3 posts tagged with "tetragon"

· 6 min read
Neependra Khare

Kubernetes network security demands constant attention. Tetragon is an eBPF-based security observability and runtime enforcement tool that integrates with Parseable, a lightweight, high-performance log analytics tool. This post walks you through how to extract and analyse network connections effectively in Parseable using Tetragon. We'll explore how to trigger an alert when an outbound connection is opened from a running pod.

Once our production environment is established, we expect that the application won't need to download additional files. If the pod executes commands like curl or wget, Parseable will generate an alert message.

· 6 min read
Pratiksha Patel

In our previous post, Get started with eBPF log analytics in your Kubernetes cluster, we saw how to ingest Tetragon logs in Parseable and generate alerts when a sensitive file like /etc/passwd is accessed by an unauthorized pod. However, working with large volumes of raw logs is time-consuming and generally difficult. Visualizing logs in a dashboard helps identify patterns.

This post is a continuation of the previous one. In this post, we will see how to visualize the eBPF logs in Grafana.

· 8 min read
Pratiksha Patel
Aldrin Jenson

Introduction

Traditionally, the Linux kernel has been one of the best places to implement security and observability features, but also one of the hardest in practice, because adding new features to the kernel meant changing its source code and rebooting. eBPF changes this: it allows sandboxed programs to be executed in the Linux kernel at runtime, without changing the kernel source code or requiring a reboot.

This means you now have the power of the Linux kernel at your fingertips. You can write programs that execute in the kernel, and you can do it without changing the kernel source code or requiring a reboot.

Logging is one of the key beneficiaries of this technology. You can now enable kernel-level log observability with eBPF, capturing events like network access, file access and much more. This is a game changer for cloud native applications, as it gives you deep insight into your application without having to change your application code.

In this post, we'll explore the integration of Tetragon with Parseable. We'll also examine a very specific use case: auditing and alerting on sensitive file access in Kubernetes.
