Slide 1

From Kernel to Kubernetes - Mapping eBPF-Detected Processes to Pods - Yuki Nakamura | mapbox

Slide 2

What is Tetragon?

eBPF-based tool for Kubernetes-aware security and observability.

What it does:
- Collect kernel events using eBPF programs
- Block dangerous system calls in real-time

Use cases:
- Process monitoring (e.g. detect privileged processes)
- Security enforcement (e.g. block access to sensitive files)

Key point: It’s Kubernetes-aware

[Diagram: Kernel monitoring hooks emit kernel events to the Tetragon Agent; eBPF programs perform Kill / Override]

Slide 3

What does "Kubernetes-aware" mean?

Tetragon enriches kernel events with Kubernetes context.

Example: Process events with namespace and pod name

Other contexts: image, labels, workload type, etc.

Slide 4

Challenge: Kernel doesn’t know Kubernetes

The problem: Two separate worlds that don’t communicate.

[Diagram: Kernel → events → Tetragon Agent (eBPF programs), with kube-apiserver off to the side. Tetragon Agent: "I don't know anything about the Kubernetes world... I cannot extract Kubernetes context from the kernel..."]

Question: How do we connect them?

Slide 5

Challenge: Kubernetes doesn’t know Kernel

The flip side: kube-apiserver sees pods, but not kernel events.

[Diagram: kube-apiserver: "I know everything about the Kubernetes context, but I don’t see the kernel context." Tetragon Agent (eBPF programs) receives the events on the other side.]

We need a bridge between these two worlds.

Slide 6

Solution: Container Runtime

The bridge: Container runtime sits between kernel and Kubernetes.

[Diagram: Container Runtime placed between the Tetragon Agent (eBPF programs, events) and kube-apiserver. Container Runtime: "Hey, I can help you out! I know kernel context and container context."]

Slide 7

Solution: Kernel to Pod Mapping

The chain: Three-step mapping connects kernel to Kubernetes

1. eBPF extracts Cgroup ID from kernel events
2. Container Runtime maps Cgroup ID (Cgroup Path) → Container ID
3. kube-apiserver maps Container ID → Pod Info

Note: Tetragon Agent converts Cgroup Path to Cgroup ID for matching

[Diagram: eBPF Programs → Events with CgroupID; Container Runtime → CgroupPath - ContainerID, converted to CgroupID - ContainerID; kube-apiserver → Pod info with ContainerID]

Slide 8

Runtime Integration

How Tetragon captures the mapping:

Uses runtime-specific hooks:
- For cri-o: OCI hook (tetragon-oci-hook)
- For containerd: NRI plugin (tetragon-nri-hook)

Process:
1. Container starts → hook runs
2. Hook gets Cgroup Path + Container ID
3. Sends data to Tetragon
4. Tetragon converts Cgroup Path to Cgroup ID
5. Keeps an in-memory mapping of Cgroup ID ↔ Container ID

[Diagram: tetragon-oci-hook is triggered on container start and sends CgroupPath - ContainerID to the Tetragon Agent over the RuntimeHook API; tetragon-nri-hook subscribes to runtime events and sends the same; the Tetragon Agent stores CgroupID - ContainerID]

Slide 9

eBPF Side: Kernel Event Collection

How eBPF programs get Cgroup ID from kernel events

Process:
1. Kernel event happens
2. eBPF program extracts Cgroup ID from task_struct
3. Sends event with Cgroup ID to Tetragon via eBPF Map

Key eBPF helper functions:
- bpf_get_current_task()
- bpf_get_current_cgroup_id()

[Diagram: task_struct fields: comm (char comm[]), tgid (pid_t tgid), pid (pid_t pid), cgroups (struct css_set *cgroups), ...; eBPF Programs → Events with CgroupID → eBPF Map → Tetragon Agent]

Slide 10

Kubernetes Side: Pod Information Cache

How Tetragon gets Pod metadata from Kubernetes

Process:
1. Tetragon watches the Kubernetes API server
2. Caches Pod information (pod name, namespace, labels)
3. Fast lookup: Container ID → Pod details

Technology: client-go SharedIndexInformer

[Diagram: kube-apiserver → Pod info with ContainerID → Pod Data Cache]
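The three-step chain from the runtime-hook and pod-cache slides, written out in Go as an added example. This is not Tetragon's code; it only illustrates the two in-memory tables and the lookup order. Assumptions made here: cgroup v2, where the cgroup ID is visible from user space as the inode number of the cgroup directory (Tetragon's own conversion differs in detail); kube-apiserver reports container IDs with a runtime scheme prefix such as `containerd://`, which is stripped so both tables use the same key; all type and function names (`Mapper`, `Enrich`, `CgroupIDFromPath`, ...) are made up for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
	"sync"
	"syscall"
)

// CgroupID is what bpf_get_current_cgroup_id() returns. On cgroup v2 the same value
// is the inode number of the cgroup directory (assumption; Tetragon's conversion differs).
type CgroupID uint64

// PodInfo is the Kubernetes context attached to an enriched event.
type PodInfo struct {
	Namespace string
	Name      string
}

var ErrUnknownCgroup = errors.New("cgroup id not reported by any runtime hook")
var ErrUnknownContainer = errors.New("container id not present in pod cache")

// Mapper holds the two in-memory tables: cgroup id -> container id (fed by the
// OCI/NRI hook) and container id -> pod (fed by the pod informer).
type Mapper struct {
	mu          sync.RWMutex
	cgroupToCtr map[CgroupID]string
	ctrToPod    map[string]PodInfo
}

func NewMapper() *Mapper {
	return &Mapper{cgroupToCtr: map[CgroupID]string{}, ctrToPod: map[string]PodInfo{}}
}

// CgroupIDFromPath is the cgroup path -> cgroup id step the agent performs when a hook delivers a path.
func CgroupIDFromPath(path string) (CgroupID, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return 0, errors.New("stat did not return a unix Stat_t")
	}
	return CgroupID(st.Ino), nil
}

// normalizeContainerID strips the runtime scheme kube-apiserver reports in
// ContainerStatuses (e.g. "containerd://<id>") so both tables share bare ids.
func normalizeContainerID(id string) string {
	if i := strings.Index(id, "://"); i >= 0 {
		return id[i+3:]
	}
	return id
}

// AddCgroupMapping is the runtime-hook side: record cgroup id -> container id.
func (m *Mapper) AddCgroupMapping(id CgroupID, containerID string) {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.cgroupToCtr[id] = normalizeContainerID(containerID)
}

// OnPodUpdate is the informer add/update handler: index every container id of
// the pod so it resolves to the pod's metadata.
func (m *Mapper) OnPodUpdate(pod PodInfo, containerIDs []string) {
	m.mu.Lock()
	defer m.mu.Unlock()
	for _, cid := range containerIDs {
		m.ctrToPod[normalizeContainerID(cid)] = pod
	}
}

// Enrich runs the chain CgroupID -> ContainerID -> PodInfo for one event. Cgroups no
// hook reported (host processes, or a race before the hook fired) yield ErrUnknownCgroup.
func (m *Mapper) Enrich(cg CgroupID) (string, PodInfo, error) {
	m.mu.RLock()
	defer m.mu.RUnlock()
	cid, ok := m.cgroupToCtr[cg]
	if !ok {
		return "", PodInfo{}, ErrUnknownCgroup
	}
	pod, ok := m.ctrToPod[cid]
	if !ok {
		return cid, PodInfo{}, ErrUnknownContainer
	}
	return cid, pod, nil
}

func main() {
	m := NewMapper()
	m.AddCgroupMapping(4242, "0123abcd") // constructed hook report
	m.OnPodUpdate(PodInfo{Namespace: "payments", Name: "api-7c9f"}, []string{"containerd://0123abcd"}) // constructed informer report
	for _, cg := range []CgroupID{4242, 1} { // 1: a host process, never reported by a hook
		cid, pod, err := m.Enrich(cg)
		fmt.Println(cg, cid, pod, err)
	}
}
```

The two tables are filled by different sources at different times, so the lookup has to tolerate a miss at either step: a cgroup ID with no hook report is most likely a host process, while a container ID with no pod entry usually means the informer has not caught up yet.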

Slide 11

Summary

What Tetragon solved: Linking kernel events with Kubernetes context

Challenge: Kernel and Kubernetes don’t talk directly

Solution: Three-step mapping chain
- Cgroup ID (Cgroup Path) → Container ID → Pod Info
- Container Runtime is the key bridge

[Diagram: eBPF Programs → Events with CgroupID; CgroupPath - ContainerID → CgroupID - ContainerID; Pod info with ContainerID]

Slide 12

Want to explore more?

🛠️ Projects
- My eBPF blog: eBPF, Tetragon, Aya (Rust eBPF library) 🦀
- tetragon-mini: Rewriting Tetragon in Rust 🐝

📚 References
- Tetragon PR: introduce policyfilter mechanism
- Tetragon PR: pod mapping via cgroup ids

Slide 13

No content

Slide 14

Appendix: Kubernetes-Scoped eBPF Actions

Apply eBPF actions selectively - block syscalls, monitor file access, or enforce policies based on Kubernetes metadata.

Configuration: Define rules in a Tracing Policy
- Namespace filters
- Pod label selectors
- Container-level filters

[Diagram: Kernel monitoring hooks → Tetragon Agent; eBPF programs perform Kill / Override conditionally, based on Kubernetes metadata]

Slide 15

Appendix: Kubernetes-Scoped eBPF Actions

How it works: Tetragon populates target cgroups in an eBPF map, enabling conditional actions based on Kubernetes context.

[Diagram: Pod Info with ContainerID and CgroupID - ContainerID are combined with the Tracing Policy into (Policy ID, CgroupID) entries in the target cgroup map; kernel monitoring hooks look up the event's cgroup there before Kill / Override]
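The target-cgroup selection from the two appendix slides, as an added Go example that is not Tetragon's code. It models the user-space side: the namespace filter and pod label selector of a Tracing Policy are evaluated against cached pods, the cgroup IDs of matching pods are recorded per policy, and `Applies` plays the role of the lookup the eBPF program does before acting. Assumptions: the real eBPF map layout differs (this uses a flat (policy id, cgroup id) key), the label selector is plain `matchLabels` equality, and the names `PolicySpec`, `PolicyFilter`, `AddPod` and `Applies` are invented for the example.

```go
package main

import "fmt"

// CgroupID is the kernel cgroup identifier carried in every event.
type CgroupID uint64

// PodEntry is one pod from the informer cache, with the cgroup ids of its
// containers already resolved through the runtime-hook table.
type PodEntry struct {
	Namespace string
	Name      string
	Labels    map[string]string
	Cgroups   []CgroupID
}

// PolicySpec is the Kubernetes-scoped part of a Tracing Policy: an optional
// namespace filter plus a pod label selector with matchLabels semantics.
type PolicySpec struct {
	ID        uint32
	Namespace string            // "" means cluster-wide
	PodLabels map[string]string // every pair must match; empty matches any pod
}

// Matches decides whether the policy is scoped to this pod.
func (p PolicySpec) Matches(pod PodEntry) bool {
	if p.Namespace != "" && p.Namespace != pod.Namespace {
		return false
	}
	for k, v := range p.PodLabels {
		if got, ok := pod.Labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// targetKey stands for one (policy id, cgroup id) entry of the target-cgroup
// map. Assumption: Tetragon's actual map layout differs; only the lookup
// semantics are reproduced here.
type targetKey struct {
	Policy uint32
	Cgroup CgroupID
}

// PolicyFilter is the user-space mirror of the eBPF target-cgroup map.
type PolicyFilter struct {
	policies []PolicySpec
	targets  map[targetKey]struct{}
}

func NewPolicyFilter(policies []PolicySpec) *PolicyFilter {
	return &PolicyFilter{policies: policies, targets: map[targetKey]struct{}{}}
}

// AddPod is called for every pod the informer reports, including pods that
// start after the policy was loaded, and adds its cgroups to each matching policy.
func (f *PolicyFilter) AddPod(pod PodEntry) {
	for _, p := range f.policies {
		if !p.Matches(pod) {
			continue
		}
		for _, cg := range pod.Cgroups {
			f.targets[targetKey{p.ID, cg}] = struct{}{}
		}
	}
}

// RemovePod drops the pod's cgroups from every policy when the pod is deleted,
// so a recycled cgroup id cannot inherit a stale policy decision.
func (f *PolicyFilter) RemovePod(pod PodEntry) {
	for _, p := range f.policies {
		for _, cg := range pod.Cgroups {
			delete(f.targets, targetKey{p.ID, cg})
		}
	}
}

// Applies is the lookup the eBPF program makes on the event's cgroup id before
// running the policy action (Kill / Override). A miss means the process is
// outside the policy's scope (another pod, or the host) and the action is skipped.
func (f *PolicyFilter) Applies(policy uint32, cg CgroupID) bool {
	_, ok := f.targets[targetKey{policy, cg}]
	return ok
}

func main() {
	// Constructed sample: a namespaced policy with a label selector and a cluster-wide one.
	f := NewPolicyFilter([]PolicySpec{
		{ID: 1, Namespace: "payments", PodLabels: map[string]string{"app": "api"}},
		{ID: 2, PodLabels: map[string]string{"tier": "frontend"}},
	})
	f.AddPod(PodEntry{Namespace: "payments", Name: "api-1", Labels: map[string]string{"app": "api"}, Cgroups: []CgroupID{100, 101}})
	f.AddPod(PodEntry{Namespace: "payments", Name: "web-1", Labels: map[string]string{"tier": "frontend"}, Cgroups: []CgroupID{200}})
	f.AddPod(PodEntry{Namespace: "shop", Name: "api-1", Labels: map[string]string{"app": "api"}, Cgroups: []CgroupID{300}})
	for _, cg := range []CgroupID{100, 200, 300} {
		fmt.Printf("cgroup %d: policy1=%v policy2=%v\n", cg, f.Applies(1, cg), f.Applies(2, cg))
	}
}
```

The point of keeping the selection in user space and shipping only cgroup IDs to the kernel is that the eBPF program never has to understand namespaces or labels: it does one map lookup on a value it already has from `bpf_get_current_cgroup_id()`.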