
A GitHub template repository with the scaffolding for eBPF programs that run on Kubernetes cluster nodes.


Soil-Security/bpf-go-daemonset-template


bpf-go-daemonset-template

A GitHub template repository with the scaffolding for a BPF sensor that runs on a Kubernetes cluster, i.e. deployed as a DaemonSet so that one pod runs on every cluster node. The BPF program traces execve(2) system calls and sends one event per call from the kernel to user space through a BPF ring buffer; the user-space daemon prints each event to standard output as a JSON line. The BPF program is written in C against libbpf (libbpf/libbpf) and is compiled with LLVM and Clang. BPF objects are loaded and managed from user space with cilium/ebpf.

Quick Start with kind

  1. Install kind:
    curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.24.0/kind-linux-amd64
    chmod +x ./kind
    sudo mv ./kind /usr/bin/
    kind version
    
  2. Create a test cluster and wait until its node is ready:
    kind create cluster \
      --image="kindest/node:v1.30.4@sha256:976ea815844d5fa93be213437e3ff5754cd599b040946b5cca43ca45c2047114"
    
    $ kubectl get node
    NAME                 STATUS   ROLES           AGE   VERSION
    kind-control-plane   Ready    control-plane   57s   v1.30.4
  3. Compile sources and build the docker container image:
    git clone --recurse-submodules https://github.com/Soil-Security/bpf-go-daemonset-template.git
    cd bpf-go-daemonset-template
    
    make image
    
  4. Load the docker container image from host into all cluster nodes:
    kind load docker-image danielpacak/bpf-go-daemonset-template:latest
    
  5. Deploy the BPF sensor as a DaemonSet and wait until it's rolled out successfully:
    kubectl apply -f deploy/kubernetes/all.yml
    
    $ kubectl rollout status ds -n bpf-daemonset bpf-daemonset
    daemon set "bpf-daemonset" successfully rolled out
  6. Fetch events generated by the BPF sensor:
    $ kubectl logs -f -n bpf-daemonset daemonset/bpf-daemonset
    BPF daemon started
    {"Pid":46947,"PPid":1293,"Comm":"xfce4-panel-gen","Uid":1000,"Args":["/usr/share/kali-themes/xfce4-panel-genmon-vpnip.sh"]}
    {"Pid":46949,"PPid":46948,"Comm":"ip","Uid":1000,"Args":["/usr/sbin/ip","tuntap","show"]}
    {"Pid":46950,"PPid":46948,"Comm":"cut","Uid":1000,"Args":["/usr/bin/cut","-d",":","-f1"]}
    {"Pid":46951,"PPid":46948,"Comm":"head","Uid":1000,"Args":["/usr/bin/head","-n","1"]}
    [...]
  7. Delete the DaemonSet:
    kubectl delete -f deploy/kubernetes/all.yml
    
  8. Delete the test cluster:
    kind delete cluster
    
