About this video
What You'll Learn
- Install Tetragon on Linux from GitHub releases and run it as a systemd service
- Inspect live process events with tetra get events and relate output to running commands
- Add a tracing policy for kernel module activity and apply it in Kubernetes with Helm
Install Tetragon on a Linux host via the GitHub release and as a systemd service, then deploy it to Kubernetes with Helm. Add a TracingPolicy that hooks kernel probes to monitor module loading, and inspect events with the tetra CLI.
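The video reads the `tetra getevents` output by eye; as an added example (not code from the video or from the Tetragon project), the following Python script parses a constructed sample of that JSON event stream and relates the `wall` and `modprobe` executions to the kprobe hits from the monitor-kernel-modules policy. The field names (`process_exec`, `process_kprobe`, `process_exit`, `function_name`, `binary`, `arguments`, `pid`, `exec_id`) are assumed to match Tetragon's JSON event format; the PIDs, paths, timestamps and the truncated line are made up.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of `tetra getevents` JSON output, one event per line.
# The field names (process_exec, process_kprobe, process_exit, function_name,
# binary, arguments, pid, exec_id) are assumed to match Tetragon's JSON event
# format; the processes, PIDs and timestamps are made up for this example.
SAMPLE_EVENTS = """\
{"process_exec":{"process":{"exec_id":"c1","pid":4242,"binary":"/usr/bin/wall","arguments":"hello"}},"time":"2024-01-01T10:00:00Z"}
{"process_exec":{"process":{"exec_id":"c2","pid":4300,"binary":"/usr/sbin/modprobe","arguments":"zfs"}},"time":"2024-01-01T10:00:05Z"}
{"process_kprobe":{"process":{"exec_id":"c2","pid":4300,"binary":"/usr/sbin/modprobe"},"function_name":"security_kernel_module_request","args":[{"string_arg":"zfs"}]},"time":"2024-01-01T10:00:05Z"}
{"process_kprobe":{"process":{"exec_id":"c2","pid":4300,"binary":"/usr/sbin/modprobe"},"function_name":"security_kernel_read_file","args":[]},"time":"2024-01-01T10:00:05Z"}
{"process_kprobe":{"process":{"exec_id":"c2","pid":4300,"binary":"/usr/sbin/modprobe"},"function_name":"do_init_module","args":[]},"time":"2024-01-01T10:00:06Z"}
{"process_kprobe":{"process":{"exec_id":"c2","pid":4300,"binary":"/usr/sbin/modprobe"},"function_name":"do_init_module","args":[]},"time":"2024-01-01T10:00:06Z"}
not valid json -- a truncated line, as happens when the stream is cut mid-write
{"process_exit":{"process":{"exec_id":"c2","pid":4300,"binary":"/usr/sbin/modprobe"},"status":0},"time":"2024-01-01T10:00:07Z"}
"""

# The four kernel functions the monitor-kernel-modules policy hooks with kprobes.
MODULE_HOOKS = frozenset({
    "security_kernel_module_request",
    "security_kernel_read_file",
    "do_init_module",
    "free_module",
})


def parse_events(text):
    """Parse newline-delimited JSON events; malformed lines are counted and skipped."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def summarize(events):
    """Group events into process executions, per-binary kprobe hit counts and exit codes."""
    execs = []                      # (pid, binary, arguments), in stream order
    hooks = defaultdict(Counter)    # binary -> Counter(function_name)
    exits = {}                      # exec_id -> exit status
    for ev in events:
        if "process_exec" in ev:
            p = ev["process_exec"]["process"]
            execs.append((p["pid"], p["binary"], p.get("arguments", "")))
        elif "process_kprobe" in ev:
            kp = ev["process_kprobe"]
            fn = kp.get("function_name", "")
            if fn in MODULE_HOOKS:
                hooks[kp["process"]["binary"]][fn] += 1
        elif "process_exit" in ev:
            px = ev["process_exit"]
            exits[px["process"]["exec_id"]] = px.get("status")
    return {"execs": execs, "module_hooks": dict(hooks), "exits": exits}


def module_loaders(events):
    """Binaries that triggered any of the kernel-module hooks, sorted by path."""
    return sorted(summarize(events)["module_hooks"])


if __name__ == "__main__":
    evs, skipped = parse_events(SAMPLE_EVENTS)
    s = summarize(evs)
    print(f"{len(evs)} events parsed, {skipped} malformed line(s) skipped")
    for pid, binary, args in s["execs"]:
        print(f"exec  pid={pid} {binary} {args}")
    for binary, counts in s["module_hooks"].items():
        print(f"module activity from {binary}: {dict(counts)}")
```

Piping real output into it (`tetra getevents | python3 summarize.py`, reading stdin instead of `SAMPLE_EVENTS`) gives a per-binary view of which module hooks fired, which is the information the compact output scrolls past once more processes are running.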
Jump to a chapter
- 0:00 Introduction
- 0:30 Video Focus: Installing on Linux
- 0:45 Installation
- 0:46 Installation Options (Linux vs. Kubernetes)
- 1:46 Tetragon
- 2:30 Demonstration
- 3:40 Process Visibility
- 3:54 Tracing Policies Introduction
- 4:08 Adding a Tracing Policy (Kernel Modules Example)
- 4:50 Examining the Policy Definition (YAML)
- 5:31 Tracing Policy Demonstration
- 6:44 Kubernetes
- 7:08 Deploying to Kubernetes (Helm)
- 7:46 Applying Policies in Kubernetes
- 8:10 Conclusion & What's Next
Full transcript
Generated from the English captions. Timestamps jump the player to that moment.
0:00 Introduction
0:00 Hello. Welcome back to the Rawkode Academy. Today, we're gonna take a look at a project called Tetragon. Tetragon is an eBPF-based security and observability tool with runtime enforcement. Consuming policies written by you, Tetragon will run across your fleet of infrastructure and assure that your applications are behaving. We'll be taking a look at a few examples of what that actually means. But, of course, before we get into the really cool features of Tetragon, we need to get it running. So in this quick video, let's take a look and install Tetragon onto a Linux host.
0:30 Video Focus: Installing on Linux
0:43 Let's go. So here we are on the Tetragon homepage. First thing we're gonna do is go to documentation. From here, we're going to click on installation. Now we should note there are multiple ways to install Tetragon. You can install Tetragon directly to the Linux host, and it will run as a systemd service. However, if you wish, you can deploy it as a container or deploy it with a Helm chart to Kubernetes. Now, of course, we're gonna take a look at running Tetragon with Kubernetes. It is the best way to run it because it hooks into the Kubernetes resource model
0:46 Installation Options (Linux vs. Kubernetes)
1:18 and allows you to configure Tetragon with everyone's favorite programming language, YAML, YAML, and more YAML. Allowing us to use custom resource definitions to configure Tetragon is just the easiest way when you're shipping this stuff to production. But if you just want to start playing and exploring with Tetragon, installing it to a Linux host is also just fine. So let's get acquainted with Tetragon, and then we'll take a look at the Kubernetes installation. So from here, we can see that we can grab Tetragon from the GitHub releases. This is all pretty standard, pretty normal, no surprises here.
1:46 Tetragon
1:56 Let's copy this command and run. We can then untar and install. Child's play. Now we can start the systemd service. I don't need sudo because, hey, I'm Rawkode. We can see that Tetragon is now running on our host. Awesome. So now that Tetragon is running, let's see it in action in its very simple form. So let's run echo wall hello, and we're gonna pipe this to at, where we do plus one minute. This will run the wall command in exactly one minute from now. That gives us enough time to then use the tetra CLI, where we can run getevents.
2:30 Demonstration
3:01 Getevents is gonna show us all the things that Tetragon is aware of in the cluster without any policies or configuration at the moment. And we can already see some processes running in the background, and there is our wall event. And what we can see here is that we got some JSON blobs here that tell us that the wall command was executed with the argument hello, with the PID, the shell, times, all the information that you need to understand the processes on a Linux machine. Now process management, or at least process visibility, is something that
3:40 Process Visibility
3:44 you get out of the box when you are running Tetragon. No matter what command I run on this machine, we will see it in the getevents output. Where Tetragon really shines is where we start to enrich or add our own tracing policies, hooking into the kernel and defining a set of actions that should happen in response. So let's take a quick look at adding a tracing policy that shows us whenever someone is messing around with the modules loaded into our Linux kernel. So the first thing we're gonna do is run tetra tracingpolicy list.
4:08 Adding a Tracing Policy (Kernel Modules Example)
4:27 And you can see at the moment we have no tracing policies added to Tetragon. We can run that command again with add, this time pointing it to our trace.yaml. Now when we run the list, we can see that we have something called monitor-kernel-modules, enabled true. Now let's take a look at our trace.yaml. We can see it looks like a Kubernetes custom resource because it is a Kubernetes custom resource. Even though we haven't deployed Tetragon to Kubernetes yet, we're using the same configuration to add our own tracing policies. And here, we're specifically adding some kprobes,
4:50 Examining the Policy Definition (YAML)
5:09 kernel probes, to monitor for security kernel events, such as module_request, read_file, do_init_module, and free_module. Now there aren't any actions attached to this policy yet, but what we will see is that as we interact with kernel modules, Tetragon will tell us everything that we need to know. So let's split this session in half and SSH onto the machine. On the top, we're going to run tetra getevents. This time we'll add the flag -o compact just so it doesn't take up as much vertical real estate as we get more logs.
5:31 Tracing Policy Demonstration
5:53 To confirm that this is still working, we'll run ls and we see lots of output. So what about kernel modules? Well, we can run lsmod, and so far we're just seeing the processes that we're running. Well, let's run modprobe zfs. And if we scroll up, of course, we see the processes that were executed. But we can also see, after we executed modprobe zfs, we have all these syscalls that we asked Tetragon to monitor: security_kernel_read_file, do_init_module, all the way down. Modprobe handles dependencies when you're loading a module onto the kernel.
6:36 So, of course, we're gonna see multiple modules loaded before our modprobe command exits with a successful code of zero. Neat. So we're not gonna take a look at adding actions just yet. We're gonna dive into that more as we explore process life cycle and file access in the next two videos. But the takeaway so far is just that it's very easy to get Tetragon running on a Linux machine. The Tetragon CLI allows you to add and manage your tracing policies as well as to get events to understand what is happening within your system. So I think it's about time we deployed
7:08 Deploying to Kubernetes (Helm)
7:10 this to Kubernetes. So to deploy on Kubernetes, we go back to the documentation. Now we're going to use Helm, so this isn't anything you haven't seen before. We add the repository, do an update, and ask it to install. We can then run kubectl get pods all, and we'll see that our Tetragon pods are now spinning up. And this will just take a moment. Now that it's running, we can do a kubectl apply -f using the same trace.yaml we used on the Linux machine. From here, you can run get tracingpolicy and -o yaml
7:46 Applying Policies in Kubernetes
8:03 to confirm it's the exact same module probe we used earlier. Awesome. So that's installing and getting started with Tetragon. There's a lot of really awesome features that we're gonna dive into, so check out the next two videos as we explore how to build automated actions and runtime enforcement, file access, and process life cycle across Kubernetes and Linux. We'll see you soon.