diff --git a/config/manager/deployment/ipam.yaml b/config/manager/deployment/ipam.yaml
index 489ecf8..44d8727 100644
--- a/config/manager/deployment/ipam.yaml
+++ b/config/manager/deployment/ipam.yaml
@@ -111,9 +111,9 @@ spec:
 drop:
 - all
 add:
- - DAC_OVERRIDE # required by debug tools netstat, ss
- - NET_RAW # required by debug tool ping
- - SYS_PTRACE # required by debug tools netstat, ss to list process names/ids
+ - DAC_OVERRIDE # required by debug tools (netstat, ss)
+ - NET_RAW # required by debug tool (ping)
+ - SYS_PTRACE # required by debug tools (netstat, ss to list process names/ids)
 dnsPolicy: ClusterFirst
 restartPolicy: Always
 schedulerName: default-scheduler
diff --git a/config/manager/deployment/lb-fe.yaml b/config/manager/deployment/lb-fe.yaml
index e876451..cba0939 100644
--- a/config/manager/deployment/lb-fe.yaml
+++ b/config/manager/deployment/lb-fe.yaml
@@ -124,11 +124,11 @@ spec:
 - all
 add:
 - NET_ADMIN # required by load-balancer and nfqlb
- - DAC_OVERRIDE # required by load-balancer to use nsm-socket and by debug tools netstat, ss
 - IPC_LOCK # required by nfqlb because of shared-mem
 - IPC_OWNER # required by nfqlb because of shared-mem
- - NET_RAW # required by debug tools tcpdump, ping
- - SYS_PTRACE # required by debug tools netstat, ss to list process names/ids
+ - DAC_OVERRIDE # required by debug tools (netstat, ss)
+ - NET_RAW # required by debug tools (tcpdump, ping)
+ - SYS_PTRACE # required by debug tools (netstat, ss to list process names/ids)
 terminationMessagePath: /dev/termination-log
 terminationMessagePolicy: File
 - name: nsc
@@ -168,9 +168,6 @@ spec:
 capabilities:
 drop:
 - all
- add:
- - DAC_OVERRIDE
- - NET_RAW
 terminationMessagePath: /dev/termination-log
 terminationMessagePolicy: File
 - name: fe
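Review bot: The three entries in the ipam container's `add:` list are, by the new comments themselves, justified only by debug tools (netstat, ss, ping), so the base manifest grants DAC_OVERRIDE, NET_RAW and SYS_PTRACE to a workload that does not need them for its own function; the same applies to the nsp hunk and to the fe container hunk in lb-fe.yaml. SYS_PTRACE in particular lets a process in the container inspect other processes in the same pid namespace, which is a wider grant than "list process names in ss" suggests. If the tooling is meant to stay available in every deployment, make that explicit so the grant is not read as a functional requirement, e.g. `# debug-only: not needed by ipam itself, drop in hardened deployments`; otherwise consider keeping the base manifest at `drop: [all]` with no additions and supplying these entries from a debug overlay.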
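Review bot: The rewritten DAC_OVERRIDE comment in the load-balancer container drops the previous justification `required by load-balancer to use nsm-socket` while keeping the capability, so the new text `required by debug tools (netstat, ss)` now reads as if DAC_OVERRIDE could be removed together with the debug tools, which would break NSM socket access if that requirement still holds. The proxy.yaml hunk makes the same change to its DAC_OVERRIDE comment. If the nsm-socket requirement has genuinely gone away (the commit description is not in view), that is worth stating in the commit message; if it has not, keep the functional reason in the comment, e.g. `- DAC_OVERRIDE # required by load-balancer to use nsm-socket, and by debug tools (netstat, ss)`.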
@@ -245,9 +242,9 @@ spec:
 add:
 - NET_ADMIN # required by frontend and bird
 - NET_BIND_SERVICE # required by bird to support binding to classic BGP port number 173
- - DAC_OVERRIDE # required by debug tools netstat, ss
- - NET_RAW # required by debug tools tcpdump, ping
- - SYS_PTRACE # required by debug tools netstat, ss to list process names/ids
+ - DAC_OVERRIDE # required by debug tools (netstat, ss)
+ - NET_RAW # required by debug tools (tcpdump, ping)
+ - SYS_PTRACE # required by debug tools (netstat, ss to list process names/ids)
 volumeMounts:
 - name: spire-agent-socket
 mountPath: /run/spire/sockets
diff --git a/config/manager/deployment/nsp.yaml b/config/manager/deployment/nsp.yaml
index 2e75b0f..8914383 100644
--- a/config/manager/deployment/nsp.yaml
+++ b/config/manager/deployment/nsp.yaml
@@ -97,9 +97,9 @@ spec:
 drop:
 - all
 add:
- - DAC_OVERRIDE # required by debug tools netstat, ss
- - NET_RAW # required by debug tool ping
- - SYS_PTRACE # required by debug tools netstat, ss to list process names/ids
+ - DAC_OVERRIDE # required by debug tools (netstat, ss)
+ - NET_RAW # required by debug tool (ping)
+ - SYS_PTRACE # required by debug tools (netstat, ss to list process names/ids)
 dnsPolicy: ClusterFirst
 restartPolicy: Always
 schedulerName: default-scheduler
diff --git a/config/manager/deployment/proxy.yaml b/config/manager/deployment/proxy.yaml
index 3d215f3..2e75746 100644
--- a/config/manager/deployment/proxy.yaml
+++ b/config/manager/deployment/proxy.yaml
@@ -122,9 +122,9 @@ spec:
 - all
 add:
 - NET_ADMIN # required by proxy
- - DAC_OVERRIDE # required by proxy to use nsm-socket and by debug tools netstat, ss
- - NET_RAW # required by debug tools tcpdump, ping
- - SYS_PTRACE # required by debug tools netstat, ss to list process names/ids
+ - DAC_OVERRIDE # required by debug tools (netstat, ss)
+ - NET_RAW # required by debug tools (tcpdump, ping)
+ - SYS_PTRACE # required by debug tools (netstat, ss to list process names/ids)
 securityContext:
 fsGroup: 2000
 fsGroupChangePolicy: "OnRootMismatch"