← Back to context Comment by somanyphotons 1 year ago Presumably eBPF requires root privs? 7 comments somanyphotons Reply trallnag 1 year ago I'm having a hard time coming up with a use case where I want to use a tool like that but I'm also lacking root privileges freedomben 1 year ago Inside most production environments. I could use this today inside a Pod that isn't allowed root privs. dgl 1 year ago This won't work in most cases inside a Kubernetes pod, as the default seccomp policies don't allow creating namespaces within them. You can obviously relax the seccomp policies, but at that point you can also just give yourself the capabilities.There are eBPF tools which will work, for example https://inspektor-gadget.io/docs/latest/gadgets/trace_ssl zamubafoo 1 year ago In production environments that won't give you root access, you won't be exec'ing inside of a pod if you aren't an operator or sysadmin. 2 replies →
trallnag 1 year ago I'm having a hard time coming up with a use case where I want to use a tool like that but I'm also lacking root privileges freedomben 1 year ago Inside most production environments. I could use this today inside a Pod that isn't allowed root privs. dgl 1 year ago This won't work in most cases inside a Kubernetes pod, as the default seccomp policies don't allow creating namespaces within them. You can obviously relax the seccomp policies, but at that point you can also just give yourself the capabilities.There are eBPF tools which will work, for example https://inspektor-gadget.io/docs/latest/gadgets/trace_ssl zamubafoo 1 year ago In production environments that won't give you root access, you won't be exec'ing inside of a pod if you aren't an operator or sysadmin. 2 replies →
freedomben 1 year ago Inside most production environments. I could use this today inside a Pod that isn't allowed root privs. dgl 1 year ago This won't work in most cases inside a Kubernetes pod, as the default seccomp policies don't allow creating namespaces within them. You can obviously relax the seccomp policies, but at that point you can also just give yourself the capabilities.There are eBPF tools which will work, for example https://inspektor-gadget.io/docs/latest/gadgets/trace_ssl zamubafoo 1 year ago In production environments that won't give you root access, you won't be exec'ing inside of a pod if you aren't an operator or sysadmin. 2 replies →
dgl 1 year ago This won't work in most cases inside a Kubernetes pod, as the default seccomp policies don't allow creating namespaces within them. You can obviously relax the seccomp policies, but at that point you can also just give yourself the capabilities.There are eBPF tools which will work, for example https://inspektor-gadget.io/docs/latest/gadgets/trace_ssl
zamubafoo 1 year ago In production environments that won't give you root access, you won't be exec'ing inside of a pod if you aren't an operator or sysadmin. 2 replies →
I'm having a hard time coming up with a use case where I want to use a tool like that but I'm also lacking root privileges
Inside most production environments. I could use this today inside a Pod that isn't allowed root privs.
This won't work in most cases inside a Kubernetes pod, as the default seccomp policies don't allow creating namespaces within them. You can obviously relax the seccomp policies, but at that point you can also just give yourself the capabilities.
There are eBPF tools which will work, for example https://inspektor-gadget.io/docs/latest/gadgets/trace_ssl
In production environments that won't give you root access, you won't be exec'ing inside of a pod if you aren't an operator or sysadmin.
2 replies →