eBPF: Tetragon Security for IRIS Workloads
Runtime Enforcement

So far in the eBPF journey applied to InterSystems workloads, we’ve been pretty much “read-only” when it comes to system calls, binary execution, and file monitoring. But much like the network security policies that enforce connectivity, what if we could enforce system calls, file access, and processes across an entire cluster?
Enter Tetragon.
Tetragon is a flexible, Kubernetes-aware security observability and runtime enforcement tool. It applies policy and filtering directly with eBPF, allowing for reduced observation overhead, tracking of any process, and real-time enforcement of policies.
It provides enforcement when your application can’t.
Where it Runs
Tetragon provides observability and enforcement cluster-wide.
Up and Running
Here are the steps to get up and running, performed in the style of an Isovalent Lab.
Cluster
We’ll use a Kind cluster, 3 worker nodes wide, without a default CNI.
cat <<EOF | kind create cluster --config=-
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker
- role: worker
- role: worker
networking:
  disableDefaultCNI: true
EOF
Cilium
Install Cilium to provide the networking foundation.
helm install cilium cilium/cilium --version 1.16.1 \
  --namespace kube-system \
  --set operator.replicas=1 \
  --set hubble.enabled=true \
  --set hubble.ui.enabled=true
Tetragon
Install the Tetragon agent.
helm install tetragon cilium/tetragon --namespace kube-system

InterSystems IRIS
Deploy a simple IRIS workload.
kubectl run iris-priv --image=containers.intersystems.com/intersystems/iris-community:2024.2 --privileged

Runtime Enforcement
Let’s look at a practical use case: forbidding any process from calling out and “catting” the InterSystems license file.
For this, we apply a TracingPolicy whose selectors carry matchActions. The policy essentially says: “If you run cat /usr/irissys/mgr/iris.key, I am going to SIGKILL the process.” It does so in two steps: the fd_install kprobe tags (FollowFD) any file descriptor opened on the listed paths, and the __x64_sys_read kprobe sends SIGKILL to whichever process then reads from a tagged descriptor.
kubectl apply -f - <<EOF
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "iris-read-file-sigkill"
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    return: false
    args:
    - index: 0
      type: int
    - index: 1
      type: "file"
    selectors:
    - matchPIDs:
      - operator: NotIn
        followForks: true
        isNamespacePID: true
        values:
        - 1
      matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/usr/irissys/secrets/"
        - "/usr/irissys/mgr/iris.key"
      matchActions:
      - action: FollowFD
        argFd: 0
        argName: 1
  - call: "__x64_sys_read"
    syscall: true
    args:
    - index: 0
      type: "fd"
    selectors:
    - matchActions:
      - action: Sigkill
EOF
Once deployed, the TracingPolicy is active.

Now, let’s try to access the file:
The command fails with a cryptic error for the user, but behind the scenes, Tetragon administratively blocked it and sent a SIGKILL to the process!
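To see those enforcements cluster-wide rather than from the user's side, here is an added Python example (not from the original post or the Tetragon project) that reads Tetragon's JSON event export line by line and lists every SIGKILL together with the file that triggered it. The event field layout (process_kprobe with process, function_name, args and action) is an assumption based on Tetragon's JSON export, and the sample lines are constructed for this example.

```python
import json

# Constructed sample lines in the shape of Tetragon's JSON event export (assumed layout:
# process_kprobe carrying process, function_name, args and action). Not real captured data.
SAMPLE_EVENTS = """\
{"process_kprobe":{"process":{"exec_id":"a1","binary":"/usr/bin/cat","arguments":"/usr/irissys/mgr/iris.key","pod":{"namespace":"default","name":"iris-priv"}},"function_name":"fd_install","args":[{"int_arg":3},{"file_arg":{"path":"/usr/irissys/mgr/iris.key"}}],"action":"KPROBE_ACTION_FOLLOWFD"},"node_name":"kind-worker","time":"2024-09-01T10:00:00.000Z"}
{"process_kprobe":{"process":{"exec_id":"a1","binary":"/usr/bin/cat","arguments":"/usr/irissys/mgr/iris.key","pod":{"namespace":"default","name":"iris-priv"}},"function_name":"__x64_sys_read","args":[{"int_arg":3}],"action":"KPROBE_ACTION_SIGKILL"},"node_name":"kind-worker","time":"2024-09-01T10:00:00.001Z"}
{"process_exec":{"process":{"exec_id":"b2","binary":"/bin/ls"}},"node_name":"kind-worker","time":"2024-09-01T10:00:01.000Z"}
not-json-noise-line
"""

SIGKILL, FOLLOWFD = "KPROBE_ACTION_SIGKILL", "KPROBE_ACTION_FOLLOWFD"

def _file_path(args):
    """First file path carried in a kprobe's args, or None (fd-typed args may carry only the fd number)."""
    for arg in args:
        if "path" in arg.get("file_arg", {}):
            return arg["file_arg"]["path"]
    return None

def summarize_kills(lines):
    """Walk Tetragon JSON events in order and return one record per SIGKILL enforcement.
    The policy tags the fd at fd_install (FollowFD) and kills on the later read, so the path is
    remembered per exec_id from the FollowFD event and attached to the kill, which may name only the fd."""
    tracked = {}   # exec_id -> path tagged by a FollowFD action
    kills = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue               # the export can interleave non-JSON lines; skip them
        kp = ev.get("process_kprobe") if isinstance(ev, dict) else None
        if not kp:
            continue               # process_exec / process_exit events carry no action
        proc = kp.get("process", {})
        exec_id = proc.get("exec_id", "")
        path = _file_path(kp.get("args", []))
        if kp.get("action") == FOLLOWFD and path:
            tracked[exec_id] = path
        elif kp.get("action") == SIGKILL:
            pod = proc.get("pod", {})
            kills.append({
                "time": ev.get("time"), "node": ev.get("node_name"),
                "pod": f"{pod.get('namespace', '?')}/{pod.get('name', '?')}",
                "binary": proc.get("binary"), "arguments": proc.get("arguments", ""),
                "function": kp.get("function_name"),
                "file": path or tracked.get(exec_id, "<unknown>"),
            })
    return kills
```

Feed it the lines of the Tetragon export (for instance the agent's export-stdout container log) to get one record per killed process with pod, binary, arguments and the protected file it touched.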
Experiments
I’ve been experimenting with hundreds of policies. Here are a few notable ones:
System Calls per Binary
You can literally nerd out and see every system call made by each binary in your cluster.

Global File Access
This TracingPolicy shows every process accessing every file in the cluster—a mesmerizing amount of detail.

You can find more examples in the Tetragon GitHub repository, covering:
- Process attributes
- Command-line arguments
- Network activity
- File system operations
Runtime enforcement is the next level of security for your IRIS workloads!