Security Observability with eBPF and Cilium Tetragon

Security Observability is a new paradigm that utilizes eBPF, a Linux kernel technology, to allow Security and DevOps teams, SREs, Cloud Engineers, and Solution Architects to gain real-time visibility into Kubernetes and helps to secure your production environment with Cilium Tetragon.

Cilium Tetragon is an open source Security Observability and Runtime Enforcement tool from the makers of Cilium. It captures different process and network event types through a user-supplied configuration to enable security observability on arbitrary hook points in the kernel; then translates these events into actionable signals for a Security Team.

The best way to learn about Security Observability and Cilium Tetragon is to read the book “Security Observability with eBPF” by Jed Salazar and Natalia Reka Ivanko. And the best way to have your first experience with Cilium Tetragon is to walk through this lab, which takes the Real World Attack example out of the book and teaches you how to detect a container escape step by step!

VersionOpen Source

Main steps in the lab

01📦 First steps with Cilium Tetragon

Install Cilium Tetragon, verify it’s up and running, start identifying the security observability events

02📛 Let's reach the host namespace!

Execute the first step of the attack

03🦶 Maintain your foothold

Execute the second step of the attack

04🐍 Execute a malicious python script in memory

Execute the third step of the attack

Related labs