[Legacy eBPF] Falco doesn't work on GKE cluster(v1.24) #2874
Comments
Could you be more specific about the GKE version?
BTW, apart from the version, the issue here is that the BPF verifier doesn't pass on this kernel. I don't think we can fix this at the moment; if the kernel supports it, maybe a good idea could be to use the If you really need to use the legacy eBPF probe, probably the best solution at the moment is to bump the GKE version. For example, this morning I tried
I guess the GKE version is not the reason, because I have tried to deploy it in another cluster with GKE version v1.27.5-gke.200 and kernel version 5.15.120 and got the same issue. But I have successfully deployed it in a third cluster with GKE version v1.25.5-gke.1500 and kernel version 5.15.65. Let me test with modern-bpf.
Uhm, that's interesting; yesterday I tried
I have tried modern-bpf in the v1.27.5-gke.200 GKE cluster with kernel version 5.15.120+ and got the `libpman: ring buffer map type is not supported (errno: 1 | message: Operation not permitted)` error. I have used these options in the Helm chart values.
Also, I have tried with ebpf in the same environment and got the `setrlimit failed: Operation not permitted` error with the following values. I saw that there was an open issue for this error, and as I understand it the solution was to use the CAP_SYS_ADMIN capability, depending on the kernel version.
Uhm, this is strange, I've tried your same environment and it works for me...

```shell
gcloud container clusters create falco-test-1 \
  --release-channel=rapid \
  --cluster-version=1.27.5-gke.200 \
  --zone=europe-west1-c \
  --image-type=cos_containerd \
  --machine-type=e2-medium
```

So

diff --git a/falco/values.yaml b/falco/values.yaml
index c6ed654..a3e7558 100644
--- a/falco/values.yaml
+++ b/falco/values.yaml
@@ -179,7 +179,7 @@ driver:
# Always set it to false when using Falco with plugins.
enabled: true
# -- Tell Falco which driver to use. Available options: module (kernel driver), ebpf (eBPF probe), modern-bpf (modern eBPF probe).
- kind: module
+ kind: modern-bpf
# -- Configuration section for ebpf driver.
ebpf:
# -- Path where the eBPF probe is located. It comes handy when the probe have been installed in the nodes using tools other than the init
@@ -194,7 +194,7 @@ driver:
# On kernel versions >= 5.8 'CAP_PERFMON' and 'CAP_BPF' could replace 'CAP_SYS_ADMIN' but please pay attention to the 'kernel.perf_event_paranoid' value on your system.
# Usually 'kernel.perf_event_paranoid>2' means that you cannot use 'CAP_PERFMON' and you should fallback to 'CAP_SYS_ADMIN', but the behavior changes across different distros.
# Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-1
- leastPrivileged: false
+ leastPrivileged: true
# -- Configuration section for modern bpf driver.
modern_bpf:
# -- Constrain Falco with capabilities instead of running a privileged container. It works also with
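Review bot: the `leastPrivileged: true` toggled here sits under the `ebpf:` section (see the trailing context of the previous hunk), while `kind` is now `modern-bpf`, so this flag has no effect unless the driver kind is switched back to `ebpf`. If the intent is to stop running a privileged container with the modern probe, the switch to set is the one introduced by the comment at the end of this hunk under `modern_bpf:` ("Constrain Falco with capabilities instead of running a privileged container"); either leave the `ebpf` flag unchanged or set both, and say in the commit message which driver the change targets.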
Yes, exactly: the privileges required to run the legacy BPF probe really depend on the environment you use; you can find more info here https://falco.org/docs/event-sources/kernel/#least-privileged-mode-1
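The privilege rule quoted in the chart comments above (CAP_PERFMON and CAP_BPF instead of CAP_SYS_ADMIN on kernels >= 5.8, unless `kernel.perf_event_paranoid` > 2) written out as a small decision helper for node-by-node checks. This is an added example, not code from Falco or from this thread; the function names, and the SYS_RESOURCE and SYS_PTRACE entries taken from my reading of the linked least-privileged docs, are assumptions.

```python
from __future__ import annotations
import re

# Added example, not code from the Falco project or this thread. It encodes the
# rule from the chart comments: on kernels >= 5.8, CAP_PERFMON + CAP_BPF can
# replace CAP_SYS_ADMIN for the legacy eBPF probe unless
# kernel.perf_event_paranoid > 2. The SYS_RESOURCE / SYS_PTRACE entries and the
# function names are my assumptions based on the linked least-privileged docs.


def parse_kernel_release(release: str) -> tuple[int, int, int]:
    """Parse a `uname -r` string such as '5.15.120+' (COS/GKE) or '5.15.0-1045-gke'."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def legacy_probe_capabilities(release: str, perf_event_paranoid: int) -> list[str]:
    """Capabilities the legacy probe container needs on this node.

    SYS_RESOURCE covers the setrlimit call (memlock limit) that failed with EPERM
    in the thread; SYS_PTRACE is assumed for reading other processes' /proc data.
    """
    major, minor, _ = parse_kernel_release(release)
    if (major, minor) < (5, 8) or perf_event_paranoid > 2:
        # CAP_BPF / CAP_PERFMON do not exist before 5.8, and a paranoid value above 2
        # locks perf down for non-admin callers: fall back to SYS_ADMIN.
        return ["SYS_ADMIN", "SYS_RESOURCE", "SYS_PTRACE"]
    return ["BPF", "PERFMON", "SYS_RESOURCE", "SYS_PTRACE"]


def helm_driver_values(release: str, perf_event_paranoid: int) -> dict:
    """Helm values override for the legacy probe: least-privileged only when it can work."""
    least = "SYS_ADMIN" not in legacy_probe_capabilities(release, perf_event_paranoid)
    return {"driver": {"kind": "ebpf", "ebpf": {"leastPrivileged": least}}}


if __name__ == "__main__":
    # Constructed sample nodes; the kernel strings match the ones reported in the thread.
    for release, paranoid in [("5.15.120+", 2), ("5.15.65", 3), ("4.19.0", 1)]:
        print(release, paranoid, legacy_probe_capabilities(release, paranoid))
```

On a node, `uname -r` and `sysctl kernel.perf_event_paranoid` give the two inputs.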
I have upgraded the chart version from 3.7.1 -> 3.8.0, and with modern-bpf it worked!
You are welcome! I will close this issue, feel free to reopen it if necessary! These are the necessary changes to run it with the Helm chart:

diff --git a/falco/values.yaml b/falco/values.yaml
index c6ed654..a3e7558 100644
--- a/falco/values.yaml
+++ b/falco/values.yaml
@@ -179,7 +179,7 @@ driver:
# Always set it to false when using Falco with plugins.
enabled: true
# -- Tell Falco which driver to use. Available options: module (kernel driver), ebpf (eBPF probe), modern-bpf (modern eBPF probe).
- kind: module
+ kind: modern-bpf
# -- Configuration section for ebpf driver.
ebpf:
# -- Path where the eBPF probe is located. It comes handy when the probe have been installed in the nodes using tools other than the init
@@ -194,7 +194,7 @@ driver:
# On kernel versions >= 5.8 'CAP_PERFMON' and 'CAP_BPF' could replace 'CAP_SYS_ADMIN' but please pay attention to the 'kernel.perf_event_paranoid' value on your system.
# Usually 'kernel.perf_event_paranoid>2' means that you cannot use 'CAP_PERFMON' and you should fallback to 'CAP_SYS_ADMIN', but the behavior changes across different distros.
# Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-1
- leastPrivileged: false
+ leastPrivileged: true
# -- Configuration section for modern bpf driver.
modern_bpf:
# -- Constrain Falco with capabilities instead of running a privileged container.

It's possible that the legacy probe won't work on all kernel versions, but if the modern probe works we are good; the idea is to have at least one of the 2 working on the widest possible range of kernels.
@EdikAndriasyan reposting your initial question #2869 (comment)