Commit 0442234

chore: extend security section in readme
1 parent e51a968 commit 0442234

1 file changed

+31
-13
lines changed

README.md

Lines changed: 31 additions & 13 deletions
@@ -22,18 +22,18 @@ When installed as linux package this configuration is in`/etc/steadybit/extensio
2222

2323
The capabilities needed by this extension are: (which are provided by the helm chart)
2424

25-
- SYS_ADMIN
26-
- SYS_RESOURCE
27-
- SYS_BOOT
28-
- NET_RAW
29-
- SYS_TIME
30-
- SYS_PTRACE
31-
- KILL
32-
- NET_ADMIN
33-
- DAC_OVERRIDE
34-
- SETUID
35-
- SETGID
36-
- AUDIT_WRITE
25+
- `SYS_ADMIN`
26+
- `SYS_RESOURCE`
27+
- `SYS_BOOT`
28+
- `NET_RAW`
29+
- `SYS_TIME`
30+
- `SYS_PTRACE`
31+
- `KILL`
32+
- `NET_ADMIN`
33+
- `DAC_OVERRIDE`
34+
- `SETUID`
35+
- `SETGID`
36+
- `AUDIT_WRITE`
3737

3838
## Installation
3939

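Review bot: The capability list at new lines 25-36 has twelve entries and no `SYS_CHROOT`, while the Security section added further down in this same commit names thirteen, including `CAP_SYS_CHROOT`. Either add `SYS_CHROOT` here or drop it below, so that someone auditing what the helm chart grants finds one authoritative set. The two lists also use different spellings (bare names here, `CAP_` prefix below); pick one, or replace this list with a pointer to the Security section so the two cannot drift apart again.
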
@@ -87,9 +87,27 @@ Make sure that the extension is registered with the agent. In most cases this is
8787
the [documentation](https://docs.steadybit.com/install-and-configure/install-agent/extension-discovery) for more
8888
information about extension registration and how to verify.
8989

90+
## Security
91+
92+
We try to limit the access needed for the extension to the absolute minimum. So the extension itself can run as a
93+
non-root user on a read-only root file-system and will, by default, if deployed using the provided helm chart.
94+
95+
In order to execute certain actions the extension needs extended capabilities, see details below.
96+
97+
### Resource and network attacks
98+
99+
Resource attacks start `stress-ng` or other resource attacking processes, and network attacks start `ip` or `tc` processes,
100+
as runc container (sidecar) using the root user (`uid=0`, `gid=0`) and reusing the target container's linux namespace(s)
101+
and control group(s). These processes are short-lived and terminated after the attack is finished.
102+
103+
This requires the following capabilities:
104+
`CAP_SYS_ADMIN`, `CAP_SYS_CHROOT`, `CAP_SYS_RESOURCE`, `CAP_SYS_BOOT`, `CAP_NET_RAW`, `CAP_SYS_TIME`, `CAP_SYS_PTRACE`,
105+
`CAP_KILL`, `CAP_NET_ADMIN`, `CAP_DAC_OVERRIDE`, `CAP_SETUID`, `CAP_SETGID`, `CAP_AUDIT_WRITE`
106+
90107
## Troubleshooting
91108

92-
When the host is using cgroups v2 and the cgroup filesystem is mounted using the `nsdelegate` option will prevent that the action running processces in other cgroups (e.g. stress cpu/memory, disk fill) will fail.
109+
Using cgroups v2 on the host and `nsdelegate` to mount the cgroup filesystem will prevent
110+
the action from running processes in other cgroups (e.g. stress cpu/memory, disk fill).
93111
In that case you need to remount the cgroup filesystem without the `nsdelegate` option.
94112

95113
```sh
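
Review bot: The capability paragraph under "Resource and network attacks" (new lines 103-105) gives all thirteen capabilities as one flat set, so a reader cannot tell which capability serves which action; for broad ones such as `CAP_SYS_ADMIN`, `CAP_SYS_PTRACE` and `CAP_DAC_OVERRIDE`, that mapping is what a reviewer of the deployment will ask for. Consider a short table of capability against the attack type that needs it. It would also help to say explicitly that the non-root, read-only root file-system statement in the opening paragraph describes the extension process, while the sidecar described two paragraphs later runs as `uid=0`, since the two statements sit a few lines apart. Minor wording: the opening pair of sentences reads more clearly as one sentence without "So", for example ending "and does so by default when deployed using the provided helm chart"; the new section writes "file-system" while the Troubleshooting text writes "filesystem".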
