
How to run tetragon operator deployment as user, not as root #3385

Open
2 tasks done
chaithraPadmar opened this issue Feb 11, 2025 · 2 comments
Labels
kind/enhancement This improves or streamlines existing functionality

Comments

@chaithraPadmar

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem?

Hi,
We would like to know how to run the tetragon operator deployment as a user, not as root.

Describe the feature you would like

Want to know how to install tetragon as user not as root

Describe your proposed solution

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@chaithraPadmar chaithraPadmar added the kind/enhancement This improves or streamlines existing functionality label Feb 11, 2025
@kkourt
Contributor

kkourt commented Feb 11, 2025

I don't believe the tetragon operator runs as root:

```yaml
# -- securityContext for the Tetragon Operator Deployment Pods.
securityContext: {}
# -- securityContext for the Tetragon Operator Deployment Pod container.
podSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - "ALL"
```

@mtardy
Member

mtardy commented Feb 28, 2025

So even if we drop all capabilities it does technically run as root (because Kubernetes, and thus the container runtime, will start all processes as root by default). I think it would be wise to add runAsUser: <someID> to the security context if we can, so that we don't even run as root with no capabilities but as a user with no capabilities.

We could even in theory ship this directly in the Dockerfiles manifest so that the runtime starts this by default as non-root.

In the meantime @chaithraPadmar, you can use the securityContext in the helm chart for the tetragon operator deployment to add runAsUser. The name is misleading as the podSecurityContext is the containerSecurityContext and the securityContext is the podSecurityContext it seems from the template:

```yaml
        {{- with .Values.tetragonOperator.podSecurityContext }}
        securityContext:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        {{- if .Values.tetragonOperator.prometheus.enabled }}
        ports:
        - name: metrics
          containerPort: {{ .Values.tetragonOperator.prometheus.port }}
          protocol: TCP
        {{- end }}
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 15
          periodSeconds: 20
        readinessProbe:
          httpGet:
            path: /readyz
            port: 8081
          initialDelaySeconds: 5
          periodSeconds: 10
        {{- with .Values.tetragonOperator.resources }}
        resources:
          {{- toYaml . | trim | nindent 10 }}
        {{- end }}
      {{- with .Values.tetragonOperator.securityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
```

We should also maybe fix this naming mistake.
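Putting the workaround from the comment above into a concrete Helm values file. This is an added example, not a file from the Tetragon project or from either commenter; the key names follow the template quoted above, where `tetragonOperator.securityContext` renders as the pod-level securityContext (nindent 8) and `tetragonOperator.podSecurityContext` renders as the container-level one (nindent 10). The UID/GID 65532 is an assumption (a common non-root UID in minimal base images); the operator image may use a different one, so check the image before relying on it.

```yaml
# values-tetragon-operator-nonroot.yaml (constructed example, not shipped with the chart)
tetragonOperator:
  # Despite its name, this key is rendered as the POD-level securityContext
  # (see the `nindent 8` block in the deployment template). It applies to
  # every container in the operator pod.
  securityContext:
    # runAsNonRoot makes the kubelet refuse to start the container if the
    # effective UID would still be 0, so a wrong runAsUser fails loudly
    # instead of silently running as root.
    runAsNonRoot: true
    runAsUser: 65532    # assumed UID; verify it suits the operator image
    runAsGroup: 65532   # assumed GID
  # Despite its name, this key is rendered as the CONTAINER-level
  # securityContext (`nindent 10`). Keep the chart's existing hardening here.
  podSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - "ALL"
```

To confirm what actually lands in the Deployment before installing, render the chart with these values (assuming the Tetragon chart repository has been added under the name `cilium`): `helm template tetragon cilium/tetragon -n kube-system -f values-tetragon-operator-nonroot.yaml`, then look for `runAsUser` and `runAsNonRoot` under `spec.template.spec.securityContext` of the operator Deployment. A container-level securityContext overrides the pod-level one field by field, so if a later chart version adds `runAsUser` to the container block, that value wins.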
