docs(runbook): eBPF profiling — seccomp gap + node-isolation correction#486
Conversation
…tion claim Two additions to §6 of the gas-vs-execution-time runbook, from the CON-368 follow-on profiling review: - Step 3: narrowing from --profile=sysadmin to CAP_BPF+CAP_PERFMON is not sufficient alone — RuntimeDefault seccomp blocks bpf()/perf_event_open() behind CAP_SYS_ADMIN, so the narrowed pod needs seccompProfile: Unconfined (or a curated allowlist) or it silently EPERMs. This bit is easy to misread as a missing-capability bug. - Step 2: the sei-node/sei-archive taint is not single-tenancy (repels non-Sei pods only; pod-identity DaemonSet + other Sei pods co-reside and are kernel-readable). Name the real primitive (sei.io/dedicated-node annotation) and the two accepted residuals (IMDS/node-IAM-role, co-resident DaemonSets), pointing at PLT-801 for the closed version. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
PR SummaryLow Risk Overview Step 2 replaces the idea that Step 3 documents prerequisites when dropping No runtime or procedure changes—documentation only. Reviewed by Cursor Bugbot for commit a46b546. Bugbot is set up for automated code reviews on this repo. Configure here. |
…se, IMDS residual Three independent xreview lenses (systems-engineer, security-specialist, prose-steward) dissented on the first draft. Fixes: - CAP_SYS_PTRACE: a uprobe on non-root seid via /proc/<pid>/root is ptrace_may_access-gated, so the two-cap grant is NOT sufficient for the headline probe — CAP_SYS_PTRACE (or matching uid) is also needed. Kernel probes are fine on the two caps. - seccomp: --profile=sysadmin unconfines seccomp as a side-effect of privileged:true (not an explicit field); and on harbor (no PSS, Bottlerocket seccomp-default off) the debug container likely runs Unconfined already, so the RuntimeDefault EPERM may never appear. Split-caps is no stricter than sysadmin on the seccomp axis. - IMDS residual: hop-limit-1 does NOT close the node-role path in a PSS-less eng namespace (hostNetwork bypass; CAP_PERFMON reads creds from kernel memory independent of IMDS). Node role is reachable regardless — escalate, don't self-mitigate. Residuals reframed as surface-for-sign-off, not self-accept. - Prose: bolded the load-bearing imperatives; 'namespace' not 'node pool'. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…R2 prose polish) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Two additions to §6 of the gas-vs-execution-time benchmarking runbook, surfaced by the CON-368 follow-on profiling review with security-specialist + platform-engineer. Both live in the gap between the runbook's (correct) advice to minimize the capability grant and what actually makes the minimized grant work.
Step 3 — seccomp (the one that bites). The runbook already says to prefer
CAP_BPF+CAP_PERFMONover--profile=sysadmin. But narrowing the caps isn't sufficient: the container'sRuntimeDefaultseccomp profile blocksbpf()andperf_event_open()behindCAP_SYS_ADMIN, so a pod with only the two caps and default seccompEPERMs on exactly the syscalls bpftrace/BCC need.--profile=sysadminworks because it also setsseccompProfile: Unconfined; the moment you drop to the two caps you must set that (or a curated allowlist) explicitly. Added so the next person doesn't read the silent failure as a missing-capability bug.Step 2 — node isolation. The prior text claimed the
sei-node/sei-archivepool is 'already tainted/dedicated'. That taint only repels non-Sei pods — other Sei-managed pods and the node's own DaemonSets (eks-pod-identity-agent,cilium-agent) still co-reside, and the pod-identity agent's cached AWS creds are kernel-readable from aCAP_PERFMONpod. Corrected to name the real single-tenant primitive (thesei.io/dedicated-nodeannotation → hostname anti-affinity) and the two accepted residuals (IMDS→node-IAM-role, co-resident DaemonSets), pointing at PLT-801 for the closed version.No procedure changed — this sharpens the privileged-attach gate so a scoped-down attach actually runs. Docs-only.
🤖 Generated with Claude Code