Tetragon：一款基于eBPF的运行时环境安全监控工具

关于Tetragon

Tetragon是一款基于eBPF的运行时环境安全监控工具，该工具可以帮助广大研究人员检测并应对安全重大事件，例如流程执行事件、系统调用活动、I/O活动（包括网络和文件访问等）。

在 Kubernetes 环境中使用时，Tetragon 具有 Kubernetes 感知能力，也就是说，它可以了解 Kubernetes 身份，例如命名空间、pod 等，从而可以根据各个工作负载配置安全事件检测。

工具概览

工具特征

1、基于eBPF的实时安全监控与执行；

2、灵活性强，支持多种安全监测和安全性用例；

3、内核感知，可访问Linux内核状态；

工具要求

Kubernetes

Docker

工具安装

Kubernetes快速安装

创建集群

以下命令使用Google Kubernetes Engine创建单节点 Kubernetes 集群：

export NAME="$(whoami)-$RANDOM"export ZONE="us-west2-a"gcloud container clusters create "${NAME}" --zone ${ZONE} --num-nodes=1gcloud container clusters get-credentials "${NAME}" --zone ${ZONE}

以下命令使用Azure Kubernetes 服务创建单节点 Kubernetes 群集：

export NAME="$(whoami)-$RANDOM"export AZURE_RESOURCE_GROUP="${NAME}-group"az group create --name "${AZURE_RESOURCE_GROUP}" -l westus2az aks create --resource-group "${AZURE_RESOURCE_GROUP}" --name "${NAME}"az aks get-credentials --resource-group "${AZURE_RESOURCE_GROUP}" --name "${NAME}"

部署Tetragon

helm repo add cilium https://helm.cilium.iohelm repo updatehelm install tetragon ${EXTRA_HELM_FLAGS[@]} cilium/tetragon -n kube-systemkubectl rollout status -n kube-system ds/tetragon -w

Docker本地安装

docker run -d --name tetragon --rm --pull always \--pid=host --cgroupns=host --privileged             \-v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf    \quay.io/cilium/tetragon:v1.3.0

工具配置

Kubernetes配置

kubectl edit cm -n kube-system tetragon-config# Change your configuration setting, save and exit# Restart Tetragon daemonsetkubectl rollout restart -n kube-system ds/tetragon

Docker配置

# Change configuration inside /etc/tetragon/ then restart container.# Example:#   1. As a privileged user, write to the file /etc/tetragon/tetragon.conf.d/export-file#      the path where to export events, example "/var/log/tetragon/tetragon.log"#   2. Bind mount host /etc/tetragon into container /etc/tetragon# Tetragon events will be exported to /var/log/tetragon/tetragon.logecho "/var/log/tetragon/tetragon.log" > /etc/tetragon/tetragon.conf.d/export-filedocker run --name tetragon --rm -d \--pid=host --cgroupns=host --privileged \-v /etc/tetragon:/etc/tetragon \-v /sys/kernel:/sys/kernel \-v /var/log/tetragon:/var/log/tetragon \quay.io/cilium/tetragon:v1.3.0 \/usr/bin/tetragon

工具使用

Kubernetes单节点

kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents -o compact --pods xwing

Kubernetes多节点

POD=$(kubectl -n kube-system get pods -l 'app.kubernetes.io/name=tetragon' -o name --field-selector spec.nodeName=$(kubectl get pod xwing -o jsonpath='{.spec.nodeName}'))kubectl exec -ti -n kube-system $POD -c tetragon -- tetra getevents -o compact --pods xwing

Docker

docker exec tetragon tetra getevents -o compact

输出结果

{"process_exec": {"process": {"exec_id": "Z2tlLWpvaG4tNjMyLWRlZmF1bHQtcG9vbC03MDQxY2FjMC05czk1OjEzNTQ4Njc0MzIxMzczOjUyNjk5","pid": 52699,"uid": 0,"cwd": "/","binary": "/usr/bin/curl","arguments": "https://ebpf.io/applications/#tetragon","flags": "execve rootcwd","start_time": "2023-10-06T22:03:57.700327580Z","auid": 4294967295,"pod": {"namespace": "default","name": "xwing","container": {"id": "containerd://551e161c47d8ff0eb665438a7bcd5b4e3ef5a297282b40a92b7c77d6bd168eb3","name": "spaceship","image": {"id": "docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6","name": "docker.io/tgraf/netperf:latest"},"start_time": "2023-10-06T21:52:41Z","pid": 49},"pod_labels": {"app.kubernetes.io/name": "xwing","class": "xwing","org": "alliance"},"workload": "xwing"},"docker": "551e161c47d8ff0eb665438a7bcd5b4","parent_exec_id": "Z2tlLWpvaG4tNjMyLWRlZmF1bHQtcG9vbC03MDQxY2FjMC05czk1OjEzNTQ4NjcwODgzMjk5OjUyNjk5","tid": 52699},"parent": {"exec_id": "Z2tlLWpvaG4tNjMyLWRlZmF1bHQtcG9vbC03MDQxY2FjMC05czk1OjEzNTQ4NjcwODgzMjk5OjUyNjk5","pid": 52699,"uid": 0,"cwd": "/","binary": "/bin/bash","arguments": "-c \"curl https://ebpf.io/applications/#tetragon\"","flags": "execve rootcwd clone","start_time": "2023-10-06T22:03:57.696889812Z","auid": 4294967295,"pod": {"namespace": "default","name": "xwing","container": {"id": "containerd://551e161c47d8ff0eb665438a7bcd5b4e3ef5a297282b40a92b7c77d6bd168eb3","name": "spaceship","image": {"id": "docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6","name": "docker.io/tgraf/netperf:latest"},"start_time": "2023-10-06T21:52:41Z","pid": 49},"pod_labels": {"app.kubernetes.io/name": "xwing","class": "xwing","org": "alliance"},"workload": "xwing"},"docker": "551e161c47d8ff0eb665438a7bcd5b4","parent_exec_id": "Z2tlLWpvaG4tNjMyLWRlZmF1bHQtcG9vbC03MDQxY2FjMC05czk1OjEzNTQ4NjQ1MjQ1ODM5OjUyNjg5","tid": 52699}},"node_name": "gke-john-632-default-pool-7041cac0-9s95","time": "2023-10-06T22:03:57.700326678Z"}

许可证协议

本项目的开发与发布遵循Apache-2.0开源许可协议。

项目地址

Tetragon：【GitHub传送门】

参考资料

https://tetragon.io/