Privileged execution

Monitor process capabilities and kernel namespace access

Tetragon also provides the ability to check process capabilities and kernel namespaces access.

This information would help us determine which process or Kubernetes pod has started or gained access to privileges or host namespaces that it should not have. This would help us answer questions like:

Which Kubernetes pods are running with CAP_SYS_ADMIN in my cluster?

Which Kubernetes pods have host network or pid namespace access in my cluster?

Step 1: Enabling Process Credential and Namespace Monitoring

  • Edit the Tetragon configmap:

    kubectl edit cm -n kube-system tetragon-config
    
  • Set the following flags from “false” to “true”:

    # enable-process-cred: true
    # enable-process-ns: true
    
  • Save your changes and exit.

  • Restart the Tetragon daemonset:

    kubectl rollout restart -n kube-system ds/tetragon
    

Step 2: Deploying a Privileged Nginx Pod

  • Create a YAML file (e.g., privileged-nginx.yaml) with the following PodSpec:

    apiVersion: v1
    kind: Pod
    metadata:
      name: privileged-the-pod
    spec:
      hostPID: true
      hostNetwork: true
      containers:
      - name: privileged-the-pod
        image: nginx:latest
        ports:
        - containerPort: 80
        securityContext:
          privileged: true
    
  • Apply the configuration:

    kubectl apply -f privileged-nginx.yaml
    

Step 3: Monitoring with Tetragon

  • Start monitoring events from the privileged Nginx pod:

    kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout -f | tetra getevents --namespace default --pod privileged-the-pod
    
  • You should observe Tetragon generating events similar to these, indicating the privileged container start:

    🚀 process default/privileged-nginx /nginx -g daemon off;  🛑 CAP_SYS_ADMIN
    
Last modified February 20, 2024: docs: replace test-pod with nginx (e27bd32f)