Kubernetes Security with Tetragon: Lab to Detect Container Escapes

Introduction

In modern Kubernetes environments, visibility into what processes actually run inside pods is critical for security. Tetragon, an open-source project from the Cilium team, uses eBPF (a Linux kernel technology) to provide real-time observability and runtime enforcement for security events. Unlike agents that poll /proc or rely on audit logs, Tetragon observes process execution, file access, and network activity from inside the kernel, so it sees events as they happen, with pod and container context attached, at low performance overhead.

What Makes Tetragon Unique?

  • eBPF-Powered: Directly hooks into the Linux kernel for detailed event monitoring.
  • No Dependency on Cilium: Can work independently of the Cilium networking stack.
  • Real-Time Security Insights: Detects and monitors system calls, process events, and network activity in real time.
  • Actionable Outputs: Converts raw events into meaningful security signals.

Scenarios Covered in This Workshop

  • Detect Suspicious Process

Lab: Runtime Observability using eBPF-based Tetragon

Open New Terminal (Terminal-1)

Deploying Tetragon

  • Add the Cilium Helm repository.

    helm repo add cilium https://helm.cilium.io
    helm repo update
    
  • Install Tetragon using Helm. ${EXTRA_HELM_FLAGS[@]} is an optional bash array for any extra flags your cluster needs (for example --set overrides or --version to pin a chart release); if you have none, omit it.

    helm install tetragon ${EXTRA_HELM_FLAGS[@]} cilium/tetragon -n kube-system
    
  • Check the rollout status of the Tetragon DaemonSet.

    kubectl rollout status -n kube-system ds/tetragon -w
    

Deploying Demo Application

  • Deploy the Cilium demo application.

    kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.15.3/examples/minikube/http-sw-app.yaml
    
  • Verify all pods are running.

    kubectl get pods
    
  • Example output.

    NAME                         READY   STATUS    RESTARTS   AGE
    deathstar-6c94dcc57b-7pr8c   1/1     Running   0          10s
    deathstar-6c94dcc57b-px2vw   1/1     Running   0          10s
    tiefighter                   1/1     Running   0          10s
    xwing                        1/1     Running   0          10s
    

Execution Monitoring

Observing Execution Events

  • Observe execution events in Tetragon. -o compact prints one line per event; drop it to get the full JSON record for each event. --pods xwing restricts the stream to that pod, so leave the command running in this terminal.
    kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents -o compact --pods xwing
    

Open a New Terminal (Terminal-2) and run the command below while the event stream in Terminal-1 is still running

  • Trigger an execution event.
    kubectl exec -ti xwing -- bash -c 'curl https://ebpf.io/applications/#tetragon'
    
    Example output (in Terminal-1):
    🚀 process default/xwing /bin/bash -c "curl https://ebpf.io/applications/#tetragon"
    🚀 process default/xwing /usr/bin/curl https://ebpf.io/applications/#tetragon
    💥 exit    default/xwing /usr/bin/curl https://ebpf.io/applications/#tetragon 60

    Each process line carries the namespace/pod, the binary path, and its arguments; the exit line also carries the exit status. The 60 here is curl's own exit code for a failed TLS certificate verification (the minimal xwing image has no CA bundle), so the request never completed. Both the execution of curl in the pod and its outcome are visible without any agent inside the container.
    
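As an added example (not part of this lab or of the Tetragon project), the script below applies the "suspicious process" scenario to Tetragon's JSON output instead of the compact view: run tetra getevents without -o compact, pipe its lines into the script, and it flags watch-listed binaries and shells executed inside pods, correlating each process_exit with its process_exec on exec_id so the exit status lands on the alert. The field names it reads (process_exec.process.binary, arguments, exec_id, pod.namespace, pod.name; process_exit.status) follow Tetragon's JSON event schema as documented; the embedded sample events are constructed for this example, not captured from the cluster, and the watch-list is an illustrative choice, not a Tetragon default.

```python
"""Flag suspicious process executions in a Tetragon JSON event stream.

Added example for this lab, not Tetragon's own tooling. Reads the
newline-delimited JSON printed by `tetra getevents` (without -o compact).
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from typing import Iterable, Optional

# Illustrative watch-list for this example; tune it for your environment.
WATCHLIST = {
    "/usr/bin/curl", "/usr/bin/wget", "/usr/bin/nc", "/usr/bin/ncat",
    "/usr/bin/socat", "/usr/bin/nsenter", "/usr/sbin/nsenter",
}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}


@dataclass
class Alert:
    pod: str                        # "namespace/name"
    binary: str
    arguments: str
    reason: str
    exit_status: Optional[int] = None   # set when the matching process_exit arrives


def pod_ref(proc: dict) -> str:
    pod = proc.get("pod") or {}
    return f"{pod.get('namespace', '?')}/{pod.get('name', '?')}"


def classify_exec(proc: dict) -> Optional[str]:
    """Return a reason if this process record looks suspicious, else None."""
    binary = proc.get("binary", "")
    if binary in WATCHLIST:
        return "watch-listed binary executed in pod"
    if binary in SHELLS:
        return "shell spawned in pod"
    return None


def analyze(lines: Iterable[str]) -> list[Alert]:
    """Consume JSON event lines and return alerts in arrival order."""
    alerts: list[Alert] = []
    pending: dict[str, Alert] = {}      # exec_id -> alert awaiting its exit
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                    # skip non-JSON diagnostics from tetra
        if "process_exec" in event:
            proc = event["process_exec"].get("process") or {}
            if not proc.get("pod"):
                continue                # host process: out of scope here
            reason = classify_exec(proc)
            if reason:
                alert = Alert(pod_ref(proc), proc.get("binary", ""),
                              proc.get("arguments", ""), reason)
                alerts.append(alert)
                exec_id = proc.get("exec_id")
                if exec_id:
                    pending[exec_id] = alert
        elif "process_exit" in event:
            ev = event["process_exit"]
            exec_id = (ev.get("process") or {}).get("exec_id")
            alert = pending.pop(exec_id, None) if exec_id else None
            if alert is not None:
                # protobuf JSON omits zero-valued fields, so a missing
                # status means a clean exit (0).
                alert.exit_status = int(ev.get("status", 0))
    return alerts


def format_alert(alert: Alert) -> str:
    status = "running" if alert.exit_status is None else f"exit={alert.exit_status}"
    return f"ALERT {alert.pod} {alert.binary} {alert.arguments} [{alert.reason}, {status}]"


# Constructed sample events mirroring this lab's curl run (not real captures).
SAMPLE_EVENTS = [
    json.dumps({"process_exec": {"process": {"exec_id": "host:1", "binary": "/usr/sbin/sshd"}}}),
    json.dumps({"process_exec": {"process": {"exec_id": "xwing:1", "binary": "/bin/bash",
                "arguments": "-c curl https://ebpf.io/applications/#tetragon",
                "pod": {"namespace": "default", "name": "xwing"}}}}),
    json.dumps({"process_exec": {"process": {"exec_id": "xwing:3", "binary": "/bin/ls",
                "arguments": "/tmp", "pod": {"namespace": "default", "name": "xwing"}}}}),
    json.dumps({"process_exec": {"process": {"exec_id": "xwing:2", "binary": "/usr/bin/curl",
                "arguments": "https://ebpf.io/applications/#tetragon",
                "pod": {"namespace": "default", "name": "xwing"}}}}),
    json.dumps({"process_exit": {"process": {"exec_id": "xwing:2", "binary": "/usr/bin/curl"},
                "status": 60}}),
    json.dumps({"process_exit": {"process": {"exec_id": "xwing:1", "binary": "/bin/bash"},
                "status": 60}}),
]

if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_EVENTS
    for a in analyze(source):
        print(format_alert(a))
```

To run it against the live stream from this lab: kubectl exec -n kube-system ds/tetragon -c tetragon -- tetra getevents --pods xwing | python3 tetragon_alerts.py (the filename is an assumption). Without stdin it replays the constructed sample, where the curl run reports the same exit status 60 that the compact output shows.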

Uninstall and Cleanup

  • Uninstall Tetragon using Helm.
    helm uninstall tetragon -n kube-system
    
  • Delete the demo application.
    kubectl delete -f https://raw.githubusercontent.com/cilium/cilium/v1.15.3/examples/minikube/http-sw-app.yaml
    
  • Remove the Helm repository if not needed.
    helm repo remove cilium
    
  • Ensure all Tetragon resources are removed (optional). helm uninstall already deletes the DaemonSet, so this command only matters if a tetragon DaemonSet is still listed in kube-system; Helm does not delete CRDs on uninstall, so check kubectl get crd for leftover cilium.io resources as well.
    kubectl delete ds tetragon -n kube-system
    

Credits