Potential Denial of Service via unrestricted CPU/memory and root user execution

[zyue110026]

We identified the usage of a combination of configuration parameters:

Undefined runAsUser  
Undefined runAsNonRoot  
Undefined readOnlyRootFilesystem  
[missing] resources.limits  

If parameters are undefined, Kubernetes will apply default values

This combination may result in resource exhaustion (CPU/memory) and privileged container execution, which can crash pods or destabilize the node (Denial of Service). Malicious or misbehaving containers can consume excessive resources or manipulate the filesystem, leading to unplanned outages or degraded performance.

We provide supporting evidence from https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-13/denial-of-service-memory-and-cpu-resources-in-kubernetes-cluster which demonstrates how missing resource constraints and running as root can be abused to perform DoS attacks on nodes.

Even though the feature defaults to enabled: false, users who enable it without configuring resources or securityContext risk node-level DoS and privileged container execution.

Expected Behavior:
Containers should be deployed with defined resource requests and limits to enforce fair CPU/memory usage.
The securityContext should not rely on defaults.

Location:

opentelemetry-helm-charts/charts/opentelemetry-ebpf/values.yaml

Lines 64 to 78 in ddda95b

	cloudCollector:
	enabled: false
	image:
	registry: ""
	tag: ""
	name: opentelemetry-ebpf-cloud-collector
	serviceAccount:
	create: true
	name: ""
	annotations: {}
	## eks.amazonaws.com/role-arn: "role-arn-name"
	tolerations: []
	affinity: {}

opentelemetry-helm-charts/charts/opentelemetry-ebpf/templates/cloud-collector-deployment.yaml

Line 105 in ddda95b

securityContext: {}

[TylerHelmuth]

Most of our charts dont set default resources but instead warn users if resources are not set.

I'm not sure what the permissions of the ebpf agent are, can it run as non-root?

[zyue110026]

Most of our charts dont set default resources but instead warn users if resources are not set.

I'm not sure what the permissions of the ebpf agent are, can it run as non-root?

Thanks! The PR is a suggestion to improve security by setting runAsUser, runAsNonRoot, etc. If root is required, we should minimize privileges by dropping capabilities, using readOnlyRootFilesystem: false, and running with the least necessary access.