Description

eBPF has become an emerging technology in the security field. However, there are still some challenges to overcome.

In an IT environment, a security engineer often needs to manage security tools and their policies on multiple systems, e.g., laptops or Kubernetes clusters. In this case, the permission to change or disable these tools is treated as a separate permission, and these settings cannot be modified by a local administrator.

However, using an eBPF program in a Kubernetes environment is a different story.

While RBAC authorization can define which users may read or write which kinds of Kubernetes resources, at the host level there is no isolation at the kernel/eBPF level. This means a local administrator can easily change or disable these security tools directly from the host or from a privileged container.

Thanks to this talk at the Linux Security Summit this year, it is technically possible to prevent unauthorized eBPF map access, but this requires a single-purpose rule engine and a new tech stack.

The idea is to try this via the CNCF project Tetragon. This comes with a few benefits:

  • Tetragon is a CNCF project.

  • Tetragon offers a common rule engine that users can use.

  • It provides different options to enforce a policy, including kprobe + fmod_ret on platforms without BPF LSM.

Goals

Provide a POC that prevents eBPF maps from being modified from the host level or from another privileged container, using a Tetragon policy.

Resources

Currently only me.

This project is part of:

Hack Week 25

Activity

  • about 5 hours ago: sawang originated this project.