Prisma Cloud Compute: ECS Defender "Error en un componente de Defender" cuando se implementa con privilegios falsos

Prisma Cloud Compute: ECS Defender "Error en un componente de Defender" cuando se implementa con privilegios falsos

937
Created On 01/07/25 16:36 PM - Last Modified 02/10/26 21:22 PM


Symptom


Al implementar el ECS Defender DaemonSet con "privileged": false, los usuarios pueden ver "Error en un componente Defender":

Y errores como el siguiente:

ERRO 2025-01-07T16:18:48.588 defender.go:269 Failed to fetch cluster: readlink /proc/1/root: permission denied
ERRO 2025-01-07T16:18:48.593 defender.go:283 Failed to find OS distribution info: failed to read release data file open /proc/1/root/etc/os-release: permission denied
ERRO 2025-01-07T16:18:48.636 defender.go:508 Failed to get host security options: could not open /sys/module/apparmor/parameters/enabled: readlink /proc/1/root: permission denied
ERRO 2025-01-07T16:18:48.636 defender.go:570 Failed to check for prevent compatibility failed to find host config value of CONFIG_FANOTIFY_ACCESS_PERMISSIONS: exit status 1
ERRO 2025-01-07T16:18:48.637 defender.go:825 Failed to create firewall manager: open /proc/1/root/sys/fs/cgroup/memory/ecs/db7be44845fb461b937e0c62eb1d3fbb/c4c17782ac01d5d7e78ee2f76f6346c26602b30837e859130d4bfbb621e30d94/memory.limit_in_bytes: permission denied
ERRO 2025-01-07T16:18:49.671 defender.go:1092 Failed to enable process monitoring. failed to find mnt namespace for current process: readlink /proc/1/ns/pid: permission denied
ERRO 2025-01-07T16:18:49.674 defender.go:1158 Failed to initialize networking: failed to initialize host network data readlink /proc/1/ns/net: permission denied
ERRO 2025-01-07T16:18:49.675 defender.go:1186 Failed to init filesystem monitor readlink /proc/1/ns/pid: permission denied

Environment

Cause


Estos errores ocurren cuando privileged se establece en "false" en ecs-task.json:

      "privileged": false,

Resolution


Establezca el privilegio en "verdadero" y reconfigure el servicio para utilizar la nueva revisión de definición de tarea:

 "privileged": true,

Additional Information


Una solución alternativa es agregar las siguientes capacidades/líneas a la definición de la tarea:

            "linuxParameters": {
                "capabilities": {
                    "add": [
                        "NET_ADMIN",
                        "NET_RAW",
                        "SYS_ADMIN",
                        "SYS_PTRACE",
                        "SYS_CHROOT",
                        "MKNOD",
                        "SETFCAP",
                        "IPC_LOCK"
                    ],
                    "drop": []
                }
            },
            "privileged": false,
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000PR14CAG&lang=es&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language