<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Getting Started on Tetragon - eBPF-based Security Observability and Runtime Enforcement</title>
    <link>/docs/getting-started/</link>
    <description>Recent content in Getting Started on Tetragon - eBPF-based Security Observability and Runtime Enforcement</description>
    <generator>Hugo</generator>
    <language>en</language>
    <atom:link href="/docs/getting-started/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Quick Kubernetes Install</title>
      <link>/docs/getting-started/install-k8s/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/getting-started/install-k8s/</guid>
      <description>Create a cluster&#xA;If you don’t have a Kubernetes Cluster yet, you can use the instructions below to create a Kubernetes cluster locally or using a managed Kubernetes service:&#xA;GKE, AKS, EKS, Kind&#xA;The following commands create a single node Kubernetes cluster using Google Kubernetes Engine. See Installing Google Cloud SDK for instructions on how to install gcloud and prepare your account.&#xA;export NAME=&amp;#34;$(whoami)-$RANDOM&amp;#34;&#xA;export ZONE=&amp;#34;us-west2-a&amp;#34;&#xA;gcloud container clusters create &amp;#34;${NAME}&amp;#34; --zone ${ZONE} --num-nodes=1&#xA;gcloud container clusters get-credentials &amp;#34;${NAME}&amp;#34; --zone ${ZONE}&#xA;The following commands create a single node Kubernetes cluster using Azure Kubernetes Service.</description>
    </item>
    <item>
      <title>Quick Local Docker Install</title>
      <link>/docs/getting-started/install-docker/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/getting-started/install-docker/</guid>
      <description>Note: This guide has been tested on Ubuntu 22.04 and 22.10, with kernels 5.15.0 and 5.19.0 respectively, on amd64 and arm64, but any recent distribution shipping with a relatively recent kernel should work. See the FAQ for further details on the recommended kernel versions.&#xA;Note that you cannot run Tetragon using Docker Desktop on macOS because of a limitation of the Docker Desktop Linux virtual machine. Learn more about this issue and how to run Tetragon on a Mac computer in this section of the FAQ page.</description>
    </item>
    <item>
      <title>Execution Monitoring</title>
      <link>/docs/getting-started/execution/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/getting-started/execution/</guid>
      <description>At the core of Tetragon is the tracking of all executions in a Kubernetes cluster, virtual machines, and bare metal systems. This creates the foundation that allows Tetragon to attribute all system behavior back to a specific binary and its associated metadata (container, Pod, Node, and cluster).&#xA;Observe Tetragon execution events&#xA;Tetragon exposes the execution events over JSON logs and a gRPC stream. The user can then observe all executions in the system.</description>
    </item>
    <item>
      <title>File Access Monitoring</title>
      <link>/docs/getting-started/file-events/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/getting-started/file-events/</guid>
      <description>Tracing policies can be added to Tetragon through YAML configuration files that extend Tetragon&amp;rsquo;s base execution tracing capabilities. These policies perform filtering in kernel to ensure only interesting events are published to userspace from the BPF programs running in kernel. This ensures overhead remains low even on busy systems.&#xA;The instructions below extend the example from Execution Monitoring with a policy to monitor sensitive files in Linux. The policy used is file_monitoring.</description>
    </item>
    <item>
      <title>Network Monitoring</title>
      <link>/docs/getting-started/network/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/getting-started/network/</guid>
      <description>In addition to file access monitoring, Tetragon&amp;rsquo;s tracing policies also support monitoring network access. In this section, you will see how to monitor network traffic to &amp;ldquo;external&amp;rdquo; destinations (destinations that are outside the Kubernetes cluster or external to the Docker host where Tetragon is running). These instructions assume you already have Tetragon running in either Kubernetes or Docker, and that you have deployed the Cilium demo application.&#xA;Monitoring Kubernetes network access&#xA;First, you&amp;rsquo;ll need to find the pod CIDR and service CIDR in use.</description>
    </item>
    <item>
      <title>Policy Enforcement</title>
      <link>/docs/getting-started/enforcement/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/getting-started/enforcement/</guid>
      <description>Tetragon&amp;rsquo;s tracing policies support monitoring kernel functions to report events, such as file access events or network connection events, as well as enforcing restrictions on those same kernel functions. Using in-kernel filtering in Tetragon provides a key performance improvement by limiting events from kernel to user space. In-kernel filtering also enables Tetragon to enforce policy restrictions at the kernel level. For example, by issuing a SIGKILL to a process when a policy violation is detected, the process will not continue to run.</description>
    </item>
  </channel>
</rss>
