[release/v1.1] docs: add Linux capabilities config for pyroscope.java (…

…#1856) Co-authored-by: Clayton Cornell <[email protected]> Co-authored-by: Marc Sanmiquel <[email protected]>
grafana · Oct 9, 2024 · f2859a2 · f2859a2
1 parent fe7db4a
commit f2859a2
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/docs/sources/reference/components/pyroscope/pyroscope.java.md b/docs/sources/reference/components/pyroscope/pyroscope.java.md
@@ -37,6 +37,30 @@ When you use `pyroscope.java` to profile Java applications, you can configure th
 
 For more details, refer to [Restrictions/Limitations](https://github.com/async-profiler/async-profiler?tab=readme-ov-file#restrictionslimitations) in the async-profiler documentation.
 
+## Additional Configuration for Linux Capabilities
+
+If your Kubernetes environment has Linux capabilities enabled, configure the following in your Helm values to ensure `pyroscope.java` functions properly:
+
+```yaml
+alloy:
+  securityContext:
+    runAsUser: 0
+    runAsNonRoot: false
+    capabilities:
+      add:
+        - PERFMON
+        - SYS_PTRACE
+        - SYS_RESOURCE
+        - SYS_ADMIN
+```
+These capabilities enable {{< param "PRODUCT_NAME" >}} to access performance monitoring subsystems, trace processes, override resource limits, and perform necessary system administration tasks for profiling.
+
+{{< admonition type="note" >}}
+Adjust capabilities based on your specific security requirements and environment, following the principle of least privilege.
+The capability behavior depends on Container Runtime Interface (CRI) settings.
+For example, in Docker, capabilities that are not on the allowlist are dropped by default.
+{{< /admonition >}}
+
 ## Arguments
 
 The following arguments are supported: