Prisma Cloud Compute: ECS Defender reports "Error in Defender component" when deployed with privileged set to false


Created On 01/07/25 16:36 PM - Last Modified 02/10/26 21:22 PM


Symptom


When the ECS Defender DaemonSet is deployed with "privileged": false, users may see "Error in Defender component".

Errors like the following appear in the Defender log:

ERRO 2025-01-07T16:18:48.588 defender.go:269 Failed to fetch cluster: readlink /proc/1/root: permission denied
ERRO 2025-01-07T16:18:48.593 defender.go:283 Failed to find OS distribution info: failed to read release data file open /proc/1/root/etc/os-release: permission denied
ERRO 2025-01-07T16:18:48.636 defender.go:508 Failed to get host security options: could not open /sys/module/apparmor/parameters/enabled: readlink /proc/1/root: permission denied
ERRO 2025-01-07T16:18:48.636 defender.go:570 Failed to check for prevent compatibility failed to find host config value of CONFIG_FANOTIFY_ACCESS_PERMISSIONS: exit status 1
ERRO 2025-01-07T16:18:48.637 defender.go:825 Failed to create firewall manager: open /proc/1/root/sys/fs/cgroup/memory/ecs/db7be44845fb461b937e0c62eb1d3fbb/c4c17782ac01d5d7e78ee2f76f6346c26602b30837e859130d4bfbb621e30d94/memory.limit_in_bytes: permission denied
ERRO 2025-01-07T16:18:49.671 defender.go:1092 Failed to enable process monitoring. failed to find mnt namespace for current process: readlink /proc/1/ns/pid: permission denied
ERRO 2025-01-07T16:18:49.674 defender.go:1158 Failed to initialize networking: failed to initialize host network data readlink /proc/1/ns/net: permission denied
ERRO 2025-01-07T16:18:49.675 defender.go:1186 Failed to init filesystem monitor readlink /proc/1/ns/pid: permission denied


Environment




Cause


These errors occur when privileged is set to "false" in ecs-task.json:

      "privileged": false,



Resolution


Set privileged to "true" and reconfigure the service to use the new task definition revision:

 "privileged": true,



Additional Information


Another solution is to keep "privileged": false and add the capabilities below to the task definition, so the Defender container receives only the Linux capabilities it needs instead of full privileged access:

            "linuxParameters": {
                "capabilities": {
                    "add": [
                        "NET_ADMIN",
                        "NET_RAW",
                        "SYS_ADMIN",
                        "SYS_PTRACE",
                        "SYS_CHROOT",
                        "MKNOD",
                        "SETFCAP",
                        "IPC_LOCK"
                    ],
                    "drop": []
                }
            },
            "privileged": false,
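As an added example (not from this article and not Palo Alto Networks' own tooling), the following Python check reads an ECS task definition and reports, per container, whether it either runs privileged or carries the full capability set listed above, so a misconfigured revision can be caught before the service is updated. The sample task definition and its container names are constructed for the example.

```python
import json
from typing import Dict, List, Optional

# Capabilities the article lists as the alternative to "privileged": true.
REQUIRED_CAPS = {
    "NET_ADMIN", "NET_RAW", "SYS_ADMIN", "SYS_PTRACE",
    "SYS_CHROOT", "MKNOD", "SETFCAP", "IPC_LOCK",
}


def check_container(container: Dict) -> Dict:
    """Return a verdict for one containerDefinitions entry."""
    privileged = bool(container.get("privileged", False))
    caps = (container.get("linuxParameters") or {}).get("capabilities") or {}
    added = set(caps.get("add") or [])
    dropped = set(caps.get("drop") or [])
    # A capability that is both added and dropped is not effective.
    missing = sorted(REQUIRED_CAPS - (added - dropped))
    ok = privileged or not missing
    return {"name": container.get("name"), "privileged": privileged,
            "missing": [] if privileged else missing, "ok": ok}


def check_task_definition(task_def: Dict, container_name: Optional[str] = None) -> List[Dict]:
    """Check every container (or only `container_name`) in a task definition."""
    results = []
    for c in task_def.get("containerDefinitions", []):
        if container_name and c.get("name") != container_name:
            continue
        results.append(check_container(c))
    return results


# Constructed sample task definition (container names are assumptions, not real names).
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "example-defender",
  "containerDefinitions": [
    {"name": "defender-privileged", "privileged": true},
    {"name": "defender-caps", "privileged": false,
     "linuxParameters": {"capabilities": {"add": ["NET_ADMIN", "NET_RAW", "SYS_ADMIN",
       "SYS_PTRACE", "SYS_CHROOT", "MKNOD", "SETFCAP", "IPC_LOCK"], "drop": []}}},
    {"name": "defender-broken", "privileged": false}
  ]
}
""")

if __name__ == "__main__":
    for r in check_task_definition(SAMPLE_TASK_DEF):
        status = "OK" if r["ok"] else "WILL FAIL: missing " + ", ".join(r["missing"])
        print(f"{r['name']}: privileged={r['privileged']} {status}")
```

On a real task definition, pass the output of `aws ecs describe-task-definition` (the `taskDefinition` object) to `check_task_definition` with the Defender container's name.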


