-
Notifications
You must be signed in to change notification settings - Fork 359
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Djalal Harouni <[email protected]>
- Loading branch information
Showing
1 changed file
with
234 additions
and
0 deletions.
There are no files selected for viewing
234 changes: 234 additions & 0 deletions
234
...ntent/en/docs/use-cases/linux-process-credentials/monitor-linux-capabilities.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,234 @@ | ||
| --- | ||
| title: "Monitor Linux Capabilities Usage" | ||
| weight: 5 | ||
| icon: "overview" | ||
| description: "Monitor Capability checks performed by the kernel" | ||
| --- | ||
|
|
||
| When a process perfroms a privileged operation, the kernel will carry out a permission check | ||
| on that process and issue a verdict to allow or deny that same operation according to the | ||
| process [Capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html). | ||
|
|
||
| Tetragon is able to monitor such [Capability](https://man7.org/linux/man-pages/man7/capabilities.7.html) | ||
| checks performed by the kernel. | ||
|
|
||
| This answers the questions: | ||
|
|
||
| > What capabilities are being triggered by a process or a container in my Kubernetes cluster? | ||
| > I want to [configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) and | ||
| restrict the [capabilities of my containers](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container), but what capabilities should I add or remove? | ||
|
|
||
|
|
||
| Before going forward, verify that all pods are up and running, ensure you deploy our Demo Application to explore the Security Observability Events: | ||
|
|
||
| ```bash | ||
| kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.11/examples/minikube/http-sw-app.yaml | ||
| ``` | ||
|
|
||
| It might take several seconds for some pods until they satisfy all the dependencies: | ||
|
|
||
| ```bash | ||
| kubectl get pods -A | ||
| NAMESPACE NAME READY STATUS RESTARTS AGE | ||
| default deathstar-54bb8475cc-6c6lc 1/1 Running 0 2m54s | ||
| default deathstar-54bb8475cc-zmfkr 1/1 Running 0 2m54s | ||
| default tiefighter 1/1 Running 0 2m54s | ||
| default xwing 1/1 Running 0 2m54s | ||
| kube-system tetragon-sdwv6 2/2 Running 0 27m | ||
| ``` | ||
|
|
||
| ## Monitor Capability Checks | ||
|
|
||
| We use the [creds-capability-usage](https://raw.githubusercontent.com/cilium/tetragon/main/examples/tracingpolicy/process-credentials/creds-capability-usage.yaml) Tracing Policy that will generate a [ProcessKprobe](https://tetragon.cilium.io/docs/reference/grpc-api/#processkprobe) event. | ||
|
|
||
| {{< note >}} | ||
| The capability checks are triggered on behalf of applications when they perform some privileged operations, this means that such Tracing Policies may generate a high number of events. | ||
|
|
||
| In order to reduce the number of events, the [creds-capability-usage](https://raw.githubusercontent.com/cilium/tetragon/main/examples/tracingpolicy/process-credentials/creds-capability-usage.yaml) rate limit the same event to 1 minute. | ||
| {{< /note >}} | ||
|
|
||
| Now let's apply the [creds-capability-usage](https://raw.githubusercontent.com/cilium/tetragon/main/examples/tracingpolicy/process-credentials/creds-capability-usage.yaml) Tracing Policy. | ||
|
|
||
| ```bash | ||
| kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/tracingpolicy/process-credentials/creds-capability-usage.yaml | ||
|
|
||
| ``` | ||
|
|
||
| Then we start monitoring for events with `tetra` cli: | ||
| ```bash | ||
| kubectl exec -it -n kube-system ds/tetragon -c tetragon -- tetra getevents | ||
| ``` | ||
|
|
||
| In another terminal, kubectl exec into the xwing pod: | ||
|
|
||
| ```bash | ||
| kubectl exec -it xwing -- /bin/bash | ||
| ``` | ||
|
|
||
| As an example execute [dmesg](https://man7.org/linux/man-pages/man1/dmesg.1.html) to try to print the kernel ring buffer. This requires the special capability `CAP_SYSLOG`: | ||
|
|
||
| ```bash | ||
| dmesg | ||
| dmesg: klogctl: Operation not permitted | ||
| ``` | ||
|
|
||
| The `tetra` cli will generate the following [ProcessKprobe](https://tetragon.cilium.io/docs/reference/grpc-api/#processkprobe) events: | ||
|
|
||
| ```json | ||
| { | ||
| "process_kprobe": { | ||
| "process": { | ||
| "exec_id": "a2luZC1jb250cm9sLXBsYW5lOjEyODQyNzgzMzUwNjg0OjczODYw", | ||
| "pid": 73860, | ||
| "uid": 0, | ||
| "cwd": "/", | ||
| "binary": "/bin/dmesg", | ||
| "flags": "execve rootcwd clone", | ||
| "start_time": "2023-07-06T10:13:33.834390020Z", | ||
| "auid": 4294967295, | ||
| "pod": { | ||
| "namespace": "default", | ||
| "name": "xwing", | ||
| "container": { | ||
| "id": "containerd://cfb961400ff25811d22d139a10f6a62efef53c2ecc11af47bc911a7f9a2ac1f7", | ||
| "name": "spaceship", | ||
| "image": { | ||
| "id": "docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6", | ||
| "name": "docker.io/tgraf/netperf:latest" | ||
| }, | ||
| "start_time": "2023-07-06T08:07:30Z", | ||
| "pid": 171 | ||
| }, | ||
| "pod_labels": { | ||
| "app.kubernetes.io/name": "xwing", | ||
| "class": "xwing", | ||
| "org": "alliance" | ||
| } | ||
| }, | ||
| "docker": "cfb961400ff25811d22d139a10f6a62", | ||
| "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjEyODQyMTI3MTIwOTcyOjczODUw", | ||
| "refcnt": 1, | ||
| "ns": { | ||
| "uts": { | ||
| "inum": 4026534655 | ||
| }, | ||
| "ipc": { | ||
| "inum": 4026534656 | ||
| }, | ||
| "mnt": { | ||
| "inum": 4026534731 | ||
| }, | ||
| "pid": { | ||
| "inum": 4026534732 | ||
| }, | ||
| "pid_for_children": { | ||
| "inum": 4026534732 | ||
| }, | ||
| "net": { | ||
| "inum": 4026534512 | ||
| }, | ||
| "time": { | ||
| "inum": 4026531834, | ||
| "is_host": true | ||
| }, | ||
| "time_for_children": { | ||
| "inum": 4026531834, | ||
| "is_host": true | ||
| }, | ||
| "cgroup": { | ||
| "inum": 4026534733 | ||
| }, | ||
| "user": { | ||
| "inum": 4026531837, | ||
| "is_host": true | ||
| } | ||
| }, | ||
| "tid": 73860 | ||
| }, | ||
| "parent": { | ||
| "exec_id": "a2luZC1jb250cm9sLXBsYW5lOjEyODQyMTI3MTIwOTcyOjczODUw", | ||
| "pid": 73850, | ||
| "uid": 0, | ||
| "cwd": "/", | ||
| "binary": "/bin/bash", | ||
| "flags": "execve rootcwd clone", | ||
| "start_time": "2023-07-06T10:13:33.178160018Z", | ||
| "auid": 4294967295, | ||
| "pod": { | ||
| "namespace": "default", | ||
| "name": "xwing", | ||
| "container": { | ||
| "id": "containerd://cfb961400ff25811d22d139a10f6a62efef53c2ecc11af47bc911a7f9a2ac1f7", | ||
| "name": "spaceship", | ||
| "image": { | ||
| "id": "docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6", | ||
| "name": "docker.io/tgraf/netperf:latest" | ||
| }, | ||
| "start_time": "2023-07-06T08:07:30Z", | ||
| "pid": 165 | ||
| }, | ||
| "pod_labels": { | ||
| "app.kubernetes.io/name": "xwing", | ||
| "class": "xwing", | ||
| "org": "alliance" | ||
| } | ||
| }, | ||
| "docker": "cfb961400ff25811d22d139a10f6a62", | ||
| "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjEyODQyMDgxNTA3MzUzOjczODQx", | ||
| "refcnt": 2, | ||
| "tid": 73850 | ||
| }, | ||
| "function_name": "cap_capable", | ||
| "args": [ | ||
| { | ||
| "user_namespace_arg": { | ||
| "level": 0, | ||
| "uid": 0, | ||
| "gid": 0, | ||
| "ns": { | ||
| "inum": 4026531837, | ||
| "is_host": true | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "capability_arg": { | ||
| "value": 34, | ||
| "name": "CAP_SYSLOG" | ||
| } | ||
| } | ||
| ], | ||
| "return": { | ||
| "int_arg": -1 | ||
| }, | ||
| "action": "KPROBE_ACTION_POST" | ||
| }, | ||
| "node_name": "kind-control-plane", | ||
| "time": "2023-07-06T10:13:33.834882128Z" | ||
| } | ||
| ``` | ||
|
|
||
| In addition to the Kubernetes Identity and process metadata from exec events, [ProcessKprobe](https://tetragon.cilium.io/docs/reference/grpc-api/#processkprobe) events contain the arguments of the observed system call. In the above case they are: | ||
|
|
||
| * `function_name`: that is the `cap_capable` kernel function. | ||
|
|
||
| * `user_namespace_arg`: is the [user namespace](https://tetragon.cilium.io/docs/reference/grpc-api/#usernamespace) where the capability is required. | ||
|
|
||
| * `level`: is the nested level of the user namespace. Here it is zero which indicates the initial user namespace. | ||
| * `uid`: is the user ID of the owner of the user namespace. | ||
| * `gid`: is the group ID of the owner of the user namespace. | ||
| * [ns](https://tetragon.cilium.io/docs/reference/grpc-api/#namespace): details the information about the namespace, the `is_host` indicates that the target user namespace where the capability is required is the host namespace. | ||
|
|
||
| * `capability_arg`: is the capability required to perform the operation. In this example reading the kernel ring buffer. | ||
|
|
||
| * `value`: is the integer number of the required capability. | ||
| * `name`: is the name of the required capability. Here it is the `CAP_SYSLOG`. | ||
|
|
||
| * `return`: indicates via the `int_arg` that is an integer value, if the capability check succeeded or failed. Here `-1` means that it failed and the operation was denied by the kernel. | ||
|
|
||
| To disable the [creds-capability-usage](https://raw.githubusercontent.com/cilium/tetragon/main/examples/tracingpolicy/process-credentials/creds-capability-usage.yaml) run: | ||
|
|
||
| ```bash | ||
| kubectl delete -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/tracingpolicy/process-credentials/creds-capability-usage.yaml | ||
| ``` |