CloudNativeSecurityCon North America 2024

You can do so much with eBPF, with so little code. You can easily and cheaply get insights on connectivity, networking, security and performance. One drawback is that these eBPF probes require elevated permissions, in order to be loaded and to perform their job. But what permissions exactly? Can we avoid ‘privileged:true’ in the Kubernetes securityContext, and in what situations? This talk focuses on exploring the mapping between the Linux security capabilities, which can be configured in the Kubernetes securityContext, and eBPF capabilities. We discuss some of the learnings on when even CAP_SYS_ADMIN is not enough and how to avoid the dreaded ‘privileged: true’. We go into detail on the fine boundaries of what capabilities some common eBPF features require and where the lines are drawn. We explore when the CAP_BPF capability is enough, and what additional privileges are required for what types of instrumentation to avoid CAP_SYS_ADMIN.