Running Tetragon: An eBPF-based security observability platform on Kubernetes

December 21, 2022 | 4 minute read

Tetragon is a now open source, eBPF-based tool for security observability and enforcement in Kubernetes environments. As eBPF-based tools grow more popular in cloud-native applications and find use cases in networking, monitoring, and security tooling, this article and its associated tutorial take a close look at why and how to run Tetragon on Oracle Cloud Infrastructure (OCI).

What is eBPF and why is it popular?

Security applications often have requirements and scenarios that are broad in nature, like being able to watch for all programs that are opening sensitive files and deleting the programs exhibiting behaviors that we aren’t expecting. The broadest range that we get is down to the operating system (OS) kernel itself because little activity in the OS escapes the kernel. Implementing these security protocols broadly across a system often leads to performance degradation to unacceptable levels because these tools typically run outside the kernel's privileged run context, leading most users to settle for monitoring specific applications or smaller parts of a system. Building this functionality directly into the kernel or as kernel modules that run within the kernel space often lets a program have a low overhead, but traditionally this status comes at the cost of security and maintenance of these kernel modules.

eBPF fundamentally changes this equation by providing a way to introduce new functionality that runs in a sandboxed, privileged context without changing kernel source code or loading a kernel module. It works much like a programming language virtual machine (VM), such as Java's: modern Java programs are compiled into byte-code, which the Java virtual machine (JVM) compiles to native code with a just-in-time (JIT) compiler to get native performance.

Similarly, eBPF programs have a byte-code representation. eBPF is tied to the Linux kernel. Think of it as a VM inside the kernel. The in-kernel JIT compiler compiles the eBPF byte-code into native code that can run in the kernel space.

eBPF uses an event-based model to load programs, and eBPF programs are written to hook into network events, system calls, and more. When an event that an eBPF program hooks into has been called, the eBPF program is loaded into the kernel after verification and JIT compilation. The verification step ensures that the program is safe to run, has the right privileges, and can run to completion, while the JIT compilation ensures native performance. In many cases, eBPF programs are written in higher-level languages and compiled into the byte-code representation. These representations are then loaded into a running kernel after JIT compilation based on the events that the programs are hooked into.

Tetragon: eBPF-based security observability and enforcement

Tetragon is a cloud-native, eBPF-based tool that performs security observability and enforcement and is a component of the Cilium project. Using eBPF, Tetragon can filter and observe events and apply policies in real time without sending events to an agent running outside the kernel. Tetragon can address numerous security and observability use cases by filtering for events like a workload opening a network connection, accessing a file, or even starting a process inside a container.

For example, a shell process starting inside an application container can be considered a security event. Someone could be trying to troubleshoot an issue, or it could be some malicious activity. Either way, it should trigger a security check to rule out an attack on the system. The same can be said about network connections being opened or files being read. Tetragon can trace and filter these activities while introducing little to no overhead, usually at the earliest stage that these events can be detected in software.

Tetragon is ideally suited for all Kubernetes workloads, and it runs as a daemonset on each node in the cluster. Tetragon can then pull metadata from the Kubernetes API server and correlate that metadata with the events observed within the kernel of each node. Tetragon makes it easy to set up real-time filters for these activities and more using TracingPolicies. TracingPolicy is a custom resource created by Tetragon that lets admins and DevSecOps teams create and deploy filters for kernel events as Kubernetes resources. A TracingPolicy can match system calls, process attributes, and arguments, and trigger an action on matches.
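
The shell-in-a-container scenario and the Kubernetes metadata correlation described above, as an added example (not code from the original article or the Tetragon project): a filter over a JSON event stream that reports shells started inside pods. The field names are assumed to follow Tetragon's JSON event export; the sample events, the shell list, and the function name are constructed for illustration.

```python
import json
from pathlib import PurePosixPath

# Binaries treated as shells (assumed list; adjust per image).
SHELLS = {"sh", "bash", "dash", "ash", "zsh", "ksh"}

# Constructed sample events shaped like Tetragon's JSON export (not real output).
SAMPLE_EVENTS = [
    '{"process_exec":{"process":{"pid":4123,"binary":"/bin/bash","arguments":"",'
    '"pod":{"namespace":"shop","name":"cart-7d9f","container":{"name":"cart"}}},'
    '"parent":{"binary":"/usr/bin/runc"}},"node_name":"node-1","time":"2022-12-21T10:00:01Z"}',
    '{"process_exec":{"process":{"pid":4200,"binary":"/usr/bin/java","arguments":"-jar app.jar",'
    '"pod":{"namespace":"shop","name":"cart-7d9f","container":{"name":"cart"}}},'
    '"parent":{"binary":"/usr/bin/runc"}},"node_name":"node-1","time":"2022-12-21T10:00:02Z"}',
    '{"process_exec":{"process":{"pid":900,"binary":"/bin/sh","arguments":"-c uptime"},'
    '"parent":{"binary":"/usr/sbin/crond"}},"node_name":"node-1","time":"2022-12-21T10:00:03Z"}',
    '{"process_exit":{"process":{"pid":4123,"binary":"/bin/bash",'
    '"pod":{"namespace":"shop","name":"cart-7d9f","container":{"name":"cart"}}}},'
    '"node_name":"node-1","time":"2022-12-21T10:00:09Z"}',
    '{"process_exec":{"process":{"pid":5001,"binary":"/bin/sh","arguments":"-c id",'
    '"pod":{"namespace":"shop","name":"web-5c4b","container":{"name":"web"}}},'
    '"parent":{"binary":"/usr/bin/python3"}},"node_name":"node-2","time":"2022-12-21T10:00:12Z"}',
    '{"process_exec":{"process":{"pid":51',  # truncated line, as seen in cut-off logs
]


def shell_execs_in_pods(lines):
    """Return a finding for each process_exec event where a shell starts in a pod."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        exec_ev = event.get("process_exec") if isinstance(event, dict) else None
        if not exec_ev:
            continue  # other event types (exit, kprobe) are out of scope here
        proc = exec_ev.get("process", {})
        pod = proc.get("pod")
        if not pod or PurePosixPath(proc.get("binary") or "").name not in SHELLS:
            continue  # host process (no pod metadata) or not a shell
        findings.append({
            "time": event.get("time"),
            "pod": f'{pod.get("namespace")}/{pod.get("name")}',
            "container": pod.get("container", {}).get("name"),
            "binary": proc["binary"],
            "parent": exec_ev.get("parent", {}).get("binary"),
        })
    return findings
```

The parent binary is kept in each finding because it is usually what separates an operator's interactive session from a shell spawned by the application process itself.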

How to run Tetragon on OKE

You can deploy Tetragon to Kubernetes clusters on Oracle Container Engine for Kubernetes (OKE) using the helm chart published by the Tetragon project. When installed, the TracingPolicy custom resource definition (CRD) is created, and Tetragon runs on the cluster nodes as a daemonset.

OKE uses Oracle Linux, and Tetragon relies on BPF Type Format (BTF) support in the kernel. Recent Oracle Linux kernels include BTF support out of the box. If in doubt, use the latest Oracle Linux 8 for your OKE nodes. The best way to check whether your nodes have BTF support is to SSH to the node and run the command ls /sys/kernel/btf. You can see the kernel (vmlinux) and other modules listed there.
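
A scripted form of the BTF check above, as an added example that is not part of the original article: it goes one step beyond listing the directory by confirming that vmlinux starts with the BTF magic number (0xEB9F) and reporting the header version and the module BTF files. It assumes python3 is available on the node; the function name and result keys are hypothetical.

```python
import struct
from pathlib import Path

BTF_MAGIC = 0xEB9F  # first two bytes of struct btf_header, in host byte order


def check_btf(btf_dir="/sys/kernel/btf"):
    """Return a dict describing whether the kernel exposes usable BTF."""
    root = Path(btf_dir)
    vmlinux = root / "vmlinux"
    result = {"ok": False, "version": None, "modules": [], "reason": ""}
    if not vmlinux.is_file():
        result["reason"] = f"{vmlinux} not found: kernel lacks BTF support"
        return result
    with vmlinux.open("rb") as fh:
        header = fh.read(4)  # magic (u16), version (u8), flags (u8)
    if len(header) < 4:
        result["reason"] = "vmlinux BTF is truncated"
        return result
    # Accept either byte order; the blob is written in the kernel's endianness.
    if BTF_MAGIC not in (struct.unpack("<H", header[:2])[0],
                         struct.unpack(">H", header[:2])[0]):
        result["reason"] = "vmlinux does not start with the BTF magic"
        return result
    result.update(ok=True, version=header[2],
                  modules=sorted(p.name for p in root.iterdir()
                                 if p.name != "vmlinux"))
    return result


if __name__ == "__main__":
    print(check_btf())
```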

When you have ensured that you’re running on a recent version of the kernel on your nodes, you can get started with Tetragon with a hands-on tutorial that walks you through installation, deploying sample workloads, and setting up your own TracingPolicies.

Next steps

Tetragon adds a set of highly performant security and enforcement capabilities to your Kubernetes clusters on OKE. Head over to the hands-on tutorial to set up and try Tetragon on your OKE cluster. 

For more information, see the Tetragon documentation. To try this new feature and all the enterprise-grade capabilities that Oracle Cloud Infrastructure offers, create your Always Free account today with a US$300 free credit.

Jeevan Joseph
