Kubeshark's Security Context & RBAC
The Worker DaemonSet
Kubeshark’s Worker DaemonSet is a critical component designed to monitor network traffic within the Kubernetes cluster. To function effectively, it requires specific capabilities that go beyond the standard set. These capabilities are essential for enabling network sniffing and detailed traffic analysis. The security context for the Worker DaemonSet is defined as follows:
Capabilities
Below is the list of capabilities assigned to their respective features. If you disable certain features, their corresponding capabilities are not requested:
capabilities:
networkCapture:
- NET_RAW
- NET_ADMIN
serviceMeshCapture:
- SYS_ADMIN
- SYS_PTRACE
- DAC_OVERRIDE
- CHECKPOINT_RESTORE
kernelModule:
- SYS_MODULE
ebpfCapture:
- SYS_ADMIN
- SYS_PTRACE
- SYS_RESOURCE
- CHECKPOINT_RESTORE
This configuration can be changed via the values.yaml
.
Service Account
Kubeshark utilizes a dedicated Service Account named kubeshark-service-account
for all its components. This account is specifically configured to provide the necessary access permissions for Kubeshark’s operations within the Kubernetes environment, ensuring secure and efficient performance.
Cluster Role
The Cluster Role in Kubeshark is designed to grant broad permissions across the entire Kubernetes cluster. This role is crucial for Kubeshark to access and monitor various Kubernetes resources at a cluster-wide level. The Cluster Role Binding, detailed below, outlines these permissions:
rules:
- apiGroups:
- ""
- extensions
- apps
resources:
- pods
- services
- endpoints
- persistentvolumeclaims
verbs:
- list
- get
- watch
Namespace Specific Role
Within the specific namespace where Kubeshark is deployed, a Role Binding is used to grant targeted permissions for namespace-level resources. This ensures Kubeshark’s access to essential configurations and secrets within its operational namespace:
rules:
- apiGroups:
- "" # Core API group
- v1 # Version 1 of the core API group
resourceNames:
- kubeshark-secret # Specific secret for Kubeshark
- kubeshark-config-map # Specific config map for Kubeshark
resources:
- secrets # Access to secrets resource
- configmaps # Access to configmaps resource
verbs:
- get # Permission to get resource details
- watch # Permission to watch for changes in resources
- update # Permission to update resources
These permissions are integral for Kubeshark’s self-configuration and adaptive operation within the Kubernetes environment.