
Yuki Nakamura
June 16, 2025

From Kernel to Kubernetes - Mapping eBPF-Detected Processes to Pods -

⚡ Lightning Talk: From Kernel To Kubernetes: Mapping eBPF-Detected Processes To Pods -

at KubeCon + CloudNativeCon Japan 2025, June 16


Transcript

  1. What is Tetragon? eBPF-based tool for Kubernetes-aware security and observability

     What it does:
     - Collect kernel events using eBPF programs
     - Block dangerous system calls in real time
     Use cases:
     - Process monitoring (e.g. detect privileged processes)
     - Security enforcement (e.g. block access to sensitive files)
     Key point: It's Kubernetes-aware
     [Diagram: Kernel, Monitoring Hooks, eBPF Programs, Kernel Events, Tetragon Agent, Kill / Override]
  2. What does "Kubernetes-aware" mean? Tetragon enriches kernel events with Kubernetes context

     Example: Process events with namespace and pod name
     Other contexts: Image, Labels, Workload type, etc.
  3. Challenge: Kernel doesn't know Kubernetes. The problem: two separate worlds that don't communicate

     [Diagram: Kernel (eBPF Programs) sends Events to the Tetragon Agent; kube-apiserver stands apart. Speech bubble: "I don't know anything about the Kubernetes world... I cannot extract Kubernetes context from Kernel..."]
     Question: How do we connect them?
  4. Challenge: Kubernetes doesn't know Kernel. The flip side: kube-apiserver sees pods, but not kernel events

     [Diagram: kube-apiserver, Events, Tetragon Agent, eBPF Programs. Speech bubble: "I know everything about the Kubernetes context, but I don't see the kernel context."]
     We need a bridge between these two worlds
  5. Solution: Container Runtime. The bridge: the container runtime sits between kernel and Kubernetes

     [Diagram: kube-apiserver, Container Runtime, Tetragon Agent, eBPF Programs, Events. Speech bubble (Container Runtime): "Hey, I can help you out! I know kernel context and container context."]
  6. Solution: Kernel to Pod Mapping. The chain: three-step mapping connects kernel to Kubernetes

     1. eBPF extracts Cgroup ID from kernel events
     2. Container Runtime maps Cgroup ID (Cgroup Path) → Container ID
     3. kube-apiserver maps Container ID → Pod Info
     Note: Tetragon Agent converts Cgroup Path to Cgroup ID for matching
     [Diagram: eBPF Programs → Events with CgroupID; CgroupPath - ContainerID → CgroupID - ContainerID; Pod info with ContainerID]
  7. Runtime Integration. How Tetragon captures the mapping

     Uses runtime-specific hooks:
     - For cri-o: OCI hook
     - For containerd: NRI plugin
     Process:
     1. Container starts → hook runs
     2. Hook gets Cgroup Path + Container ID
     3. Sends data to Tetragon
     4. Tetragon converts Cgroup Path to Cgroup ID
     5. Keeps an in-memory mapping of Cgroup ID ↔ Container ID
     [Diagrams: cri-o: Trigger → tetragon-oci-hook (CgroupPath - ContainerID) → RuntimeHook API → Tetragon Agent (CgroupID - ContainerID); containerd: Subscribe → tetragon-nri-hook (CgroupPath - ContainerID) → RuntimeHook API → Tetragon Agent (CgroupID - ContainerID)]
  8. eBPF Side: Kernel Event Collection. How eBPF programs get Cgroup ID from kernel events

     Process:
     1. Kernel event happens
     2. eBPF program extracts Cgroup ID from task_struct
     3. Sends event with Cgroup ID to Tetragon via eBPF Map
     Key eBPF helper functions: bpf_get_current_task(), bpf_get_current_cgroup_id()
     [Diagram: Kernel → eBPF Programs → Events with CgroupID → eBPF Map → Tetragon Agent. task_struct fields shown: comm (char comm[]), tgid (pid_t tgid), pid (pid_t pid), cgroups (struct css_set *cgroups), ...]
  9. Kubernetes Side: Pod Information Cache. How Tetragon gets Pod metadata from Kubernetes

     Process:
     1. Tetragon watches the Kubernetes API server
     2. Caches Pod information (pod name, namespace, labels)
     3. Fast lookup: Container ID → Pod details
     Technology: client-go SharedIndexInformer
     [Diagram: kube-apiserver → Pod Data Cache → Pod info with ContainerID]
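The three-step chain from slides 6 to 9 as an added Go sketch; this is not the talk's or Tetragon's own code, and the names (PodInfo, Mapper, CgroupIDFromInode) are hypothetical. It assumes cgroup v2 on a 64-bit Linux kernel, where the cgroup directory's inode number is the same value bpf_get_current_cgroup_id() reports, so the path-to-ID step is a stat rather than a file-handle call.

```go
package main

import (
	"os"
	"syscall"
)

type PodInfo struct{ Namespace, Pod, Container string }

// CgroupIDFromInode assumes cgroup v2 on a 64-bit kernel, where the value of
// bpf_get_current_cgroup_id() equals the inode number of the cgroup directory
// (an assumption for this sketch; Tetragon's own conversion is not reproduced).
func CgroupIDFromInode(path string) (uint64, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return fi.Sys().(*syscall.Stat_t).Ino, nil // Linux-only type assertion
}

// Mapper holds the two caches from the talk (single goroutine; add a mutex when
// hook and informer callbacks run concurrently). cgroupID is injectable for tests.
type Mapper struct {
	cgroupID    func(string) (uint64, error)
	byCgroup    map[uint64]string  // step 2: cgroup ID -> container ID
	byContainer map[string]PodInfo // step 3: container ID -> pod info
}

func NewMapper(fn func(string) (uint64, error)) *Mapper {
	return &Mapper{fn, map[uint64]string{}, map[string]PodInfo{}}
}

// OnRuntimeHook: the OCI hook / NRI plugin reported a started container.
func (m *Mapper) OnRuntimeHook(cgroupPath, containerID string) error {
	id, err := m.cgroupID(cgroupPath)
	if err != nil {
		return err
	}
	m.byCgroup[id] = containerID
	return nil
}

// OnPodUpdate: the pod informer's add/update handler saw this container.
func (m *Mapper) OnPodUpdate(containerID string, p PodInfo) { m.byContainer[containerID] = p }

// Resolve enriches an eBPF event by its cgroup ID; a miss at either step (host
// process, or an event racing the hook/informer) returns false, not a wrong pod.
func (m *Mapper) Resolve(cgroupID uint64) (PodInfo, bool) {
	p, ok := m.byContainer[m.byCgroup[cgroupID]]
	return p, ok
}
```

Resolve deliberately fails closed: an event whose container has not yet been reported by the hook, or whose pod is not yet in the informer cache, stays unenriched instead of being attributed to another pod.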
  10. Summary. What Tetragon solved: linking kernel events with Kubernetes context

     Challenge: Kernel and Kubernetes don't talk directly
     Solution: Three-step mapping chain: Cgroup ID (Cgroup Path) → Container ID → Pod Info
     Container Runtime is the key bridge
     [Diagram: eBPF Programs → Events with CgroupID; CgroupPath - ContainerID → CgroupID - ContainerID; Pod info with ContainerID]
  11. Want to explore more?

     🛠️ Projects
     - My eBPF blog: eBPF, Tetragon, Aya (Rust eBPF library) 🦀
     - tetragon-mini: Rewriting Tetragon in Rust 🐝
     📚 References
     - Tetragon PR: introduce policyfilter mechanism
     - PR: pod mapping via cgroup ids
  12. Appendix: Kubernetes-Scoped eBPF Actions. Apply eBPF actions selectively: block syscalls, monitor file access, or enforce policies based on Kubernetes metadata

     Configuration: Define rules in a Tracing Policy
     - Namespace filters
     - Pod label selectors
     - Container-level filters
     Perform actions conditionally, based on Kubernetes metadata
     [Diagram: Kernel, Monitoring Hooks, eBPF Programs, Tetragon Agent, Kill / Override]
  13. Appendix: Kubernetes-Scoped eBPF Actions. How it works: Tetragon populates target cgroups in an eBPF map, enabling conditional actions based on Kubernetes context

     [Diagram: Tracing Policy + Pod Info with ContainerID + CgroupID, ContainerID → (Policy ID, CgroupID) → Target cgroup eBPF map; Kernel Monitoring Hooks do a Lookup before Kill / Override]
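The appendix mechanism (slides 12 and 13) as an added Go sketch of the userspace side; this is not Tetragon's code, and PolicyScope, Pod, FilterKey and TargetCgroups are hypothetical simplifications. It assumes a policy scope of namespace plus equality label selectors, and that the runtime-hook mapping already supplies each pod's container cgroup IDs; the output is the set of (policy ID, cgroup ID) keys the eBPF program would look up per event.

```go
package main

// PolicyScope is a Tracing Policy's Kubernetes scope (hypothetical simplified
// form): a namespace filter plus equality-only pod label selectors.
type PolicyScope struct {
	ID          uint32
	Namespace   string            // "" matches every namespace
	MatchLabels map[string]string // every key must be present with this value
}

// Pod is the informer-side view needed to decide which cgroups a policy targets.
type Pod struct {
	Namespace string
	Labels    map[string]string
	CgroupIDs []uint64 // one per container, from the cgroup ID <-> container ID mapping
}

// FilterKey mirrors the (policy ID, cgroup ID) key the eBPF side looks up, so the
// kernel program never has to know about namespaces or labels.
type FilterKey struct {
	PolicyID uint32
	CgroupID uint64
}

// Matches is the Kubernetes-metadata check that runs in userspace, not in eBPF.
func (s PolicyScope) Matches(p Pod) bool {
	if s.Namespace != "" && s.Namespace != p.Namespace {
		return false
	}
	for k, v := range s.MatchLabels {
		if p.Labels[k] != v {
			return false
		}
	}
	return true
}

// TargetCgroups computes the full desired contents of the target-cgroup map.
// Recompute (and diff against the live map) whenever a pod's labels change or a
// container starts or stops, or the kernel keeps acting on stale cgroup IDs.
func TargetCgroups(policies []PolicyScope, pods []Pod) map[FilterKey]struct{} {
	out := map[FilterKey]struct{}{}
	for _, pol := range policies {
		for _, p := range pods {
			if !pol.Matches(p) {
				continue
			}
			for _, cg := range p.CgroupIDs {
				out[FilterKey{pol.ID, cg}] = struct{}{}
			}
		}
	}
	return out
}
```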