Comments (4)
Thanks @fandujar. I started playing around with mizu a few mins back. I don't have permission on ALL resources on the cluster but I am limited to a specific namespace. I was wondering what permission it would need to run mizu?
I see the error below even when I specify the namespace using the -n option
$ ./mizu tap "shopping-cart-*" -A -n ksudhir007
Tapping pods in all namespaces
warning: could not ensure mizu rbac resources exist serviceaccounts "mizu-service-account" is forbidden: User "ksudhir007" cannot get resource "serviceaccounts" in API group "" in the namespace "default"
Error creating mizu tapper daemonset: daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot patch resource "daemonsets" in API group "apps" in the namespace "default"
Removing mizu resources
Error removing DaemonSet mizu-tapper-daemon-set in namespace default: daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default" (daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default",daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default")
Happy to update the documentation once I find the answer.
from kubeshark.
Opened pull request #114
from kubeshark.
The minimum permissions needed are (currently for the default namespace, will be configurable later on):
- apiGroups:
  - ""
  - apps
  resources:
  - pods
  - services
  verbs:
  - list
  - get
  - create
  - delete
- apiGroups:
  - ""
  - apps
  resources:
  - daemonsets
  verbs:
  - list
  - get
  - create
  - patch
  - delete
You won't be able to run mizu at all without these resources.
For traffic IP to k8s service name resolving to work, you'll need these optional permissions:
- apiGroups:
  - ""
  - apps
  - "rbac.authorization.k8s.io"
  resources:
  - clusterroles
  - clusterrolebindings
  - serviceaccounts
  verbs:
  - get
  - create
  - delete
This will allow mizu to create the necessary RBAC resources that give mizu permissions to watch the cluster's pods, services and endpoints in order to resolve traffic IPs.
from kubeshark.
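An added example, not part of the thread or of mizu's own code: it parses the RBAC denials quoted in the first comment into Role-style rules and compares them with the verbs listed in the reply above. The names `denied_rules`, `unobserved` and `REPLY_VERBS` are made up for this sketch.

```python
import re
from collections import defaultdict

# RBAC denial message format, as it appears in the mizu output quoted in this thread.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"'
)

# Error lines from the first comment; the repeated tail of the last line is trimmed.
SAMPLE_LOG = "\n".join([
    'warning: could not ensure mizu rbac resources exist serviceaccounts "mizu-service-account" is forbidden: User "ksudhir007" cannot get resource "serviceaccounts" in API group "" in the namespace "default"',
    'Error creating mizu tapper daemonset: daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot patch resource "daemonsets" in API group "apps" in the namespace "default"',
    'Error removing DaemonSet mizu-tapper-daemon-set in namespace default: daemonsets.apps "mizu-tapper-daemon-set" is forbidden: User "ksudhir007" cannot list resource "daemonsets" in API group "apps" in the namespace "default"',
])

# Verbs per resource as listed in the maintainer's reply (minimum and optional sets).
REPLY_VERBS = {
    "pods": {"list", "get", "create", "delete"},
    "services": {"list", "get", "create", "delete"},
    "daemonsets": {"list", "get", "create", "patch", "delete"},
    "clusterroles": {"get", "create", "delete"},
    "clusterrolebindings": {"get", "create", "delete"},
    "serviceaccounts": {"get", "create", "delete"},
}

def denied_rules(log):
    """Group denials into Role-style rules: {(user, namespace): [rule, ...]}."""
    verbs = defaultdict(set)
    for m in FORBIDDEN.finditer(log):
        verbs[(m["user"], m["ns"], m["group"], m["resource"])].add(m["verb"])
    rules = defaultdict(list)
    for (user, ns, group, resource), seen in sorted(verbs.items()):
        rules[(user, ns)].append(
            {"apiGroups": [group], "resources": [resource], "verbs": sorted(seen)})
    return dict(rules)

def unobserved(rules):
    """Verbs the reply lists that never showed up in a denial, per resource."""
    seen = defaultdict(set)
    for rule in rules:
        for resource in rule["resources"]:
            seen[resource].update(rule["verbs"])
    return {r: sorted(v - seen[r]) for r, v in REPLY_VERBS.items() if v - seen[r]}

if __name__ == "__main__":
    for (user, ns), rules in denied_rules(SAMPLE_LOG).items():
        print(user, ns, rules)
        print("listed in the reply but never denied in this run:", unobserved(rules))
```

A denial only appears for an API call that was actually attempted, so rules derived from error output are a lower bound on what the tool needs. Every denial in the sample names the `default` namespace even though `-n ksudhir007` was passed, which matches the reply's note that the namespace is not yet configurable.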
Thanks @RamiBerm - this issue can be closed - both pull requests are merged.
from kubeshark.