-
Notifications
You must be signed in to change notification settings - Fork 349
Capabilities required by KubeArmor
Aryan Sharma edited this page Aug 8, 2024
·
1 revision
KubeArmor enhances security by monitoring and enforcing security policies at the kernel level. This involves managing various Linux capabilities to control system operations securely. This document details the capabilities used by KubeArmor.
-
SETUID
- Name: SETUID
-
Details:
- Usage in KubeArmor: SETUID is mainly required by apparmor parser in KubeArmor.
-
SETGID
- Name: SETGID
-
Details:
- Usage in KubeArmor: SETGID is mainly required by apparmor parser in KubeArmor.
-
SETPCAP
- Name: SETPCAP
-
Details:
- Usage in KubeArmor: KubeArmor uses SETPCAP to adjust process capabilities dynamically, ensuring that processes only have the privileges they need at any given time.
-
SYS_ADMIN
- Name: SYS_ADMIN
-
Details:
- Usage in KubeArmor: KubeArmor uses SYS_ADMIN to mount BPFs and work on BPF-related syscalls, which are essential for enforcing security policies and monitoring system activities.
-
SYS_PTRACE
- Name: SYS_PTRACE
-
Details:
- Usage in KubeArmor: KubeArmor uses SYS_PTRACE to monitor and trace process execution from procfs
-
MAC_ADMIN
- Name: MAC_ADMIN
-
Details:
- Usage in KubeArmor: KubeArmor uses MAC_ADMIN for managing LSM rules and for the loading of BPF programs.
-
SYS_RESOURCE
- Name: SYS_RESOURCE
-
Details:
- Usage in KubeArmor: SYS_RESOURCE is mainly needed by cilium/ebpf on kernel < 5.11 .
-
IPC_LOCK
- Name: IPC_LOCK
-
Details:
- Usage in KubeArmor: KubeArmor uses IPC_LOCK for locking memory using mmap and other related syscalls
-
CAP_DAC_OVERRIDE
- Name: CAP_DAC_OVERRIDE
-
Details:
- Usage in KubeArmor: CAP_DAC_OVERRIDE is mainly needed by cilium/ebpf.
-
CAP_DAC_READ_SEARCH
- Name: CAP_DAC_READ_SEARCH
-
Details:
- Usage in KubeArmor: CAP_DAC_READ_SEARCH is mainly needed by cilium/ebpf