Falco keeps restarting when run with ebpf driver in least privilege mode #3106
Comments
@Nnoromuche There are some possible reasons for this issue. In my case, when I was running Falco in least privileged mode, it didn't have the necessary permissions to load the eBPF driver. If we use Pod Security Policies in the Kubernetes cluster, they might restrict the capabilities of the Falco pods, preventing them from loading the eBPF driver. Here are the key permissions required to run Falco with the eBPF driver:
You can check whether these necessary permissions are given or not in Kubernetes least privileged mode.
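One way to carry out the check suggested in the comment above, as an added example that is not part of the original thread or of Falco's own code: it decodes the capability bitmasks from `/proc/<pid>/status` and classifies each capability on a wanted list. The wanted list, the sample status text and the `cap_last_cap` value are constructed for illustration; the bit numbers are those in `linux/capability.h`.

```python
import re

# Bit numbers from include/uapi/linux/capability.h (subset only).
CAP_BITS = {
    "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21,
    "CAP_SYS_RESOURCE": 24,
    "CAP_PERFMON": 38,
    "CAP_BPF": 39,
}

def parse_cap_sets(status_text):
    """Map each Cap* line of /proc/<pid>/status to its integer bitmask."""
    pattern = re.compile(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)
    return {name: int(mask, 16) for name, mask in pattern.findall(status_text)}

def audit_caps(status_text, wanted, cap_last_cap):
    """Classify each wanted capability; cap_last_cap is /proc/sys/kernel/cap_last_cap."""
    sets = parse_cap_sets(status_text)
    if "CapEff" not in sets or "CapBnd" not in sets:
        raise ValueError("status text has no CapEff/CapBnd lines")
    report = {}
    for cap in wanted:
        bit = CAP_BITS[cap]  # KeyError for a name outside the table above
        if bit > cap_last_cap:
            report[cap] = "unknown to this kernel"
        elif sets["CapEff"] >> bit & 1:
            report[cap] = "effective"
        elif sets["CapBnd"] >> bit & 1:
            report[cap] = "not effective (allowed by bounding set)"
        else:
            report[cap] = "dropped from bounding set"
    return report

# Constructed sample, not output from the reporter's cluster.
SAMPLE_STATUS = """\
Name:\tfalco
CapInh:\t0000000000000000
CapPrm:\t0000000001080000
CapEff:\t0000000001080000
CapBnd:\t0000000001280000
CapAmb:\t0000000000000000
"""
# Constructed wanted list; substitute the set your Falco version documents.
WANTED = ["CAP_SYS_PTRACE", "CAP_SYS_RESOURCE", "CAP_SYS_ADMIN", "CAP_BPF"]

if __name__ == "__main__":
    for cap, state in audit_caps(SAMPLE_STATUS, WANTED, cap_last_cap=37).items():
        print(f"{cap:18} {state}")
```

On a node, feed it the contents of `/proc/<falco pid>/status` and the integer from `/proc/sys/kernel/cap_last_cap`; a capability reported as unknown to the kernel cannot be granted by any security context.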
@rashim27us thanks, I am running Falco with the below
The
Wondering whether there is a missing configuration in the above
Describe the bug
When I run Falco as a DaemonSet in least privilege mode using the eBPF driver on Red Hat Enterprise Linux 8.9, I see multiple Falco process restarts in the logs in a Kubernetes environment. When I run Falco with the eBPF driver in privileged mode, it works fine; however, running in least privilege mode results in multiple restarts.
How to reproduce it
Add the following capabilities to the security context in the deployment.yaml file
Logs show
Expected behaviour
I would like Falco to run in least privilege mode on a Red Hat Enterprise Linux 8.9 machine without multiple restarts.
Environment