Jed Salazar - Security Observability with eBPF

by Jed Salazar and Natalia Reka Ivanko

Copyright 2022 OReilly Media Inc. All rights reserved.

Printed in the United States of America.

Published by OReilly Media, Inc. , 1005 Gravenstein Highway North, Sebastopol, CA 95472.

OReilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

• Acquisitions Editor: John Devins
• Development Editor: Shira Evans
• Production Editor: Katherine Tozer
• Copyeditor: nSight, Inc.
• Interior Designer: David Futato
• Cover Designer: Randy Comer
• Illustrator: Kate Dullea

• April 2022: First Edition

The OReilly logo is a registered trademark of OReilly Media, Inc. Security Observability with eBPF, the cover image, and related trade dress are trademarks of OReilly Media, Inc.

The views expressed in this work are those of the authors and do not represent the publishers views. While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

This work is part of a collaboration between OReilly and Isovalent. See our statement of editorial independence.

978-1-098-13318-4

[LSI]

Kubernetes has become the de facto cloud operating system, and every day more and more critical applications are containerized and shifted to a cloud native landscape. This means Kubernetes is quickly becoming a rich target for both passive and targeted attackers. Kubernetes does not provide a default security configuration and provides no observability to discern if your pods or cluster has been attacked or compromised.

Understanding your security posture isnt just about applying security configuration and hoping for the best. Hope isnt a strategy. Just like the site reliability engineering (SRE) principle of service level objectives (SLOs) that [identify] an objective metric to represent the property of a system,

With security observability, we can quickly answer:

• How many pods are running with privileged Linux capabilities in my environment?

• Have any workloads in my environment made a connection to known-bad.actorz.com?

• Show me all local privilege escalation techniques detected in the last 30 days.

• Have any workloads other than Fluentd used S3 credentials?

Achieving observability in a cloud native environment can be complicated. It often requires changes to applications or the management of yet another complex distributed system. However, eBPF provides a lightweight methodology to collect security observability natively in the kernel, without any changes to applications.