Update agent manifests: document FARCASTER_FORCE_TCP, clarify API URL default, remove privileged init and disable privilege escalation (#43)

Author: poupas

compose/docker-compose.yml

@@ -12,7 +12,10 @@ services:
     #   Learn more at https://help.probely.com/en/articles/6503388-how-to-install-a-scanning-agent
     #
     #   FARCASTER_API_URL
-    #   Probely's API URL
+    #   Probely's API URL. If not set, the Agent will use the API URLs for all regions.
+    #
+    #   FARCASTER_FORCE_TCP
+    #   If set to true, the Agent will use TCP to connect to Probely.
     #
     #   HTTP_PROXY (optional)
     #   An advanced option that can be used to configure an HTTP proxy for the Agent to connect to Probely.
@@ -25,7 +28,8 @@ services:
     tmpfs:
     - /run
     cap_add:
-    - NET_ADMIN
+      # Required for kernel support. If you remove this, the Agent will fall back to a userspace TCP/IP stack.
+      - NET_ADMIN
     restart: unless-stopped
 
 volumes:

contrib/kubernetes/agent-depl.yml

@@ -13,18 +13,6 @@ spec:
       labels:
         app: farcaster-agent
     spec:
-      initContainers:
-      - name: init
-        image: busybox:stable
-        command:
-        - sh
-        - -c
-        - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1
-        securityContext:
-          privileged: true
-          capabilities:
-            add:
-            - NET_ADMIN
       containers:
       - name: agent
         image: probely/farcaster-onprem-agent:v3
@@ -35,16 +23,12 @@ spec:
             secretKeyRef:
               name: farcaster-secrets
               key: token
-        - name: DISABLE_FIREWALL
-          value: "0"
         resources:
           requests:
             cpu: "1"
             memory: "128Mi"
         securityContext:
-          capabilities:
-            add:
-            - SETUID
+            allowPrivilegeEscalation: false
         volumeMounts:
         - name: run-tmpfs
           mountPath: /run