improve kubernetes docs (#1028)

* improve kubernetes docs * fix libs requirement * fix configs requirement
aquasecurity · Sep 27, 2021 · e55abba · e55abba
1 parent e9c0165
commit e55abba
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 24 deletions.
diff --git a/Readme.md b/Readme.md
@@ -28,7 +28,7 @@ If running on __BTF enabled kernel__:
 docker run --name tracee --rm --pid=host --privileged -v /tmp/tracee:/tmp/tracee -it aquasec/tracee:latest
 ```
 
-> Note: Running on BTF enabled kernel requires access to the kernel configuration file. Depending on the linux distribution this can be in either `/proc/config.gz` (which docker mounts by default) or `/boot/config-$(uname -r)` (which must be mounted explicitly).
+> Note: Running with BTF requires access to the kernel configuration file. Depending on the linux distribution it can be in either `/proc/config.gz` (which docker mounts by default) or `/boot/config-$(uname -r)` (which must be mounted explicitly).
 
 If running on __BTF disabled kernel__:
 ```bash

diff --git a/docs/index.md b/docs/index.md
@@ -24,7 +24,7 @@ If running on __BTF enabled kernel__:
 docker run --name tracee --rm --pid=host --privileged -v /tmp/tracee:/tmp/tracee -it aquasec/tracee:latest
 ```
 
-> Note: Running on BTF enabled kernel requires access to the kernel configuration file. Depending on the linux distribution this can be in either `/proc/config.gz` (which docker mounts by default) or `/boot/config-$(uname -r)` (which must be mounted explicitly).
+> Note: Running with BTF requires access to the kernel configuration file. Depending on the linux distribution it can be in either `/proc/config.gz` (which docker mounts by default) or `/boot/config-$(uname -r)` (which must be mounted explicitly).
 
 If running on __BTF disabled kernel__:
 ```bash

diff --git a/docs/install/ebpf-compilation.md b/docs/install/ebpf-compilation.md
@@ -24,12 +24,17 @@ Kernel version specific option:
 - GNU Make >= 4.3
 - clang >= 11
 
+## Compiling the eBPF program
+
 You can build the eBPF program in the following ways:
 
 1. Clone the repo (including submodules: `git clone --recursive https://github.com/aquasecurity/tracee.git`) and `make bpf`.
 2. `make bpf DOCKER=1` to build in a Docker container which includes all development tooling.
 
-Running this will produce a file called `tracee.bpf.$kernelversion.$traceeversion.o` under the `dist` directory.  
+Running this will produce a file called `tracee.bpf.$kernelversion.$traceeversion.o` under the `dist` directory.
+
+## Using compiled eBPF program
+
 Once you have the eBPF program artifact, you can provide it to Tracee in any of the following locations:
 
 1. Path specified in `TRACEE_BPF_FILE` environment variable

diff --git a/docs/install/kubernetes.md b/docs/install/kubernetes.md
@@ -1,14 +1,15 @@
 # Deploy on Kubernetes
 
-> NOTE This approach assumes that kernel headers are available on the Kubernetes nodes under conventional location, e.g /usr/src and /lib/modules. More details about [Minimal Requirements to run tracee in the Kubernetes nodes](https://aquasecurity.github.io/tracee/dev/install/prerequisites/)
+In the [deploy/kubernetes](https://github.com/aquasecurity/tracee/blob/main/deploy/kubernetes) directory you can find Yaml files that deploys Tracee in a Kubernetes environment. This will deploy Tracee as a daemonset, alongside [falcosidekick](integrations.md#falcosidekick-webhook) so that you can conveniently consume Tracee's detections.
 
- ``` bash
- kubectl create -f deploy/kubernetes
- ```
+To install, simply `kubectl create -f deploy/kubernetes`.
 
-## Setting Webhook ConfigMap
+## Platform support
 
-This sample deploy use falcosidekick.tmpl and a config map for the falcosidekick settings (webhook-cm.yaml). Edit the ConfigMap with the respective values.
+This approach assumes that host nodes have either BTF available or kernel headers available under conventional location. see Tracee's [prerequisites](https://aquasecurity.github.io/tracee/dev/install/prerequisites/) for more info. For the major Kubernetes platforms this should work out-of-the-box, including GKE, EKS, AKS, minikube. 
+
+## Consuming detections
+
+[falcosidekick](https://github.com/falcosecurity/falcosidekick) is a useful webhook server that can be configured to connect to various "outputs" such as: Slack, Mattermost, Teams, Datadog, Prometheus, StatsD, Email, Elasticsearch, Loki, PagerDuty, OpsGenie, and many more. The YAML deployment also deploys falcosidekick alongside Tracee, so that you can conveniently consume the Tracee's detections. To configure falcosidekick you can edit the `webhook-cm.yaml` ConfigMap whis is expected to be in the [falcosidekick configuration format](https://github.com/falcosecurity/falcosidekick).
 
-> NOTE `See the complete config file in` [falcosidekick](https://github.com/falcosecurity/falcosidekick)
 
diff --git a/docs/install/prerequisites.md b/docs/install/prerequisites.md
@@ -1,21 +1,11 @@
 # Prerequisites
 
-__Portable (CO:RE) option:__
 * Linux kernel version >= 4.18
-* BTF enabled (_You can manually detect if your environments supports it by checking if the following file exists on your machine: /sys/kernel/btf/vmlinux or consult the following documentation: https://github.com/libbpf/libbpf#bpf-co-re-compile-once--run-everywhere)_
 
-> Note: When using Tracee's Docker image, an extra mount might be required to access the kernel configuration file. Depending on the linux distribution this can be in either `/proc/config.gz` (which docker mounts by default) or `/boot/config-$(uname -r)` (which must be mounted explicitly).
-
-__Kernel version specific option:__
-* Linux kernel version >= 4.18
-* Linux kernel headers available under conventional location (see [Linux Headers](../headers) section for more info)
-* libc, and the libraries: libelf, zlib
-* GNU Make >= 4.3
-* clang >= 11
-
-_Exceptions:_
-* Tracee supports loading a pre-compiled eBPF file, in which case the kernel headers are not required at runtime, but only for the one-time compilation of the eBPF program. See [Setup Options](../ebpf-compilation) for more info.
-* When using Tracee's Docker image, all of the tooling is built into the image. The only requirement left is the kernel headers or the pre-built eBPF artifact. See [Setup Options](../ebpf-compilation) for more info.
+One of the following:
+* BTF available under `/sys/kernel/btf/vmlinux` (see [libbpf CO-RE documentation](https://github.com/libbpf/libbpf#bpf-co-re-compile-once--run-everywhere) for more info)).
+* Linux kernel headers available under conventional location (see [Linux Headers](../headers) section for more info). In this case system libraries libelf and zlib are required as well.
+* Tracee's eBPF probe pre-compiled (see [eBPF compilation](install/ebpf-compilation.md) section for more info).
 
 # Permissions