diff --git a/integration-tests/pkg/collector/collector_docker.go b/integration-tests/pkg/collector/collector_docker.go
index 327914646a..e9c4badee7 100644
--- a/integration-tests/pkg/collector/collector_docker.go
+++ b/integration-tests/pkg/collector/collector_docker.go
@@ -120,10 +120,17 @@ func (c *DockerCollectorManager) IsRunning() (bool, error) {
 }
 func (c *DockerCollectorManager) createCollectorStartConfig() (config.ContainerStartConfig, error) {
+ privileged := config.NeedsPrivileged()
+ var capAdd []string
+ if !privileged {
+ capAdd = []string{"BPF", "PERFMON", "SYS_PTRACE", "SYS_RESOURCE"}
+ }
+
 startConfig := config.ContainerStartConfig{
 Name: "collector",
 Image: config.Images().CollectorImage(),
- Privileged: true,
+ Privileged: privileged,
+ CapAdd: capAdd,
 NetworkMode: "host",
 Mounts: c.mounts,
 Env: c.env,
diff --git a/integration-tests/pkg/collector/collector_k8s.go b/integration-tests/pkg/collector/collector_k8s.go
index 74c29a4e3c..b950ec6136 100644
--- a/integration-tests/pkg/collector/collector_k8s.go
+++ b/integration-tests/pkg/collector/collector_k8s.go
@@ -129,14 +129,27 @@ func (k *K8sCollectorManager) Launch() error {
 Labels: map[string]string{"app": "collector"},
 }
- privileged := true
+ needsPrivileged := config.NeedsPrivileged()
+ secCtx := &coreV1.SecurityContext{}
+ if needsPrivileged {
+ secCtx.Privileged = &needsPrivileged
+ } else {
+ noPrivEsc := false
+ notPrivileged := false
+ secCtx.Privileged = ¬Privileged
+ secCtx.AllowPrivilegeEscalation = &noPrivEsc
+ secCtx.Capabilities = &coreV1.Capabilities{
+ Drop: []coreV1.Capability{"ALL"},
+ Add: []coreV1.Capability{"BPF", "PERFMON", "SYS_PTRACE", "SYS_RESOURCE"},
+ }
+ }
 container := coreV1.Container{
 Name: "collector",
 Image: config.Images().CollectorImage(),
 Ports: []coreV1.ContainerPort{{ContainerPort: 8080}},
 Env: k.env,
 VolumeMounts: k.volumeMounts,
- SecurityContext: &coreV1.SecurityContext{Privileged: &privileged},
+ SecurityContext: secCtx,
 }
 pod := &coreV1.Pod{
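Review bot: The capability list `{"BPF", "PERFMON", "SYS_PTRACE", "SYS_RESOURCE"}` assigned to `capAdd` is a second copy of the list in `collector_k8s.go`'s `secCtx.Capabilities.Add` in this same commit, so the two launch paths will drift the next time a capability is added or removed. Since `config.NeedsPrivileged()` already lives in the `config` package, the capability set that its `false` result implies belongs beside it, e.g. a `config.CollectorCapabilities()` (constructed name) returning `[]string` that both collectors consume, the k8s path converting each entry to `coreV1.Capability`. That would also give one place to document why the set is what it is. `createCollectorStartConfig` continues past the end of the hunk.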
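Review bot: The non-privileged branch drops `ALL` and adds four capabilities, but nothing explains why the set goes beyond the two (`CAP_BPF`, `CAP_PERFMON`) that the `NeedsPrivileged` doc comment names as the reason for going privileged; a comment above `secCtx.Capabilities = ...` such as `// Besides BPF/PERFMON the collector also needs SYS_PTRACE and SYS_RESOURCE (reason to be confirmed against the collector's runtime requirements)` would keep the branch explainable. `AllowPrivilegeEscalation` is left nil in the privileged branch, which is fine because `Privileged: true` already implies it, but a one-line comment saying so would pre-empt the obvious question. `secCtx.Privileged = ¬Privileged` as shown on the page is presumably `&notPrivileged` with `&not` swallowed by entity decoding rather than a defect in the source. `Launch` starts before and continues after the hunk.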
diff --git a/integration-tests/pkg/config/config.go b/integration-tests/pkg/config/config.go
index 47febb7cd4..12c1ad4740 100644
--- a/integration-tests/pkg/config/config.go
+++ b/integration-tests/pkg/config/config.go
@@ -170,3 +170,26 @@ func BenchmarksInfo() *Benchmarks {
 func LogPath() string {
 return filepath.Join(".", "container-logs", VMInfo().Config, CollectionMethod())
 }
+
+// NeedsPrivileged returns true for VMs where CAP_BPF and CAP_PERFMON are
+// not functional as discrete capabilities:
+// - RHCOS 4.12-4.19: RHEL 8 kernel (4.18.0) lacks discrete CAP_BPF
+// - RHEL 8: same kernel limitation
+// - RHEL-SAP: SAP kernel builds restrict BPF capability probing even on 5.14+
+// - s390x: RHEL 8 kernel
+func NeedsPrivileged() bool {
+ vmConfig := VMInfo().Config
+ privilegedPlatforms := []string{
+ "rhcos-412", "rhcos-413", "rhcos-414", "rhcos-415",
+ "rhcos-416", "rhcos-417", "rhcos-418", "rhcos-419",
+ "rhel_rhel-8", "rhel-8",
+ "rhel-sap",
+ "rhel-s390x",
+ }
+ for _, pattern := range privilegedPlatforms {
+ if strings.Contains(vmConfig, pattern) {
+ return true
+ }
+ }
+ return false
+}
diff --git a/integration-tests/pkg/config/container_config.go b/integration-tests/pkg/config/container_config.go
index 992cded1c9..b404554380 100644
--- a/integration-tests/pkg/config/container_config.go
+++ b/integration-tests/pkg/config/container_config.go
@@ -4,6 +4,7 @@ type ContainerStartConfig struct {
 Name string
 Image string
 Privileged bool
+ CapAdd []string
 NetworkMode string
 Mounts map[string]string
 Env map[string]string
diff --git a/integration-tests/pkg/executor/executor_cri.go b/integration-tests/pkg/executor/executor_cri.go
index caf9a35278..fa555bface 100644
--- a/integration-tests/pkg/executor/executor_cri.go
+++ b/integration-tests/pkg/executor/executor_cri.go
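Review bot: `"rhel_rhel-8"` in `privilegedPlatforms` is redundant, because `strings.Contains(vmConfig, "rhel_rhel-8")` implies `strings.Contains(vmConfig, "rhel-8")`, which the next pattern already tests; drop one of them or, if the distinction matters, tighten the matching. Substring matching is also loose: any VM config name that merely contains `rhel-8` or `rhel-sap` flips the collector to privileged mode, so a prefix or exact match against the known config names would be harder to trip by accident. Idiomatically the list would be a package-level `var privilegedPlatforms = []string{...}` checked with `slices.ContainsFunc(privilegedPlatforms, func(p string) bool { return strings.Contains(vmConfig, p) })` rather than rebuilt on every call. The doc comment attributes RHCOS 4.12–4.19 to the RHEL 8 kernel; I believe RHCOS from 4.13 onward ships a RHEL 9 kernel, so if that is right the stated reason for those entries needs correcting. The import block is outside the hunk, so I cannot confirm `strings` is already imported in config.go.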
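Review bot: `CapAdd` is added without a comment, and its meaning depends on `Privileged`: the docker collector in this commit populates it only when `Privileged` is false, and the CRI executor pairs it with an unconditional drop of `ALL`, yet the struct records neither. A field comment such as `// CapAdd lists Linux capabilities to grant when Privileged is false; an executor may drop all other capabilities when it is set.` would document the contract at the one place both executors read it. There is no matching `CapDrop` field, so the drop-all decision is currently made per executor rather than by the caller, which is worth stating explicitly if that is intended.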
@@ -226,18 +226,26 @@ func (c *criExecutor) StartContainer(config config.ContainerStartConfig) (string
 })
 }
+ secCtx := &pb.LinuxContainerSecurityContext{
+ Privileged: config.Privileged,
+ NamespaceOptions: &pb.NamespaceOption{
+ Network: network,
+ },
+ }
+ if len(config.CapAdd) > 0 {
+ secCtx.Capabilities = &pb.Capability{
+ AddCapabilities: config.CapAdd,
+ DropCapabilities: []string{"ALL"},
+ }
+ }
+
 containerConfig := pb.ContainerConfig{
 Metadata: &pb.ContainerMetadata{Name: config.Name},
 Image: &pb.ImageSpec{Image: config.Image},
 Envs: envs,
 Mounts: mounts,
 Linux: &pb.LinuxContainerConfig{
- SecurityContext: &pb.LinuxContainerSecurityContext{
- Privileged: config.Privileged,
- NamespaceOptions: &pb.NamespaceOption{
- Network: network,
- },
- },
+ SecurityContext: secCtx,
 },
 LogPath: config.Name,
 Labels: labels,
diff --git a/integration-tests/pkg/executor/executor_docker_api.go b/integration-tests/pkg/executor/executor_docker_api.go
index d713a7c440..3a39f272fe 100644
--- a/integration-tests/pkg/executor/executor_docker_api.go
+++ b/integration-tests/pkg/executor/executor_docker_api.go
@@ -150,6 +150,7 @@ func (d *dockerAPIExecutor) StartContainer(startConfig config.ContainerStartConf
 NetworkMode: container.NetworkMode(startConfig.NetworkMode),
 Privileged: startConfig.Privileged,
 Binds: binds,
+ CapAdd: startConfig.CapAdd,
 }
 resp, err := d.client.ContainerCreate(ctx, containerConfig, hostConfig, nil, nil, startConfig.Name)
 if err != nil {
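Review bot: The `Capabilities` block is attached whenever `config.CapAdd` is non-empty, independent of `config.Privileged`, so a caller that sets both gets a privileged container that also carries `DropCapabilities: ALL` and leaves the runtime to decide how the two interact. Today the only caller (`collector_docker.go` in this commit) sets `CapAdd` only when not privileged, so the combination is unreachable, but the executor should either guard it, `if !config.Privileged && len(config.CapAdd) > 0 {`, or say so in a comment, `// CapAdd is only meaningful for non-privileged containers; callers leave it empty when Privileged is set.` Dropping `ALL` here is also a policy decision the caller cannot opt out of, which is fine for a test harness but deserves a one-line comment explaining that the add list is meant to be the complete set. `StartContainer` begins before and continues after the hunk.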
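Review bot: `CapAdd` is forwarded but nothing is dropped, so on this path a non-privileged collector keeps Docker's default capability set plus the four added ones, whereas the CRI executor in this commit drops `ALL` first; the same `ContainerStartConfig` therefore yields a broader capability set under the docker API executor than under CRI. Mirroring the CRI behaviour after the `hostConfig` literal, `if len(startConfig.CapAdd) > 0 { hostConfig.CapDrop = []string{"ALL"} }`, would make the two executors agree while leaving the privileged path (empty `CapAdd`) untouched. `StartContainer` begins before and continues after the hunk.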