eBPF
  • 09 Jun 2022



Linux divides its memory space into two areas, kernel space and user space. Kernel space is where the core of the operating system resides. The kernel space has unrestricted access to all the hardware, that is, memory, CPU, storage, and so on. The user space is the space where user applications are run. The user space code has limited direct access to hardware and relies on kernel space to complete its operation. eBPF (extended Berkeley Packet Filter) is a mechanism for writing code that can be executed in the Linux kernel space. eBPF allows you to package the user space application logic to be executed in the Linux kernel space as bytecode.

Traceable provides an eBPF solution that attaches probes to kernel functions and collects the data. The probes are attached to the functions that are executed during any network socket transaction, such as open, connect, read, write, and close calls. Based on parameters, Traceable decides whether to collect data or not.

Note:
Request blocking is not supported with eBPF Traceable agent deployment.

The following diagram shows the high-level flow of Traceable's eBPF-based collection solution:



Before you begin

Make sure that the following prerequisites are met before you install the eBPF-based Traceable agent.

  • Linux kernel - The underlying Linux kernel should be 4.18 or later with BTF (BPF Type Format) enabled.
  • Kernel build - Linux kernel built with CONFIG_DEBUG_INFO_BTF=y option.
  • Capabilities - SYS_PTRACE and SYS_ADMIN capabilities in Kubernetes.
  • Traceable agent - Traceable agent 1.19.2 or later.
  • Traceable access token - In Traceable platform (UI), navigate to Administration > Access Token and click on Generate Agent Token. Copy the token.
  • Privileged user - The deployment requires privileged user access.
Note
Because the eBPF solution intercepts traffic at the kernel level, no specific ports need to be opened to install Traceable's agent.
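
The kernel version and BTF prerequisites above can be checked on a node before you install. The following is an added example, not part of Traceable's documentation or agent: the function names are illustrative, and /sys/kernel/btf/vmlinux, /boot/config-<release> and /proc/config.gz are assumed as the usual locations of BTF data and the kernel build config, which can differ by distribution.

```shell
#!/bin/sh
# Added example: node preflight for the prerequisites above.
# Function names are illustrative; they are not part of the Traceable agent.

# kernel_at_least RELEASE MAJOR MINOR: true if RELEASE is MAJOR.MINOR or later.
kernel_at_least() {
    rel=${1%%-*}                      # 4.18.0-553.el8 -> 4.18.0
    case "$rel" in *.*) ;; *) return 2 ;; esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}           # "18+" -> "18"
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# btf_in_config FILE: true if the kernel config sets CONFIG_DEBUG_INFO_BTF=y.
btf_in_config() {
    case "$1" in
        *.gz) gzip -dc "$1" 2>/dev/null ;;
        *)    cat "$1" 2>/dev/null ;;
    esac | grep -qx 'CONFIG_DEBUG_INFO_BTF=y'
}

# btf_available SYSFS_FILE CONFIG...: a running kernel with BTF exposes
# SYSFS_FILE; otherwise fall back to the build config files.
btf_available() {
    sysfs=$1; shift
    [ -r "$sysfs" ] && return 0
    for cfg in "$@"; do
        btf_in_config "$cfg" && return 0
    done
    return 1
}

# preflight RELEASE SYSFS_FILE CONFIG...: prints findings, returns failure count.
preflight() {
    release=$1; shift; fails=0
    if kernel_at_least "$release" 4 18; then echo "ok   kernel $release"
    else echo "FAIL kernel $release is older than 4.18"; fails=$((fails + 1)); fi
    if btf_available "$@"; then echo "ok   BTF available"
    else echo "FAIL CONFIG_DEBUG_INFO_BTF=y not found"; fails=$((fails + 1)); fi
    return "$fails"
}

preflight "$(uname -r)" /sys/kernel/btf/vmlinux "/boot/config-$(uname -r)" \
    /proc/config.gz || echo "node does not meet the prerequisites" >&2
```

Run it on each node that will host the DaemonSet; a pod shares the host kernel, so the result reflects the node, not the container image.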

Installation

Complete the following steps to install Traceable agent for eBPF:

  1. Create a traceableai namespace.
    kubectl create namespace traceableai
  2. Define a sample values.yaml file to install the agent. For example:
    token: <>
    environment: <>
    runAsDaemonSet: true
    daemonSetMirroringEnabled: true
    ebpfCaptureEnabled: true
    ebpfRunAsPrivileged: true
    Paste the access token that you copied from the Traceable platform in the token field.
    Note
    If you set ebpfCaptureEnabled to false, the solution works as normal DaemonSet mirroring.
  3. Run the following commands to install the Traceable agent in DaemonSet mode:
    helm repo add traceableai https://helm.traceable.ai
    helm repo update
    helm install --namespace traceableai traceable-agent traceableai/traceable-agent --values values.yaml
  4. Verify that Traceable agent pods are created. Enter the following command:
    % kubectl get pods -n traceableai
    NAME                    READY   STATUS    RESTARTS   AGE
    traceable-agent-49nh9   2/2     Running   0          49s
    The output of the get pods command would differ based on your deployment environment.

You can also verify a successful installation by navigating to API Catalog > Services and checking for ebpf in the traceable.module.name field, as shown in the screenshot below.


Enable or disable mirroring

To enable or disable mirroring, use the following commands:

Enable mirroring for a namespace

To enable mirroring for a namespace, enter the following command:

kubectl label ns <namespace> traceableai-mirror=enabled

Disable mirroring for a namespace

To disable mirroring for a namespace, enter the following command:

kubectl label ns <namespace> traceableai-mirror=disabled

Disable mirroring for a pod

To disable mirroring for a pod, set the pod annotation mirror.traceable.ai/enabled to false.

kubectl patch deployment <deployment> -n <namespace> -p '{"spec": {"template":{"metadata":{"annotations":{"mirror.traceable.ai/enabled":"false"}}}} }'

Set the mirroring mode

The default mirroring mode is ingress. If you want to capture egress traffic, enter the following:

For a pod

To capture egress traffic for a pod, set the annotation mirror.traceable.ai/mode to egress.

kubectl patch deployment <deployment> -n <namespace> -p '{"spec": {"template":{"metadata":{"annotations":{"mirror.traceable.ai/mode":"egress"}}}} }'

For a namespace

To capture egress traffic at the namespace level, set the annotation mirror.traceable.ai/defaultMode to egress.

kubectl annotate namespace <NAMESPACE> mirror.traceable.ai/defaultMode=egress

Upgrade

You can upgrade the Traceable agent in Kubernetes using the following Helm commands:

  1. Update helm charts by entering the following command:
    helm repo update traceableai
  2. Enter the following command to upgrade Traceable agent to the latest version:
    helm upgrade traceable-agent --namespace traceableai traceableai/traceable-agent

Uninstall

Enter the following command to uninstall the Platform agent using Helm:

helm uninstall traceable-agent --namespace traceableai


