How to run packetbeat as non-root in Kubernetes?

Hi,

I want to run packetbeat as a non-root user because of a security issue, and I didn't find any solution for how to do it.
I tried to use these securityContext settings and I received this error.

spec:
  containers:
    - name: packetbeat-dynamic
      image: docker.elastic.co/beats/packetbeat-oss:8.3.1
      securityContext:
        capabilities:
          add:
            - NET_ADMIN
            - NET_RAW
            - NET_BIND_SERVICE
        privileged: false
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        allowPrivilegeEscalation: false
  securityContext:   # pod-level securityContext
    fsGroup: 1000

{"log.level":"error","@timestamp":"2022-07-28T11:47:13.831Z","log.origin":{"file.name":"instance/beat.go","file.line":1051},"message":"Exiting: sniffer loop failed: Error starting sniffer: any: You don't have permission to capture on that device (socket: Operation not permitted)","service.name":"packetbeat","ecs.version":"1.6.0"}

Exiting: sniffer loop failed: Error starting sniffer: any: You don't have permission to capture on that device (socket: Operation not permitted)

It works if I run it as root user like:

securityContext: 
  runAsUser: 0
  capabilities:
    add:
    - NET_ADMIN

It also works if I run it as a privileged user, but as I understand it, that's almost the same as running it as the root user:

securityContext:
  capabilities:
    add:
      - NET_ADMIN
  privileged: true
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: true
  allowPrivilegeEscalation: true

Is it possible to run it as non-root user?
Does anyone know how to do it? Any examples will be helpful :slight_smile:

Thanks in advance!
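The "socket: Operation not permitted" error above means the packetbeat process does not hold CAP_NET_RAW (and CAP_NET_ADMIN) in its effective capability set. securityContext.capabilities.add only places capabilities in the container's bounding set; when the runtime execs the binary as UID 1000, the kernel recomputes the process's sets from the file's capability bits (plus the ambient set, which Kubernetes does not let you configure), so without file capabilities on the packetbeat binary the effective set ends up empty even though the bounding set allows the capabilities. The quickest way to confirm which case you are in is to read the Cap* lines of the sniffer process from /proc. The script below is an added example, not code from the post or from Elastic: it decodes those lines and reports whether the effective set is sufficient. The two status texts are constructed samples (a root container and the non-root manifest from the post, assuming the runtime's default bounding set plus NET_ADMIN); the real input is `kubectl exec <pod> -c packetbeat-dynamic -- cat /proc/1/status` (assuming packetbeat is PID 1 in the container).

```shell
#!/bin/sh
# Added example (not from the original post): decode the capability masks the
# kernel reports in /proc/<pid>/status and check whether the sniffer process
# holds CAP_NET_RAW and CAP_NET_ADMIN in its *effective* set.

CAP_NET_ADMIN=12   # bit numbers from <linux/capability.h>
CAP_NET_RAW=13

# cap_has MASK_HEX BIT: succeed if BIT is set in the 64-bit capability mask
cap_has() {
    [ -n "$1" ] || return 1
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# cap_field STATUS_TEXT NAME: print the hex mask of e.g. CapEff from a status dump
cap_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p"
}

# cap_names MASK_HEX: print which of the two capabilities we care about are set
cap_names() {
    cnames=""
    cap_has "$1" $CAP_NET_ADMIN && cnames="$cnames NET_ADMIN"
    cap_has "$1" $CAP_NET_RAW && cnames="$cnames NET_RAW"
    printf '%s\n' "${cnames# }"
}

# check_sniffer_caps STATUS_TEXT: 0 if the effective set has both caps, 1 otherwise,
# with a hint about whether the bounding set (capabilities.add) is the problem
check_sniffer_caps() {
    eff=$(cap_field "$1" CapEff)
    bnd=$(cap_field "$1" CapBnd)
    if cap_has "$eff" $CAP_NET_RAW && cap_has "$eff" $CAP_NET_ADMIN; then
        echo "OK: effective set holds $(cap_names "$eff")"
        return 0
    fi
    echo "FAIL: effective set holds only '$(cap_names "$eff")'"
    if cap_has "$bnd" $CAP_NET_RAW && cap_has "$bnd" $CAP_NET_ADMIN; then
        echo "  bounding set allows them: capabilities.add worked, but the non-root"
        echo "  process dropped them on execve; the binary needs file capabilities"
    else
        echo "  bounding set lacks them too: fix securityContext.capabilities.add"
    fi
    return 1
}

# Constructed sample: root container with NET_ADMIN added (default set = a80425fb,
# NET_ADMIN is bit 12 -> a80435fb). Values are illustrative, not captured output.
ROOT_STATUS="Name: packetbeat
Uid: 0 0 0 0
CapInh: 0000000000000000
CapPrm: 00000000a80435fb
CapEff: 00000000a80435fb
CapBnd: 00000000a80435fb
CapAmb: 0000000000000000"

# Constructed sample: same manifest with runAsUser 1000 and no file capabilities;
# the bounding set still allows the caps but the process lost them on exec.
NONROOT_STATUS="Name: packetbeat
Uid: 1000 1000 1000 1000
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80435fb
CapAmb: 0000000000000000"

# Demo on the samples; in a pod, feed it "$(kubectl exec <pod> -- cat /proc/1/status)"
check_sniffer_caps "$ROOT_STATUS" || true
check_sniffer_caps "$NONROOT_STATUS" || true
```

If the check shows the "bounding set allows them" case, the usual remedy is a derived image that sets file capabilities on the binary (`setcap cap_net_raw,cap_net_admin=eip /usr/share/packetbeat/packetbeat`, verifiable with `getcap` on the same path; check first whether the image you use already carries them), while keeping NET_RAW and NET_ADMIN in `capabilities.add`. Keeping both matters with `allowPrivilegeEscalation: false`: under no_new_privs the kernel lets file capabilities restore only capabilities that were already in the process's permitted set before the exec, which is exactly what `capabilities.add` provides. This is the standard Linux capability behaviour, not something specific to packetbeat, and it is my reading of the exec rules rather than anything stated in the post.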
