What linux capabilities needed to run as non-root?

[winston0410]

I am trying to harden vector, and I have the following securityContext. This is a kustomize patch:

spec:
  template:
    spec:
      automountServiceAccountToken: false
      securityContext:
        fsGroup: 65534
        seccompProfile:
          type: RuntimeDefault
      containers:
        - imagePullPolicy: IfNotPresent
          name: vector
          image: timberio/vector:0.38.X-debian
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL

After setting that, I have the following error:

2024-07-04T22:33:56.683347Z ERROR source{component_kind="source" component_id=kubernetes_logs component_type=kubernetes_logs}:file_server: vector::internal_events::file::source: Failed reading file for fingerprinting. file=/var/log/pods/knative-eventing_eventing-controller-7d97757877-j66wl_5967ff0d-41b1-4c55-9a91-93c5db5d73a9/eventing-controller/0.log error=Permission denied (os error 13) error_code="reading_fingerprint" error_type="reader_failed" stage="receiving" internal_log_rate_limit=true

I have tried to add CAP_DAC_OVERRIDE and CHOWN to the capabilities, but still I have the same error. What capabilities I need to add to the container, to make the above error disappear?

[jszwedko]

I think the issue here is that the user you are running vector as in the container doesn't have permissions to read the k8s log files from disk. I think best-practice would be to give the user permissions, but otherwise I think CAP_FOWNER might do it 🤔

[winston0410]

Thank you for your reply. I have tested with CAP_FOWNER, and vector is now running perfectly with nobody. Just in case anyone needs it:

      containers:
        - imagePullPolicy: IfNotPresent
          name: vector
          image: timberio/vector:0.38.X-debian
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
              add:
                - CAP_FOWNER

[mjnagel]

@winston0410 is this setup still working for you? I've been unable to run as a nonroot/nobody user. I see issues trying to write to the persistence dir (/var/lib/vector) as well as failures to read files for fingerprinting. While Vector does "start" if I disable persistence, it doesn't seem to have access to most log files. The only exception is a log file on my host that has read permissions for other, which would work regardless.