From b87a4ff644ba9e3af536cff3ba8d982b046dbfc0 Mon Sep 17 00:00:00 2001 From: anjmao Date: Thu, 4 Jan 2024 13:38:44 +0100 Subject: [PATCH 1/2] Use privileged by default --- charts/egressd/values.yaml | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/charts/egressd/values.yaml b/charts/egressd/values.yaml index c3eb926..3a396f2 100644 --- a/charts/egressd/values.yaml +++ b/charts/egressd/values.yaml @@ -56,17 +56,18 @@ collector: # fsGroup: 2000 containerSecurityContext: - privileged: false + privileged: true readOnlyRootFilesystem: true - capabilities: - drop: - - all - add: - - NET_ADMIN # Needed for reading conntrack. - - SYS_PTRACE # Needed for reading conntrack. - - SYS_ADMIN # Needed for reading conntrack and ebpf. - - BPF # Needed for reading ebpf. - - PERFMON # Needed for reading ebpf. + # If privileged is not allowed these capabilities can be set instead. +# capabilities: +# drop: +# - all +# add: +# - NET_ADMIN # Needed for reading conntrack. +# - SYS_PTRACE # Needed for reading conntrack. +# - SYS_ADMIN # Needed for reading conntrack and ebpf. +# - BPF # Needed for reading ebpf. +# - PERFMON # Needed for reading ebpf. resources: requests: From d84067df0c1037c5faa864b55fcbccc76a07128d Mon Sep 17 00:00:00 2001 From: anjmao Date: Thu, 4 Jan 2024 14:16:31 +0100 Subject: [PATCH 2/2] Do not run on fargate nodes --- charts/egressd/values.yaml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/charts/egressd/values.yaml b/charts/egressd/values.yaml index 3a396f2..e2c080e 100644 --- a/charts/egressd/values.yaml +++ b/charts/egressd/values.yaml @@ -81,7 +81,15 @@ collector: tolerations: - operator: Exists - affinity: { } + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - fargate dnsPolicy: ClusterFirstWithHostNet
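Review bot: The new default `privileged: true` under `containerSecurityContext` grants the collector every capability plus host device access and disables the default seccomp/AppArmor confinement, which is far broader than the five capabilities the now-commented list granted, and the retained `readOnlyRootFilesystem: true` does little against a privileged container. A user who uncomments the capability block must also set `privileged: false`, otherwise the added capabilities are moot, so the comment should say that, e.g. `# Set privileged: false and uncomment the capabilities below to run with the minimum set instead.` Note too that a Helm override setting only `collector.containerSecurityContext.capabilities` merges with this default and still yields a privileged container. Neither the commit message nor the comment records what failed with the capability-only form; documenting that (or keeping `privileged: false` as the default with privileged as an opt-in) would let operators under Pod Security Admission, which rejects privileged containers at the baseline level, make an informed choice.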
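Review bot: The required node-affinity term added under `affinity:` lives in a list (`nodeSelectorTerms`), and Helm replaces lists from user values rather than merging them, so any override of `collector.affinity` silently drops the Fargate exclusion; that deserves a comment above `affinity:`, e.g. `# Excludes EKS Fargate nodes; a user-supplied affinity replaces this term rather than extending it.` The commit message does not say why Fargate is excluded — presumably because Fargate cannot run the privileged, host-network collector this chart appears to deploy (`dnsPolicy: ClusterFirstWithHostNet`) — and a one-line reason would help the next maintainer. `NotIn` also matches nodes that lack the `eks.amazonaws.com/compute-type` label entirely, which is what keeps this default safe on non-EKS clusters and is worth stating in the same comment. The enclosing `collector:` map starts before this hunk.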