
[Question] How to collect process_connect process_close and process_listen events #178

Closed
Taction opened this issue Jun 20, 2022 · 3 comments

Comments

@Taction
Contributor

Taction commented Jun 20, 2022

I've seen the four golden signals here: https://github.com/cilium/tetragon/tree/main/docs/security-observability-with-ebpf/03_chapter/00_four_golden_signals . But there are only tutorials about how to collect "PROCESS_EXEC", "PROCESS_EXIT", "PROCESS_KPROBE" events.
I want to know how to collect process_connect process_close and process_listen events, any help would be appreciated!

Here is my tetragon configmap:

kubectl get cm -n kube-system tetragon-config -o yaml
apiVersion: v1
data:
  enable-k8s-api: "true"
  enable-process-cred: "false"
  enable-process-ns: "false"
  export-allowlist: '{"event_set":["PROCESS_EXEC", "PROCESS_EXIT", "PROCESS_KPROBE",
    "PROCESS_TRACEPOINT"]}'
  export-denylist: |-
    {"health_check":true}
    {"namespace":["", "cilium", "kube-system"]}
  export-file-compress: "false"
  export-file-max-backups: "5"
  export-file-max-size-mb: "10"
  export-filename: /var/run/cilium/tetragon/tetragon.log
  export-rate-limit: "-1"
  metrics-server: :2112
  process-cache-size: "65536"
  procfs: /procRoot
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: tetragon
    meta.helm.sh/release-namespace: kube-system
  creationTimestamp: "2022-06-15T01:45:41Z"
  labels:
    app.kubernetes.io/instance: tetragon
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: tetragon
    helm.sh/chart: tetragon-0.8.0
  name: tetragon-config
  namespace: kube-system
  resourceVersion: "20294151"
  uid: 1749b71a-e54f-4c4f-9eb8-881c73bf4841
@Furisto
Contributor

Furisto commented Jun 20, 2022

I do not think this is implemented in the open source version of tetragon. Here is how I have done it:

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "connect"
spec:
  kprobes:
  - call: "tcp_connect"
    syscall: false
    args:
     - index: 0
       type: "sock"
  - call: "tcp_close"
    syscall: false
    args:
     - index: 0
       type: "sock"

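The kprobe policy above makes Tetragon emit PROCESS_KPROBE events for tcp_connect and tcp_close, so the "connect" and "close" signals have to be reconstructed on the consumer side from the export file named in the configmap. The following is an added example (not from this issue or from the Tetragon project) that reads line-delimited export output, keeps only the tcp_connect/tcp_close kprobe events, and pairs each connect with its later close so that still-open connections stand out. The sample log lines are constructed, and the nesting of the socket argument (`sock_arg` with `saddr`, `daddr`, `sport`, `dport`) and of `process_kprobe`/`function_name` is an assumption about the export format; adjust the field names to what your Tetragon version actually writes.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of Tetragon's line-delimited JSON export
# (/var/run/cilium/tetragon/tetragon.log in the configmap above).
# Field names under process_kprobe/args are assumptions for this example.
SAMPLE_LOG = """
{"process_kprobe":{"process":{"pid":4242,"binary":"/usr/bin/curl","pod":{"namespace":"default","name":"client-1"}},"function_name":"tcp_connect","args":[{"sock_arg":{"family":"AF_INET","protocol":"IPPROTO_TCP","saddr":"10.0.0.5","daddr":"10.0.0.9","sport":51234,"dport":443}}]},"time":"2022-06-20T08:00:01Z"}
{"process_exec":{"process":{"pid":4243,"binary":"/bin/sh"}},"time":"2022-06-20T08:00:02Z"}
{"process_kprobe":{"process":{"pid":4242,"binary":"/usr/bin/curl","pod":{"namespace":"default","name":"client-1"}},"function_name":"tcp_close","args":[{"sock_arg":{"family":"AF_INET","protocol":"IPPROTO_TCP","saddr":"10.0.0.5","daddr":"10.0.0.9","sport":51234,"dport":443}}]},"time":"2022-06-20T08:00:03Z"}
{"process_kprobe":{"process":{"pid":4250,"binary":"/usr/bin/nc"},"function_name":"tcp_connect","args":[{"sock_arg":{"family":"AF_INET","protocol":"IPPROTO_TCP","saddr":"10.0.0.5","daddr":"203.0.113.7","sport":40000,"dport":4444}}]},"time":"2022-06-20T08:00:04Z"}
not json at all
"""

# Kernel functions hooked by the TracingPolicy above, mapped to the signal they approximate.
FUNCTION_TO_KIND = {"tcp_connect": "connect", "tcp_close": "close"}


def parse_events(text: str) -> List[Dict]:
    """Flatten tcp_connect/tcp_close kprobe events; skip every other line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            raw = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a partially written or rotated line
        kp = raw.get("process_kprobe")
        if not kp:
            continue  # process_exec, process_exit, ... are not our concern here
        kind = FUNCTION_TO_KIND.get(kp.get("function_name"))
        if kind is None:
            continue
        sock = next((a["sock_arg"] for a in kp.get("args", []) if "sock_arg" in a), None)
        if sock is None:
            continue
        proc = kp.get("process", {})
        pod = proc.get("pod") or {}
        events.append({
            "kind": kind,
            "time": raw.get("time"),
            "pid": proc.get("pid"),
            "binary": proc.get("binary"),
            "namespace": pod.get("namespace"),
            "pod": pod.get("name"),
            "saddr": sock.get("saddr"), "sport": sock.get("sport"),
            "daddr": sock.get("daddr"), "dport": sock.get("dport"),
        })
    return events


def pair_connections(events: List[Dict]) -> List[Dict]:
    """Match each connect with its close on the same pid and 4-tuple.

    Returns closed connections first, then connections with no close seen
    (closed_at is None), which is what a reviewer usually wants to look at.
    """
    open_conns: Dict[tuple, Dict] = {}
    finished: List[Dict] = []
    for ev in events:
        key = (ev["pid"], ev["saddr"], ev["sport"], ev["daddr"], ev["dport"])
        if ev["kind"] == "connect":
            rec = {k: v for k, v in ev.items() if k not in ("kind", "time")}
            rec["opened_at"] = ev["time"]
            rec["closed_at"] = None
            open_conns[key] = rec
        else:
            rec = open_conns.pop(key, None)
            if rec is None:
                # tcp_close also fires for accepted (server-side) sockets and for
                # sockets opened before the policy was loaded; nothing to pair.
                continue
            rec["closed_at"] = ev["time"]
            finished.append(rec)
    return finished + list(open_conns.values())


if __name__ == "__main__":
    for conn in pair_connections(parse_events(SAMPLE_LOG)):
        state = "closed" if conn["closed_at"] else "OPEN"
        print(f'{state:6} pid={conn["pid"]} {conn["binary"]} '
              f'{conn["saddr"]}:{conn["sport"]} -> {conn["daddr"]}:{conn["dport"]}')
```

Pairing on the pid plus the 4-tuple is deliberate: the sock pointer is not exported, and a short-lived process can reuse a source port, so the pid keeps two unrelated flows from being merged. Closes without a matching connect are expected on the listening side, which is also why the policy above cannot stand in for a process_listen signal.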
@Taction
Contributor Author

Taction commented Jun 20, 2022

@Furisto Thank you for the explanation and example!

@willfindlay
Contributor

Just dropping in to confirm that those are not in the OSS version. The workaround suggested by @Furisto is a good way to approximate these with what we have in OSS.
