Worker component security context refactoring (#1707)

* Add new security context config * Fine-grained template for securityContext --------- Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
2026-02-14 10:00:08 +00:00 · 2025-02-03 23:38:41 +02:00
parent 46ca7e3ad7
commit 3d4606d439
4 changed files with 138 additions and 45 deletions
--- a/config/configStruct.go
+++ b/config/configStruct.go
@@ -51,31 +51,35 @@ func CreateDefaultConfig() ConfigStruct {
 					},
 				},
 			},
-			Capabilities: configStructs.CapabilitiesConfig{
-				NetworkCapture: []string{
-					// NET_RAW is required to listen the network traffic
-					"NET_RAW",
-					// NET_ADMIN is required to listen the network traffic
-					"NET_ADMIN",
-				},
-				ServiceMeshCapture: []string{
-					// SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
-					"SYS_ADMIN",
-					// SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
-					"SYS_PTRACE",
-					// DAC_OVERRIDE is required to read /proc/PID/environ
-					"DAC_OVERRIDE",
-				},
-				EBPFCapture: []string{
-					// SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
-					"SYS_ADMIN",
-					// SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
-					"SYS_PTRACE",
-					// SYS_RESOURCE is required to change rlimits for eBPF
-					"SYS_RESOURCE",
-					// IPC_LOCK is required for ebpf perf buffers allocations after some amount of size buffer size:
-					// https://github.com/kubeshark/tracer/blob/13e24725ba8b98216dd0e553262e6d9c56dce5fa/main.go#L82)
-					"IPC_LOCK",
+			SecurityContext: configStructs.SecurityContextConfig{
+				Privileged: true,
+				// Capabilities used only when running in unprivileged mode
+				Capabilities: configStructs.CapabilitiesConfig{
+					NetworkCapture: []string{
+						// NET_RAW is required to listen the network traffic
+						"NET_RAW",
+						// NET_ADMIN is required to listen the network traffic
+						"NET_ADMIN",
+					},
+					ServiceMeshCapture: []string{
+						// SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
+						"SYS_ADMIN",
+						// SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
+						"SYS_PTRACE",
+						// DAC_OVERRIDE is required to read /proc/PID/environ
+						"DAC_OVERRIDE",
+					},
+					EBPFCapture: []string{
+						// SYS_ADMIN is required to read /proc/PID/net/ns + to install eBPF programs (kernel < 5.8)
+						"SYS_ADMIN",
+						// SYS_PTRACE is required to set netns to other process + to open libssl.so of other process
+						"SYS_PTRACE",
+						// SYS_RESOURCE is required to change rlimits for eBPF
+						"SYS_RESOURCE",
+						// IPC_LOCK is required for ebpf perf buffers allocations after some amount of size buffer size:
+						// https://github.com/kubeshark/tracer/blob/13e24725ba8b98216dd0e553262e6d9c56dce5fa/main.go#L82)
+						"IPC_LOCK",
+					},
 				},
 			},
 			Auth: configStructs.AuthConfig{
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@@ -251,6 +251,25 @@ type PortMapping struct {
 	DIAMETER []uint16 `yaml:"diameter" json:"diameter"`
 }

+type SecurityContextConfig struct {
+	Privileged      bool                  `yaml:"privileged" json:"privileged" default:"true"`
+	AppArmorProfile AppArmorProfileConfig `yaml:"appArmorProfile" json:"appArmorProfile"`
+	SeLinuxOptions  SeLinuxOptionsConfig  `yaml:"seLinuxOptions" json:"seLinuxOptions"`
+	Capabilities    CapabilitiesConfig    `yaml:"capabilities" json:"capabilities"`
+}
+
+type AppArmorProfileConfig struct {
+	Type             string `yaml:"type" json:"type"`
+	LocalhostProfile string `yaml:"localhostProfile" json:"localhostProfile"`
+}
+
+type SeLinuxOptionsConfig struct {
+	Level string `yaml:"level" json:"level"`
+	Role  string `yaml:"role" json:"role"`
+	Type  string `yaml:"type" json:"type"`
+	User  string `yaml:"user" json:"user"`
+}
+
 type TapConfig struct {
 	Docker                       DockerConfig            `yaml:"docker" json:"docker"`
 	Proxy                        ProxyConfig             `yaml:"proxy" json:"proxy"`
@@ -286,7 +305,6 @@ type TapConfig struct {
 	Sentry                       SentryConfig            `yaml:"sentry" json:"sentry"`
 	DefaultFilter                string                  `yaml:"defaultFilter" json:"defaultFilter" default:"!dns and !error"`
 	LiveConfigMapChangesDisabled bool                    `yaml:"liveConfigMapChangesDisabled" json:"liveConfigMapChangesDisabled" default:"false"`
-	Capabilities                 CapabilitiesConfig      `yaml:"capabilities" json:"capabilities"`
 	GlobalFilter                 string                  `yaml:"globalFilter" json:"globalFilter" default:""`
 	EnabledDissectors            []string                `yaml:"enabledDissectors" json:"enabledDissectors"`
 	PortMapping                  PortMapping             `yaml:"portMapping" json:"portMapping"`
@@ -294,6 +312,7 @@ type TapConfig struct {
 	Metrics                      MetricsConfig           `yaml:"metrics" json:"metrics"`
 	Pprof                        PprofConfig             `yaml:"pprof" json:"pprof"`
 	Misc                         MiscConfig              `yaml:"misc" json:"misc"`
+	SecurityContext              SecurityContextConfig   `yaml:"securityContext" json:"securityContext"`
 }

 func (config *TapConfig) PodRegex() *regexp.Regexp {