Privileged execution
Tetragon can also report the capabilities a process holds and the kernel namespaces it runs in. This information helps determine which process or Kubernetes pod has started with, or later gained, privileges or host namespace access that it should not have, and lets us answer questions such as:

- Which Kubernetes pods are running with CAP_SYS_ADMIN in my cluster?
- Which Kubernetes pods have host network or PID namespace access in my cluster?
Step 1: Enabling Process Credential and Namespace Monitoring
Edit the Tetragon configmap:
```shell
kubectl edit cm -n kube-system tetragon-config
```

Set the following flags from "false" to "true" (ConfigMap data values are strings, so the values stay quoted):

```yaml
enable-process-cred: "true"
enable-process-ns: "true"
```

Save your changes and exit.
Restart the Tetragon daemonset:
```shell
kubectl rollout restart -n kube-system ds/tetragon
```
Step 2: Deploying a Privileged Nginx Pod
Create a YAML file (e.g., privileged-nginx.yaml) with the following PodSpec:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: privileged-the-pod
spec:
  hostPID: true
  hostNetwork: true
  containers:
  - name: privileged-the-pod
    image: nginx:latest
    ports:
    - containerPort: 80
    securityContext:
      privileged: true
```

Apply the configuration:

```shell
kubectl apply -f privileged-nginx.yaml
```
Step 3: Monitoring with Tetragon
Start monitoring events from the privileged Nginx pod:
```shell
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout -f | tetra getevents --namespace default --pod privileged-the-pod
```

You should observe Tetragon generating events similar to these, indicating the privileged container start:

```
🚀 process default/privileged-nginx /nginx -g daemon off; 🛑 CAP_SYS_ADMIN
```
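The compact `tetra` output above is convenient for watching one pod, but answering the two questions from the introduction across a whole cluster (which pods hold CAP_SYS_ADMIN, which run in host namespaces) is easier over the raw JSON that `export-stdout` emits. The following is an added example, not code from the Tetragon project: it reads JSON event lines, and for every `process_exec` event inspects the effective capability set and the `is_host` flag of the PID, network and mount namespaces, then aggregates the reasons per `namespace/pod`. The field paths (`process.cap.effective`, `process.ns.<name>.is_host`, `process.pod.namespace`, `process.pod.name`) follow Tetragon's process event structure but should be confirmed against the Tetragon version you run; the sample events embedded in the block are constructed for illustration and are not real captured output.

```python
import json
import sys

# Constructed sample of export-stdout lines: one privileged pod, one ordinary
# pod, a non-exec event and a junk line. The event field layout is an
# assumption modelled on Tetragon's process_exec events.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"process_exec": {"process": {
        "binary": "/usr/sbin/nginx", "arguments": "-g daemon off;",
        "cap": {"effective": ["CAP_SYS_ADMIN", "CAP_NET_ADMIN", "CAP_CHOWN"]},
        "ns": {"pid": {"inum": 4026531836, "is_host": True},
               "net": {"inum": 4026531840, "is_host": True},
               "mnt": {"inum": 4026532700, "is_host": False}},
        "pod": {"namespace": "default", "name": "privileged-nginx"}}},
        "node_name": "node-a"}),
    json.dumps({"process_exec": {"process": {
        "binary": "/usr/sbin/nginx", "arguments": "-g daemon off;",
        "cap": {"effective": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE"]},
        "ns": {"pid": {"inum": 4026532701, "is_host": False},
               "net": {"inum": 4026532702, "is_host": False}},
        "pod": {"namespace": "default", "name": "plain-nginx"}}},
        "node_name": "node-a"}),
    json.dumps({"process_exit": {"process": {
        "binary": "/bin/sh",
        "pod": {"namespace": "default", "name": "plain-nginx"}}}}),
    "not json at all",
])

# Capabilities and namespaces worth flagging; extend to taste.
WATCHED_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_NET_ADMIN"}
WATCHED_NS = ("pid", "net", "mnt")


def iter_events(text):
    """Yield parsed JSON objects, skipping blank or non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def findings(event):
    """Reasons a process_exec event counts as privileged, or [] if none."""
    exec_event = event.get("process_exec")
    if not exec_event:
        return []
    proc = exec_event.get("process", {})
    reasons = []
    effective = set(proc.get("cap", {}).get("effective", []))
    for cap in sorted(effective & WATCHED_CAPS):
        reasons.append(f"cap:{cap}")
    namespaces = proc.get("ns", {})
    for name in WATCHED_NS:
        if namespaces.get(name, {}).get("is_host"):
            reasons.append(f"host-ns:{name}")
    return reasons


def privileged_pods(text):
    """Map 'namespace/pod' to the sorted list of reasons seen across events."""
    result = {}
    for event in iter_events(text):
        reasons = findings(event)
        if not reasons:
            continue
        pod = event["process_exec"]["process"].get("pod", {})
        key = f"{pod.get('namespace', '?')}/{pod.get('name', '?')}"
        result.setdefault(key, set()).update(reasons)
    return {key: sorted(reasons) for key, reasons in result.items()}


if __name__ == "__main__":
    # Read piped export-stdout output; fall back to the constructed sample.
    data = SAMPLE_EVENTS if sys.stdin.isatty() else sys.stdin.read()
    for pod, reasons in privileged_pods(data).items():
        print(f"{pod}: {', '.join(reasons)}")
```

To run it against a live cluster, pipe the exporter output into the script instead of `tetra`, for example `kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout | python3 privileged_pods.py`; with the constructed sample it reports only `default/privileged-nginx`, with CAP_SYS_ADMIN, CAP_NET_ADMIN and host PID and network namespaces as the reasons, while the ordinary pod is not listed.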