From 1c23f42be82eae3f73813e6b9204d5eadf87fd7a Mon Sep 17 00:00:00 2001 From: John Fastabend Date: Wed, 18 Oct 2023 14:25:07 -0700 Subject: [PATCH 1/7] tetragon: remove unconnected text block This block of text references sections that I never created lets just remove it. Signed-off-by: John Fastabend From 9e178c593a53636bebb8318950ad1728d705386b Mon Sep 17 00:00:00 2001 From: John Fastabend Date: Wed, 18 Oct 2023 14:30:23 -0700 Subject: [PATCH 2/7] tetragon: add exports for cluster create Add all the exports for cluster creation. Signed-off-by: John Fastabend --- docs/content/en/docs/getting-started/enforcement.md | 4 ---- docs/content/en/docs/getting-started/install-k8s.md | 5 +++-- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/docs/content/en/docs/getting-started/enforcement.md b/docs/content/en/docs/getting-started/enforcement.md index bfc23664888..fe4652079d2 100644 --- a/docs/content/en/docs/getting-started/enforcement.md +++ b/docs/content/en/docs/getting-started/enforcement.md @@ -99,10 +99,6 @@ a Sigkill. The successful internal connect is filtered and will not be shown. 🚀 process default/xwing /usr/bin/curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing ``` -The enforces TCP connects see [Enforce Sandbox]({{< ref "#enforce-common-security-policy" >}}) -below to further restrict possible workaround such as writing through /dev -devices and raw sockets application may attempt. - ### Enforce File Access Monitoring The following extends the example from [File Access Monitoring]({{< ref "docs/getting-started/file-events" >}}) diff --git a/docs/content/en/docs/getting-started/install-k8s.md b/docs/content/en/docs/getting-started/install-k8s.md index ff253e11e21..34532d2b8f2 100644 --- a/docs/content/en/docs/getting-started/install-k8s.md +++ b/docs/content/en/docs/getting-started/install-k8s.md 
@@ -19,8 +19,9 @@ instructions on how to install `gcloud` and prepare your account. ```shell-session export NAME="$(whoami)-$RANDOM" -gcloud container clusters create "${NAME}" --zone us-west2-a -gcloud container clusters get-credentials "${NAME}" --zone us-west2-a +export ZONE="us-west2-a" +gcloud container clusters create "${NAME}" --zone ${ZONE} +gcloud container clusters get-credentials "${NAME}" --zone ${ZONE} ``` {{% /tab %}} From 9c7013c3bdf01036c8ef31f1e2f4becf3b5e2648 Mon Sep 17 00:00:00 2001 From: John Fastabend Date: Wed, 18 Oct 2023 14:45:07 -0700 Subject: [PATCH 3/7] tetragon: gcloud install single node Lets create a single node cluster than we can avoid teaching how to connect to a specific node for the quickstart Signed-off-by: John Fastabend --- docs/content/en/docs/getting-started/install-k8s.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/en/docs/getting-started/install-k8s.md b/docs/content/en/docs/getting-started/install-k8s.md index 34532d2b8f2..4089a1ef2c3 100644 --- a/docs/content/en/docs/getting-started/install-k8s.md +++ b/docs/content/en/docs/getting-started/install-k8s.md @@ -12,7 +12,7 @@ to create a Kubernetes cluster locally or using a managed Kubernetes service: {{< tabpane text=true >}} {{% tab GKE %}} -The following commands create a Kubernetes cluster using [Google +The following commands create a single node Kubernetes cluster using [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine). See [Installing Google Cloud SDK](https://cloud.google.com/sdk/install) for instructions on how to install `gcloud` and prepare your account. 
@@ -20,7 +20,7 @@ instructions on how to install `gcloud` and prepare your account. ```shell-session export NAME="$(whoami)-$RANDOM" export ZONE="us-west2-a" -gcloud container clusters create "${NAME}" --zone ${ZONE} +gcloud container clusters create "${NAME}" --zone ${ZONE} --num-nodes=1 gcloud container clusters get-credentials "${NAME}" --zone ${ZONE} ``` {{% /tab %}} From cc544fefe988d26d18f33dd5741e49a65864fade Mon Sep 17 00:00:00 2001 From: John Fastabend Date: Wed, 18 Oct 2023 14:39:22 -0700 Subject: [PATCH 4/7] tetragon: docs drop namespace of enforcement We didn't create the demo app in a namespace earlier so assuming its in one is wrong. Signed-off-by: John Fastabend --- docs/content/en/docs/getting-started/enforcement.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/en/docs/getting-started/enforcement.md b/docs/content/en/docs/getting-started/enforcement.md index fe4652079d2..799ee0f916f 100644 --- a/docs/content/en/docs/getting-started/enforcement.md +++ b/docs/content/en/docs/getting-started/enforcement.md @@ -6,8 +6,8 @@ description: "Policy Enforcement" This adds a network and file policy enforcement on top of execution, file tracing and networking policy already deployed in the quick start. In this use case we use -a namespace filter to limit the scope of the enforcement policy to just the `darkstar` -cluster we installed the demo application in from the +a namespace filter to limit the scope of the enforcement policy to just the `default` +namespace we installed the demo application in from the [Quick Kubernetes Install]({{< ref "docs/getting-started/install-k8s" >}}). This highlights two important concepts of Tetragon. First in kernel filtering From 6608ed43ba74338884ee73a89533b0765bee4012 Mon Sep 17 00:00:00 2001 
From: John Fastabend Date: Wed, 18 Oct 2023 15:29:01 -0700 Subject: [PATCH 5/7] tetragon: docs still filter getevents json output Even though we don't want to show compact form lets still filter the getevents output to just xwing. Signed-off-by: John Fastabend --- docs/content/en/docs/getting-started/execution.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/en/docs/getting-started/execution.md b/docs/content/en/docs/getting-started/execution.md index 6cbae6c4e1b..d03e305e060 100644 --- a/docs/content/en/docs/getting-started/execution.md +++ b/docs/content/en/docs/getting-started/execution.md @@ -53,7 +53,7 @@ For the complete exec event in JSON format remove the compact option. {{< tabpane lang=shel-session >}} {{< tab Kubernetes >}} -kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents +kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents --pods xwing {{< /tab >}} {{< tab Docker >}} docker exec tetragon-container tetra getevents From f9f6902159e51444d013eac390a08c2022d978bd Mon Sep 17 00:00:00 2001 From: John Fastabend Date: Wed, 18 Oct 2023 15:30:54 -0700 Subject: [PATCH 6/7] tetragon docs: cut'n'paste write to /etc example Add a cut'n'paste example for writing. Signed-off-by: John Fastabend --- docs/content/en/docs/getting-started/file-events.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/content/en/docs/getting-started/file-events.md b/docs/content/en/docs/getting-started/file-events.md index 2441f1a38df..e891c6cfc01 100644 --- a/docs/content/en/docs/getting-started/file-events.md +++ b/docs/content/en/docs/getting-started/file-events.md 
@@ -70,6 +70,17 @@ This will generate a read event (Docker events will omit Kubernetes metadata), Attempts to write in sensitive directories will similar create an event. For example attempting to write in `/etc`. +{{< tabpane lang=shell-session >}} +{{< tab Kubernetes >}} +kubectl exec -ti xwing -- bash -c 'echo foo >> /etc/bar' +{{< /tab >}} +{{< tab Docker >}} +cat /etc/shadow +{{< /tab >}} +{{< /tabpane >}} + +Will result in the following output in the tetra CLI. + ``` 🚀 process default/xwing /bin/bash -c "echo foo >> /etc/bar" 📝 write default/xwing /bin/bash /etc/bar From 7ce5a89fc79f2c77111cede7e18092739eca6499 Mon Sep 17 00:00:00 2001 From: John Fastabend Date: Wed, 18 Oct 2023 15:38:30 -0700 Subject: [PATCH 7/7] tetragon: docs use default project for commands Signed-off-by: John Fastabend --- docs/content/en/docs/getting-started/enforcement.md | 2 +- docs/content/en/docs/getting-started/network.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/content/en/docs/getting-started/enforcement.md b/docs/content/en/docs/getting-started/enforcement.md index 799ee0f916f..3bad986ea92 100644 --- a/docs/content/en/docs/getting-started/enforcement.md +++ b/docs/content/en/docs/getting-started/enforcement.md @@ -49,7 +49,7 @@ export PODCIDR=`kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}'` {{< tabpane lang=shell-session >}} {{< tab GKE >}} -export SERVICECIDR=$(gcloud container clusters describe ${NAME} --zone ${ZONE} --project ${PROJECT} | awk '/servicesIpv4CidrBlock/ { print $2; }') +export SERVICECIDR=$(gcloud container clusters describe ${NAME} --zone ${ZONE} | awk '/servicesIpv4CidrBlock/ { print $2; }') {{< /tab >}} {{< tab Kind >}} diff --git a/docs/content/en/docs/getting-started/network.md b/docs/content/en/docs/getting-started/network.md index 1c3170f2c30..418df71ec9f 100644 --- a/docs/content/en/docs/getting-started/network.md +++ b/docs/content/en/docs/getting-started/network.md 
@@ -18,12 +18,12 @@ export PODCIDR=`kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}'` ``` The services CIDR can then be fetched depending on environment. We -require environment variables ZONE, PROJECT, and NAME from install steps. +require environment variables ZONE and NAME from install steps. {{< tabpane lang=shell-session >}} {{< tab GKE >}} -export SERVICECIDR=$(gcloud container clusters describe ${NAME} --zone ${ZONE} --project ${PROJECT} | awk '/servicesIpv4CidrBlock/ { print $2; }') +export SERVICECIDR=$(gcloud container clusters describe ${NAME} --zone ${ZONE} | awk '/servicesIpv4CidrBlock/ { print $2; }') {{< /tab >}} {{< tab Kind >}}
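Review bot: in the install-k8s.md hunk of PATCH 2/7, `${ZONE}` is expanded unquoted on both `gcloud` lines while `"${NAME}"` on the same lines is quoted; write `--zone "${ZONE}"` for consistency. Since enforcement.md and network.md (PATCH 7/7) later read `NAME` and `ZONE` from the environment, the install text should also state that these exports must stay in the same shell session: `NAME` carries a `$RANDOM` suffix and cannot be reconstructed in a new shell.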
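Review bot: the `--num-nodes=1` change in PATCH 3/7 is fine and matches the new "single node" wording in the first hunk; the commit message should read "then we can avoid" rather than "than we can avoid".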
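Review bot: in the execution.md hunk of PATCH 5/7 the unchanged context line `{{< tabpane lang=shel-session >}}` misspells `shell-session` (every other tabpane in this series uses `lang=shell-session`); fix it here since the commit already touches this block. The sentence above the block still only says "remove the compact option", so it should now also mention the `--pods xwing` filter the Kubernetes command applies, otherwise readers expect the Docker tab below (which stays unfiltered) to behave the same way.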
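Review bot: in the file-events.md hunk of PATCH 6/7 the Docker tab runs `cat /etc/shadow`, which is a read, while the paragraph is about writes to `/etc` and the expected output below shows a `📝 write` event for `/etc/bar`; use the same write in the Docker tab, e.g. `bash -c 'echo foo >> /etc/bar'` via `docker exec` against whichever demo container name the guide's other Docker tabs use. The new line "Will result in the following output in the tetra CLI." is a sentence fragment ("This will result in ..."), and the context line "will similar create an event" should read "will similarly create an event".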
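Review bot: in both hunks of PATCH 7/7, dropping `--project ${PROJECT}` makes the `gcloud container clusters describe` calls depend on the `gcloud` configured default project; that is consistent with the `clusters create` command in install-k8s.md, which also passes no `--project`, but the network.md sentence "require environment variables ZONE and NAME from install steps" should add that the cluster must live in the currently configured project. Style point: `--format='value(servicesIpv4CidrBlock)'` would replace the `awk '/servicesIpv4CidrBlock/ { print $2; }'` pipeline and not depend on the YAML key/value layout of the describe output.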