Is there a way to run as unprivileged?

[mrueg]

First of all, thanks for writing the plugin. Profiling on kubernetes is difficult and I'm looking forward to seeing if this plugin can ease the pain.

Currently, our clusters have a default podsecurity policy which disallow privileged containers.
Resulting in something like this, when I try to run the plugin:

2021/01/18 13:53:47 Job.batch "kubectl-flame-cx36dx4d-e2xe-4987-879a-d64776cb5543" is invalid: spec.template.spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy

I see this plugin needs to run the jobs on Kubernetes currently as privileged: https://github.com/VerizonMedia/kubectl-flame/blob/cb7290125d6d471bfb159be5e3ff3bf7178bef94/cli/cmd/kubernetes/job/python.go#L72 (same on jvm and golang)

Is there a way to reduce the number of privileges it needs to run? E.g. by setting the right capabilities?

[edeNFed]

Hi @mrueg
I'm currently working on switching from privileged pod to specific capabilities.
Hope to have it ready in a few days.
Thanks

[indrasvat]

@edeNFed, is it also possible to enhance the cli to support passing / specifying a custom securityContext (required in our k8s cluster pod security policy)? Say, something like below:

apiVersion: batch/v1
kind: Job
spec:
  template:
    metadata:
      name: kubectl-flame-226b6efa-60d7-4256-9317-8aca48862125
      namespace: my-app
    spec:
      securityContext:  # <--- Required
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 1000
...

Thanks!

[o2themar]

@edeNFed Any plans to make it unprivileged? I'm running into the same issue as well when trying to use it in my cluster. Its been over a year since you mentioned you were making a change to add this feature.

[hi120ki]

Can I ask any updates on this unprivileged options? Thank you!