Reading Notes: “Tetragon, an eBPF-based Kubernetes security management tool”

Original link: https://www.hwchiu.com/read-notes-52.html

Title: “Tetragon, an eBPF-based Kubernetes security management tool”
Category: others
Link: https://isovalent.com/blog/post/2022-05-16-tetragon

Isovalent, the company behind Cilium, recently announced their internal security project, Tetragon (the cute bee warrior).

Tetragon is built on eBPF, and its goal is to give your Kubernetes cluster powerful security capabilities, including

  1. Detailed observability that lets you see at a glance how every resource in the system came about and what happened to it
  2. Dynamic enforcement that lets you describe policies in formats such as Kubernetes CRDs, OPA or JSON and then integrate them into your Kubernetes cluster dynamically and seamlessly

Before discussing Tetragon, we first need to look at the related solutions that already exist and at their advantages and disadvantages, including

  1. App Instrumentation
  2. LD_PRELOAD
  3. ptrace
  4. seccomp
  5. SELinux/LSM
  6. Kernel Module

Each of the six approaches above has its own characteristics, briefly summarized here (O marks an advantage, X a disadvantage).

App Instrumentation
O High efficiency; you can see very detailed information
X The application code must be modified, so it is not transparent enough
X Purely for observability; security rules cannot be embedded to protect the application
X Application-centric; it cannot see the state of the whole system

LD_PRELOAD (swapping in a library dynamically at load time)
O High efficiency
O The application does not need to be modified
X Useless for statically linked applications
X Offers little observability

ptrace (uses a kernel-provided facility to view the syscalls a process makes)
O Transparent; the application does not need to be modified
X High performance overhead
X Applications have ways to detect that they are being monitored via ptrace
X Scope is limited to syscalls (system calls)

seccomp (filters the syscalls an application may call)
O Efficient; the application does not need to be modified
X Rules can only block syscalls
X No good observability

SELinux/LSM (kernel built-in security framework that controls access)
O Efficient; the application does not need to be modified
O Can prevent TOCTTOU attacks
X Limited integration with containers/Kubernetes
X Not easy to extend
X Policies must be written per attack type

Kernel Module
O Efficient; the application does not need to be modified
O Can extend functionality without modifying the kernel
X Not every environment allows users to load kernel modules
X A bug in the module will crash your kernel
X Cannot be upgraded seamlessly: to upgrade the functionality you must unload the kernel module and then load the new one.

Some of the six solutions above can only observe what processes do, and some can only set rules for protection, but none handles both comprehensively. Tetragon, implemented on eBPF, is a new solution that provides both capabilities.

First, for security protection, Tetragon takes a lower-level approach. Instead of addressing specific CVEs, it defends against several common attack patterns.
If any application exhibits the following unexpected behavior, the process can be killed directly:

  1. Using capabilities that should not be used
  2. Using a Linux namespace that should not be used
  3. Executing a binary that should not be used
  4. Seeing a PID that should not be there

These rules are described as Kubernetes CRDs. When the rules are submitted to Kubernetes, the corresponding controller converts them into eBPF programs that enforce them. In addition, thanks to the eBPF and kprobe architecture, Tetragon can observe many kernel resource accesses and operations, such as

  1. syscall (system call)
  2. Virtual FS
  3. TCP/IP
  4. namespace
  5. Storage
  6. Network

Tetragon collects the data from the sources listed above, post-processes it, and presents the various information about the system through a nice web page, which can show, for example,

  1. Which Pods keep accessing /etc/passwd, and how they access it
  2. The external network traffic of a specific Pod, from the packet contents down to the command that generated it.
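As an added example (not from the post or the Tetragon project), here is how rule 3 above (a binary that should not be used) and the /etc/passwd observation could be expressed together as one Tetragon TracingPolicy CRD, which the Tetragon agent compiles into eBPF attached to the named kprobe. The field names follow the TracingPolicy schema documented by the Tetragon project, which I assume still matches the version the post describes; the policy name and the binary list are constructed for illustration.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: passwd-read-guard            # constructed policy name
spec:
  kprobes:
  - call: "security_file_permission" # LSM hook hit on every file read/write check
    syscall: false
    args:
    - index: 0
      type: "file"                   # struct file *; Tetragon resolves its path
    - index: 1
      type: "int"                    # access mask: 4 = MAY_READ, 2 = MAY_WRITE
    selectors:
    # Selectors are alternatives: an event is emitted when any one matches.
    # Selector 1: observe only. Every read of /etc/passwd produces an event
    # carrying the Pod, binary and arguments of the reader.
    - matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "/etc/passwd"
      - index: 1
        operator: "Equal"
        values:
        - "4"
    # Selector 2: enforce. The same read, but performed by an interactive
    # tool that a workload container has no reason to run (constructed list),
    # gets the reading process killed.
    - matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "/etc/passwd"
      - index: 1
        operator: "Equal"
        values:
        - "4"
      matchBinaries:
      - operator: "In"
        values:
        - "/bin/sh"
        - "/bin/bash"
        - "/bin/cat"
      matchActions:
      - action: Sigkill
```

Applying the policy with kubectl is enough; the Tetragon agent picks up the CRD, loads the eBPF program, and the resulting events (including the Sigkill action) appear in its event stream with the Pod and container context attached.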

eBPF applications keep multiplying, and Isovalent currently appears to be the leader in the Kubernetes ecosystem. Although it is uncertain whether it will be widely adopted in the future, at least in this area I have not seen other eBPF-based solutions being pushed so actively. If you have spare time, spending some of it learning the concepts of eBPF will improve your speed and understanding when reading this type of article.

Personal information

I currently offer Kubernetes-related courses on the Hiskio platform. Interested readers are welcome to check them out and share them; they contain my various ideas about Kubernetes, from the fundamentals to hands-on practice.

For details, please refer to the online course details: https://course.hwchiu.com/

In addition, please like and follow my personal fan page, which regularly shares articles, some translated and some original, mainly focusing on the CNCF field
https://www.facebook.com/technologynoteniu

If you use Telegram, you can also subscribe to the following channel, where I regularly push notifications of new articles
https://t.me/technologynote

Your donation will motivate me to keep writing.

This article is reprinted from: https://www.hwchiu.com/read-notes-52.html
This site is for inclusion only, and the copyright belongs to the original author.
