Can runAsUser: 0 and Privileged Mode Be Removed in eBPF Mode for falcon-node-sensor? #315
Hi,

We've recently switched to the eBPF mode for the sensor, and I noticed that both the initContainer and falcon-node-sensor container are currently running as root with privileged mode enabled. In the eBPF mode, since the sensor no longer uses a kernel module, do the containers still need to run as root and in privileged mode?

Additionally, are there any other security contexts (e.g., allowPrivilegeEscalation, readOnlyRootFilesystem) that can be safely removed or adjusted in this mode?

Cheers
Hello @r3motecontrol
I moved this to a discussion as it makes more sense as Q&A.
To answer your question, yes. Switching from a kernel module to an eBPF program doesn't change that. For security reasons, many parts of eBPF functionality require root permissions and privileges; otherwise, anyone could have carte blanche access to your system. So, all the permissions that you see are still required.
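
To inventory the settings named in the question across the initContainer and the sensor container, the added example below (not from this thread or the project's own code) resolves each container's effective security context from `kubectl get daemonset <name> -o json` output. The manifest fragment is constructed, and the init container name `init` is a placeholder.

```python
import json

# Constructed DaemonSet fragment (not the project's real manifest); the shape
# matches `kubectl get daemonset <name> -o json`. "init" is a placeholder name.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {
  "securityContext": {"runAsUser": 0},
  "initContainers": [
    {"name": "init", "securityContext": {"privileged": true, "runAsUser": 0}}
  ],
  "containers": [
    {"name": "falcon-node-sensor",
     "securityContext": {"privileged": true, "allowPrivilegeEscalation": true}}
  ]
}}}}
""")

def effective_contexts(daemonset):
    """Return {container_name: resolved security settings} for every container."""
    pod = daemonset["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    result = {}
    for kind in ("initContainers", "containers"):
        for c in pod.get(kind, []):
            sc = c.get("securityContext") or {}
            privileged = sc.get("privileged", False)
            # Container-level runAsUser overrides the pod-level value; None
            # means the UID comes from the image and must be checked there.
            run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
            # Unset allowPrivilegeEscalation behaves as true, and a privileged
            # container always has it effectively true.
            ape = privileged or sc.get("allowPrivilegeEscalation", True)
            result[c["name"]] = {
                "kind": kind,
                "privileged": privileged,
                "runAsUser": run_as_user,
                "allowPrivilegeEscalation": ape,
                "readOnlyRootFilesystem": sc.get("readOnlyRootFilesystem", False),
            }
    return result

def root_privileged(daemonset):
    """Names of containers that run as UID 0 with privileged mode on."""
    return sorted(n for n, s in effective_contexts(daemonset).items()
                  if s["privileged"] and s["runAsUser"] == 0)

if __name__ == "__main__":
    for name, settings in effective_contexts(SAMPLE).items():
        print(name, settings)
```

The output gives one row per container that can be recorded as a documented exception in admission policy for the sensor's namespace.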