Security concerns when running grafana agent as agent as root and inside host pid namespace

[megalucio]

Have some concerns regarding having to run agent as root and inside host pid namespace in production environments, as stated as requirement here. Is there any way we can work around this?

Would it be possible to narrow down this to some specific privileges and/or capabilities that will be needed in order to assign the minimum amount of permissions here.

Thanks

[korniltsev]

With this fix d58b751 You can now run agent NOT in root pid namespace.

If you can not run agent as privileged root user, you would likely need CAP_BPF and CAP_PERFMON and kernel >= 5.8 and also modify seccomp policies (probably to allow ptrace and access to /proc/${pid}/mem and /proc/${pid}/root ) .

In my opinion, this set of capabilities is no different from privileged root user so I can not recommend narrowing down prigileges.