kubectl api-resources
kubectl explain tracingpolicy.spec.kprobes
First deploy the policy and a busybox to play around with:
kubectl apply -f ../src/cat-kill.yaml
kubectl run -i --tty busybox-$RANDOM --image=busybox --restart=Never -- sh
Then, create a file and try to read it:
echo "test" > /tmp/myfile
cat /tmp/myfile
less /tmp/myfile
Review the logs:
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout | tetra getevents -o compact
Again deploy the policy and a busybox (this time with --privileged=true):
kubectl apply -f ../src/mount-deny.yaml
kubectl run -i --tty busybox-$RANDOM --image=busybox --restart=Never --privileged=true -- sh
Now, try to mount a host block device:
mkdir -p /mnt/host
mount /dev/sda1 /mnt/host
mount
Review the logs:
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout | tetra getevents -o compact
Next deploy the policy and another busybox:
kubectl apply -f ../src/write-file-deny.yaml
kubectl run -i --tty busybox-$RANDOM --image=busybox --restart=Never -- sh
Now, try to write a file:
echo "test" >> /tmp/test
echo "test" > /tmp/testfile
Review the logs:
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout | tetra getevents -o compact
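The three "Review the logs" steps above pipe the raw JSON that the export-stdout container emits through tetra getevents. The added example below (not part of this lab or of Tetragon) triages that raw JSON directly, separating enforced SIGKILL hits from audit-only hits per policy; the sample lines are constructed, and the field names (process_kprobe, function_name, action, policy_name) follow Tetragon's JSON export format as I understand it.

```python
import json
from collections import Counter

# Constructed sample of Tetragon's JSON export (one event per line), shaped like the
# export-stdout output: kprobe hits from three assumed policies plus one exec event.
SAMPLE_EXPORT = r'''
{"process_kprobe":{"process":{"pid":2112,"binary":"/bin/cat","arguments":"/tmp/myfile","pod":{"namespace":"default","name":"busybox-1234"}},"function_name":"security_file_permission","args":[{"file_arg":{"path":"/tmp/myfile"}},{"int_arg":4}],"action":"KPROBE_ACTION_SIGKILL","policy_name":"cat-kill"},"node_name":"node-a","time":"2024-01-01T10:00:00Z"}
{"process_exec":{"process":{"pid":2113,"binary":"/bin/sh","arguments":"","pod":{"namespace":"default","name":"busybox-1234"}}},"node_name":"node-a","time":"2024-01-01T10:00:01Z"}
{"process_kprobe":{"process":{"pid":2114,"binary":"/bin/mount","arguments":"/dev/sda1 /mnt/host","pod":{"namespace":"default","name":"busybox-5678"}},"function_name":"security_sb_mount","args":[{"string_arg":"/dev/sda1"},{"path_arg":{"path":"/mnt/host"}}],"action":"KPROBE_ACTION_SIGKILL","policy_name":"mount-deny"},"node_name":"node-a","time":"2024-01-01T10:05:00Z"}
{"process_kprobe":{"process":{"pid":2115,"binary":"/bin/sh","arguments":"","pod":{"namespace":"default","name":"busybox-9012"}},"function_name":"security_file_permission","args":[{"file_arg":{"path":"/tmp/testfile"}},{"int_arg":2}],"action":"KPROBE_ACTION_POST","policy_name":"write-file-deny"},"node_name":"node-a","time":"2024-01-01T10:10:00Z"}
'''

def parse_events(text):
    """Yield (kind, body, time) for each JSON line; malformed or blank lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # exporter output can be truncated mid-line when tailing
        for kind in ("process_kprobe", "process_exec", "process_exit"):
            if kind in rec:
                yield kind, rec[kind], rec.get("time", "")
                break

def enforcement_summary(text):
    """One row per kprobe hit: who did what, which policy matched, and whether it was killed."""
    rows = []
    for kind, ev, ts in parse_events(text):
        if kind != "process_kprobe":
            continue
        proc = ev.get("process", {})
        pod = proc.get("pod", {})
        rows.append({
            "time": ts,
            "pod": f"{pod.get('namespace', '?')}/{pod.get('name', '?')}",
            "binary": proc.get("binary", "?"),
            "args": proc.get("arguments", ""),
            "function": ev.get("function_name", "?"),
            "policy": ev.get("policy_name", "?"),
            # Only a Sigkill action actually stopped the process; Post means audit only.
            "killed": ev.get("action") == "KPROBE_ACTION_SIGKILL",
        })
    return rows

def kills_per_policy(rows):
    """Count enforced kills by policy name, e.g. to spot a policy that only audits."""
    return Counter(r["policy"] for r in rows if r["killed"])

if __name__ == "__main__":
    rows = enforcement_summary(SAMPLE_EXPORT)
    for r in rows:
        print(r["time"], r["pod"], r["binary"], r["args"], "->", r["function"],
              f"[{r['policy']}]", "SIGKILL" if r["killed"] else "audit")
    print(dict(kills_per_policy(rows)))
```

Feed it the same kubectl logs output used above (stdin instead of SAMPLE_EXPORT) to confirm that a deny policy is really enforcing rather than only posting events.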