all monitored processes - initContainers: - - name: mount-bpf-fs - image: grafana/beyla:latest - args: - # Create the directory and mount the BPF filesystem. - - 'mkdir -p /sys/fs/bpf/$BEYLA_BPF_FS_PATH && mount -t bpf bpf /sys/fs/bpf/$BEYLA_BPF_FS_PATH' - command: - - /bin/bash - - -c - - -- - securityContext: - # The init container is privileged so that it can use bidirectional mount propagation - privileged: true - volumeMounts: - - name: bpffs - mountPath: /sys/fs/bpf - # Make sure the mount is propagated back to the host so it can be used by the Beyla container - mountPropagation: Bidirectional - env: - - name: KUBE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - # Use a unique path for each namespace to prevent collisions with other namespaces. - - name: BEYLA_BPF_FS_PATH - value: beyla-$(KUBE_NAMESPACE) containers: - name: beyla terminationMessagePolicy: FallbackToLogsOnError
@@ -344,11 +304,6 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - # Use a unique path for each namespace to prevent collisions with other namespaces. - - name: BEYLA_BPF_FS_PATH - value: beyla-$(KUBE_NAMESPACE) - - name: BEYLA_BPF_FS_BASE_DIR - value: /sys/fs/bpf ... securityContext: runAsUser: 0 
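Review bot: The hunk header's context line shows that the paragraph just above the -259 hunk still opens with `To run Beyla unprivileged, you need to run a privileged init container which p…`, while the paragraphs removed here and the manifest hunks at -297, -370 and -384 delete that init container, so the page now instructs readers to add a component the rest of the page no longer shows. That sentence sits outside the hunk and should be rewritten together with it, for example to state only the capabilities the unprivileged container needs. The removed note about the per-namespace BPF mount outliving the pod also carried migration value; keeping one sentence such as `Earlier releases mounted a BPF filesystem at /sys/fs/bpf/beyla-<namespace> on each node; if nothing else uses it, that mount can be removed.` would help readers who followed the old instructions.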
@@ -370,9 +325,6 @@ spec: mountPath: /var/run/beyla - name: cgroup mountPath: /sys/fs/cgroup - - name: bpffs - mountPath: /sys/fs/bpf - mountPropagation: HostToContainer # <-- Important. Allows Beyla to see the BPF mount from the init container tolerations: - effect: NoSchedule operator: Exists
@@ -384,9 +336,6 @@ spec: - name: cgroup hostPath: path: /sys/fs/cgroup - - name: bpffs - hostPath: - path: /sys/fs/bpf --- apiVersion: apps/v1 kind: Deployment
diff --git a/examples/k8s/unprivileged.yaml b/examples/k8s/unprivileged.yaml
index 90d263f48..d1b39c0c7 100644
--- a/examples/k8s/unprivileged.yaml
+++ b/examples/k8s/unprivileged.yaml 
@@ -82,46 +82,9 @@ spec: metadata: labels: k8s-app: beyla - annotations: - # We need to set beyla container as unconfined so it is able to write - # the BPF file system. - # Otherwise, we can have error like: - # "failed to create server failed to create or mount folder for pinning bpf maps: can't mount BPF filesystem: permission denied"" - # - # Default rules can be found here: https://github.com/moby/moby/blob/master/profiles/apparmor/template.go - # Both 'mount' and access to /sys/fs/bpf are denied by default. - # - # Instead of 'unconfined', you can define a more refined policy which allows Beyla to use 'mount' - container.apparmor.security.beta.kubernetes.io/beyla: "unconfined" # <-- Important spec: serviceAccount: beyla hostPID: true # <-- Important. Required in Daemonset mode so Beyla can discover all monitored processes - initContainers: - - name: mount-bpf-fs - image: grafana/beyla:latest - args: - # Create the directory and mount the BPF filesystem. - - 'mkdir -p /sys/fs/bpf/$BEYLA_BPF_FS_PATH && mount -t bpf bpf /sys/fs/bpf/$BEYLA_BPF_FS_PATH' - command: - - /bin/bash - - -c - - -- - securityContext: - # The init container is privileged so that it can use bidirectional mount propagation - privileged: true - volumeMounts: - - name: bpffs - mountPath: /sys/fs/bpf - # Make sure the mount is propagated back to the host so it can be used by the Beyla container - mountPropagation: Bidirectional - env: - - name: KUBE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - # Use a unique path for each namespace to prevent collisions with other namespaces. - - name: BEYLA_BPF_FS_PATH - value: beyla-$(KUBE_NAMESPACE) containers: - name: beyla terminationMessagePolicy: FallbackToLogsOnError 
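Review bot: The removed comment block was the only place this example explained why AppArmor had to be relaxed (the quoted `can't mount BPF filesystem: permission denied` error), and nothing on the new side says why that is no longer required, so a reader comparing against an older release cannot tell whether dropping the annotation is safe. Presumably Beyla no longer needs to create or write a bpffs mount in this mode, but that is not visible in the hunk; if that is the reason, a one-line comment above `spec:` such as `# No AppArmor override or bpffs mount is needed: the pod runs under the runtime's default profile.` would record it. Running under the default profile rather than `unconfined` is the tighter setting, so the change itself is the right direction.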
@@ -143,11 +106,6 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - # Use a unique path for each namespace to prevent collisions with other namespaces. - - name: BEYLA_BPF_FS_PATH - value: beyla-$(KUBE_NAMESPACE) - - name: BEYLA_BPF_FS_BASE_DIR - value: /sys/fs/bpf securityContext: runAsUser: 0 readOnlyRootFilesystem: true
@@ -168,9 +126,6 @@ spec: mountPath: /var/run/beyla - name: cgroup mountPath: /sys/fs/cgroup - - name: bpffs - mountPath: /sys/fs/bpf - mountPropagation: HostToContainer # <-- Important. Allows Beyla to see the BPF mount from the init container tolerations: - effect: NoSchedule operator: Exists
@@ -182,9 +137,6 @@ spec: - name: cgroup hostPath: path: /sys/fs/cgroup - - name: bpffs - hostPath: - path: /sys/fs/bpf --- apiVersion: apps/v1 kind: Deployment
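Review bot: The env entry that survives just above the removed lines (only its `valueFrom.fieldRef.fieldPath: metadata.namespace` is in the context; its name is outside the hunk) looks like the namespace variable that existed to build `BEYLA_BPF_FS_PATH`, which this hunk deletes. The chart hunk at -114 removed `KUBE_NAMESPACE` together with the two BPF path variables, so if this entry is that same variable and nothing else reads it, the example and the docs hunk at -344 should drop it too to stay consistent with the chart. If Beyla itself consumes it, a one-line comment above the entry naming that consumer would keep the next cleanup from removing it.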