tetragon: docs, fixes from Mahe
Signed-off-by: John Fastabend <[email protected]>
jrfastab committed Oct 11, 2023
1 parent 7c231d4 commit 8881a1a
Showing 4 changed files with 51 additions and 50 deletions.
Expand Up @@ -8,31 +8,36 @@ description: "Discover and experiment with Tetragon in a kubernetes environment"

If you don’t have a Kubernetes Cluster yet, you can use the instructions below to create a Kubernetes cluster locally or using a managed Kubernetes service:

TBD tabplane this...
{{< tabpane text=true >}}
{{% tab GKE %}}

#### Kind
The following commands create a Kubernetes cluster using [Google
Kubernetes Engine](https://cloud.google.com/kubernetes-engine). See
[Installing Google Cloud SDK](https://cloud.google.com/sdk/install) for
instructions on how to install `gcloud` and prepare your account.

Run the following command to create the Kubernetes cluster:
```
kind create cluster
```shell-session
export NAME="$(whoami)-$RANDOM"
gcloud container clusters create "${NAME}" --zone us-west2-a
gcloud container clusters get-credentials "${NAME}" --zone us-west2-a
```
{{% /tab %}}

#### GKE

Run the following command to create a GKE cluster:
{{% tab Kind %}}
Run the following command to create the Kubernetes cluster:

```shell
export NAME="$(whoami)-$RANDOM"
gcloud container clusters create "${NAME}" \
--zone us-west2-a \
--num-nodes 1
```shell-session
kind create cluster
```
{{% /tab %}}

{{< /tabpane >}}

### Deploy Tetragon

To install and deploy Tetragon, run the following commands:

```shell
```shell-session
helm repo add cilium https://helm.cilium.io
helm repo update
helm install tetragon cilium/tetragon -n kube-system
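Review bot: the rewritten GKE tab drops the `--num-nodes 1` flag that the old `gcloud container clusters create "${NAME}"` block passed, so the quickstart now creates a default-sized cluster; if the single-node cluster was meant to keep the getting-started cost low, re-add `--num-nodes 1` to the new `shell-session` block. The added `gcloud container clusters get-credentials "${NAME}"` line is needed for `kubectl` to reach the new cluster before the Helm install below, so keep that.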
Expand All @@ -51,24 +56,18 @@ HTTP application, but any workload would work equally well.
To use our [demo
application](https://docs.cilium.io/en/v1.11/gettingstarted/http/#deploy-the-demo-application)

```shell
```shell-session
kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.11/examples/minikube/http-sw-app.yaml
```

Before going forward, verify that all pods are up and running - it might take
several seconds for some pods until they satisfy all the dependencies:

```shell
```shell-session
kubectl get pods
```

The output should be similar to:
```
NAME READY STATUS RESTARTS AGE
deathstar-6c94dcc57b-7pr8c 1/1 Running 0 10s
deathstar-6c94dcc57b-px2vw 1/1 Running 0 10s
tiefighter 1/1 Running 0 10s
xwing 1/1 Running 0 10s
```
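Review bot: the fences in this hunk are re-tagged `shell-session` on blocks that hold bare commands with no prompt (`kubectl create -f ...`, `kubectl get pods`), while the block after "The output should be similar to:" stays an untagged fence; either add `$ ` prompts so the tag matches the content, or tag the output block the same way, so the page highlights consistently.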


20 changes: 10 additions & 10 deletions docs/content/en/docs/getting-started/tetragon-execution.md
Expand Up @@ -16,26 +16,26 @@ can then observe all executions in the system.

The following command can be used to observe exec events.

{{< tabpane >}}
{{< tab header="K8s" >}}
{{< tabpane lang=shell-session >}}
{{< tab Kubernetes >}}
kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents -o compact --pods xwing
{{< /tab >}}
{{< tab header="Docker" >}}
{{< tab Docker >}}
docker exec tetragon-container tetra getevents -o compact
{{< /tab >}}
{{< tab header="Systemd" >}}
{{< tab Systemd >}}
{{< /tab >}}
{{< /tabpane >}}

This will print a compact form of the exec logs. For an example we do the following
with the demo application.

```
```shell-session
kubectl exec -ti xwing -- bash -c 'curl https://ebpf.io/applications/#tetragon
```
The CLI will print a compact form of the event to the terminal

```
```shell-session
🚀 process default/xwing /bin/bash -c "curl https://ebpf.io/applications/#tetragon"
🚀 process default/xwing /usr/bin/curl https://ebpf.io/applications/#tetragon
💥 exit default/xwing /usr/bin/curl https://ebpf.io/applications/#tetragon 60
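Review bot: the demo command in this hunk's context, `kubectl exec -ti xwing -- bash -c 'curl https://ebpf.io/applications/#tetragon`, is missing its closing single quote, so a reader pasting it gets an unterminated-quote error instead of the exec events shown below; since the fence around it is being re-tagged `shell-session` anyway, fix the quote in the same change. The `Systemd` tab under `{{< tabpane lang=shell-session >}}` is still empty and will render as an empty code tab; add the command or drop the tab until it is ready.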
Expand All @@ -46,14 +46,14 @@ The compact exec event contains the event type, the pod name, the binary and the

For the complete exec event in JSON format remove the compact option.

{{< tabpane >}}
{{< tab header="K8s" >}}
{{< tabpane lang=shel-session >}}
{{< tab Kubernetes >}}
kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents
{{< /tab >}}
{{< tab header="Docker" >}}
{{< tab Docker >}}
docker exec tetragon-container tetra getevents
{{< /tab >}}
{{< tab header="Systemd" >}}
{{< tab Systemd >}}
{{< /tab >}}
{{< /tabpane >}}
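Review bot: `{{< tabpane lang=shel-session >}}` has a typo in the language name (`shel-session`), so this tabpane will not get the same highlighting as the other tabpanes in the change; it should read `{{< tabpane lang=shell-session >}}`.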

19 changes: 10 additions & 9 deletions docs/content/en/docs/getting-started/tetragon-file-events.md
Expand Up @@ -16,32 +16,33 @@ The following extends the example from Execution Tracing with a policy to
monitor sensitive files in Linux. The policy used is the [`file-monitoring.yaml`](https://github.com/cilium/tetragon/blob/main/quickstart/file-monitoring.yaml) it can be reviewed and extended
as needed. However, files monitored here serve as a good base set of files.

To apply the policy
To apply the policy

{{< tabpane >}}
{{< tab header="K8s" >}}
{{< tabpane lang=shell-session >}}

{{< tab Kubernetes >}}
kubectl apply -f http://github.com/cilium/tetragon/quickstart/file-monitoring.yaml
{{< /tab >}}
{{< tab header="Docker" >}}
{{< tab Docker >}}
{{< /tab >}}
{{< tab header="Systemd" >}}
{{< tab Systemd >}}
{{< /tab >}}
{{< /tabpane >}}

With the file applied we can attach tetra to observe events again,

```
```shell-session
kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents -o compact --pods xwing
```
Then reading a sensitive file,

```
```shell-session
kubectl exec -ti xwing -- bash -c 'cat /etc/shadow'
```

This will generate a read event,

```
```shell-session
🚀 process default/xwing /bin/bash -c "cat /etc/shadow"
🚀 process default/xwing /bin/cat /etc/shadow
📚 read default/xwing /bin/cat /etc/shadow
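Review bot: `kubectl apply -f http://github.com/cilium/tetragon/quickstart/file-monitoring.yaml` fetches over plain HTTP and points at a repository path rather than the raw file, so kubectl receives an HTML page instead of the policy; the prose above links the policy as `blob/main/quickstart/file-monitoring.yaml`, so the command should use the raw https URL for that same path. Also, the removed and added "To apply the policy" lines appear identical and the sentence is a fragment; end it with a colon. The blank line between `{{< tabpane lang=shell-session >}}` and `{{< tab Kubernetes >}}` is not present in the other files' tabpanes; drop it for consistency.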
Expand All @@ -50,7 +51,7 @@ This will generate a read event,

Attempts to write in sensitive directories will similar create an event. For example attempting to write in '/etc'.

```
```shell-session
🚀 process default/xwing /bin/bash -c "echo foo >> /etc/bar"
📝 write default/xwing /bin/bash /etc/bar
📝 write default/xwing /bin/bash /etc/bar
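Review bot: the context sentence "Attempts to write in sensitive directories will similar create an event" should read "will similarly create an event", and `'/etc'` is quoted with single quotes where the rest of the page uses backticks for paths; both are worth fixing while this fence is being re-tagged `shell-session`.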
19 changes: 10 additions & 9 deletions docs/content/en/docs/getting-started/tetragon-network.md
Expand Up @@ -10,37 +10,38 @@ all network traffic outside the Kubernetes CIDR.

# Network Access Monitoring

To apply the policy
To apply the policy

{{< tabpane >}}
{{< tab header="K8s" >}}
{{< tabpane lang=shell-session >}}

{{< tab Kubernetes >}}
wget http://github.com/cilium/tetragon/quickstart/network_egress_cluster.yaml
kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}'| awk '{ for (i = 1; i <= NF; i++) print " - \"" $i "\"" }' >> network_egress_cluster.yaml
kubectl get services -o jsonpath='{.items[*].spec.clusterIP}'| awk '{ for (i = 1; i <= NF; i++) print " - \"" $i "\"" }' >> network_egress_cluster.yaml
kubectl apply -f network_egress_cluster.yaml
{{< /tab >}}
{{< tab header="Docker" >}}
{{< tab Docker >}}
{{< /tab >}}
{{< tab header="Systemd" >}}
{{< tab Systemd >}}
{{< /tab >}}
{{< /tabpane >}}

With the file applied we can attach tetra to observe events again,

```
```shell-session
kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents -o compact --pods xwing --processes curl
```

Then execute a curl command in the xwing pod to curl one of our favorite
sites.

```
```shell-session
kubectl exec -ti xwing -- bash -c 'curl https://ebpf.io/applications/#tetragon'
```

A connect will be observed in the tetra shell

```
```shell-session
🚀 process default/xwing /usr/bin/curl https://ebpf.io/applications/#tetragonon
🔌 connect default/xwing /usr/bin/curl tcp 10.32.0.19:33978 -> 104.198.14.52:443
💥 exit default/xwing /usr/bin/curl https://ebpf.io/applications/#tetragonon 60
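Review bot: `wget http://github.com/cilium/tetragon/quickstart/network_egress_cluster.yaml` has the same problem as the file-monitoring hunk: plain HTTP and a non-raw repository path, so the two `>>` appends and the `kubectl apply -f network_egress_cluster.yaml` operate on an HTML page rather than the policy YAML; use the raw https URL. The sample output also shows `#tetragonon` in both the process and exit lines where the command issued above was `#tetragon`; the output block should match the command it illustrates.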
Expand All @@ -50,7 +51,7 @@ We can confirm in-kernel BPF filters are not producing events for in cluster
traffic by issuing a curl to one of our services and noting there is no connect
event.

```
```shell-session
$ kubectl exec -ti xwing -- bash -c 'curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing'
Ship landed
```