Problem with applying LSM policies in k8s cluster #3392

Open
anfedotoff opened this issue Feb 13, 2025 · 0 comments · May be fixed by #3404
Labels
kind/bug Something isn't working

Comments

Contributor

anfedotoff commented Feb 13, 2025

What happened?

To verify if LSM BPF is enabled, we need to check the contents of /sys/kernel/security/lsm:

b, err := os.ReadFile("/sys/kernel/security/lsm")

This file is not mounted to the container so policy load is failing. Slack thread.

Tetragon Version

1.3.0

Kernel Version

5.15.0-130-generic

Kubernetes Version

v1.30.9

Bugtool

No response

Relevant log output

Anything else?

Hot Fix that worked:

helm upgrade tetragon cilium/tetragon -n kube-system --set=extraVolumes[0].name="security" --set extraVolumes[0].path="/sys/kernel/security" --set extraVolumes[0].type=Directory --set=extraHostPathMounts[0].mountPath="/sys/kernel/security" --set=extraHostPathMounts[0].name="security"

I see two options:

  1. We can add this mount to helm chart. (I prefer this)
  2. We can add the fix above to documentation. If users want to use LSM BPF in k8s, just add this directory to mountPath.
@anfedotoff anfedotoff added the kind/bug Something isn't working label Feb 13, 2025
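
A check of the kind the issue describes, as an added example that is not Tetragon's code: it reads the comma-separated LSM list and reports a missing file (the unmounted `/sys/kernel/security` case from this issue) as a distinct error instead of treating it as "BPF LSM disabled". The names `bpfLSMEnabled`, `parseLSMList` and `ErrSecurityfsMissing` are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"strings"
)

// lsmListPath is the securityfs file named in the issue.
const lsmListPath = "/sys/kernel/security/lsm"

// ErrSecurityfsMissing: the file is absent from this mount namespace (says nothing about the host).
var ErrSecurityfsMissing = errors.New("LSM list not visible, securityfs not mounted in container")

// parseLSMList splits the kernel's comma-separated list, e.g. "lockdown,capability,yama,bpf".
func parseLSMList(raw []byte) []string {
	var out []string
	for _, name := range strings.Split(strings.TrimSpace(string(raw)), ",") {
		if name = strings.TrimSpace(name); name != "" {
			out = append(out, name)
		}
	}
	return out
}

// bpfLSMEnabled (hypothetical helper) reports whether "bpf" is in the active LSM list.
// A missing file is returned as ErrSecurityfsMissing so callers can tell it apart from "disabled".
func bpfLSMEnabled(path string) (bool, error) {
	raw, err := os.ReadFile(path)
	if errors.Is(err, fs.ErrNotExist) {
		return false, fmt.Errorf("%s: %w", path, ErrSecurityfsMissing)
	}
	if err != nil {
		return false, fmt.Errorf("reading %s: %w", path, err)
	}
	for _, name := range parseLSMList(raw) {
		if name == "bpf" {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	enabled, err := bpfLSMEnabled(lsmListPath)
	fmt.Println("BPF LSM enabled:", enabled, "err:", err)
}
```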