Detect real-time malicious behavior in Kubernetes clusters

Learn why CISOs at the fastest growing companies choose Wiz to secure their Kubernetes workloads.

Using eBPF in Kubernetes: A security overview

eBPF provides deep visibility into network traffic and application performance while maintaining safety and efficiency by executing custom code in response to the kernel at runtime.

Wiz Experts Team
6 minutes read

eBPF is a game-changing kernel technology that’s transformed how we interact with operating systems. Initially designed for packet filtering and named the Berkeley Packet Filter, eBPF (extended BPF) has evolved into a powerful tool for running sandboxed programs within the kernel space, enabling developers to extend kernel functionality without modifying kernel source code. eBPF provides deep visibility into network traffic and application performance while maintaining safety and efficiency by executing custom code in response to the kernel at runtime.

In modern computing environments, eBPF programs have become essential for monitoring and securing complex systems and optimizing load balancing across Kubernetes clusters. So how does it work? 

Because eBPF operates at the kernel level, it observes and manipulates system behavior with minimal performance overhead (using eBPF maps to store and manage collected data). By hooking into various kernel tracepoints, functions, and events, eBPF provides insights into network activities, system calls, and other critical operations, enabling developers to troubleshoot issues, optimize performance, and enhance security.

eBPF’s capabilities are especially useful for the Kubernetes ecosystem. The de facto standard for container orchestration, Kubernetes presents unique challenges for monitoring and security due to its dynamic and ephemeral nature: Traditional monitoring tools often struggle to provide the granularity and real-time visibility required. Here, eBPF shines by offering outstanding insights into the kernel layer, capturing detailed data on network packets, application behavior, and system resource usage.

In this blog post, we'll explore how eBPF's integration into Kubernetes operations is reshaping the landscape of cloud-native security and observability. Let’s dive in.

The rise of eBPF in Kubernetes operations

From what we’ve seen, it’s no surprise that the growing adoption of eBPF within the Kubernetes ecosystem is driven by its ability to provide deep, low-overhead visibility into system and network activities. As Kubernetes evolves, eBPF's role in enhancing the resilience and reliability of cloud-native operations will continue to expand. Here’s a closer look at eBPF’s growing popularity.

Limitations of traditional monitoring tools

Traditional monitoring tools face significant challenges when managing complex systems like Kubernetes. Tools like ptrace or other kernel modules, still used in some solutions, provide limited real-time insights and may also struggle to keep up with the rapid changes in containerized environments, leading to blind spots in monitoring and security.

And because these tools often run in user space, they lack visibility into the kernel's internal operations. This gap further hinders effective management and observability, making detecting and diagnosing issues such as resource contention, anomalous behavior, and security threats difficult. 

Another challenge is the overhead associated with traditional monitoring approaches. Polling-based systems can introduce performance issues, consuming valuable CPU and memory resources that could otherwise be allocated to application workloads. Suboptimal performance is particularly problematic in Kubernetes environments, where efficient resource utilization is critical.

eBPF's deep visibility into Kubernetes

As previously mentioned, eBPF overcomes the limitations of traditional tools by providing comprehensive visibility into the kernel, enabling real-time monitoring and analysis of system activities. With eBPF, you can attach programs to specific kernel functions, tracepoints, or network events, capturing detailed insights into container and network activity.

For example, eBPF-based tools can monitor network packets at the kernel level, providing a granular view of network traffic within your Kubernetes clusters. With visibility into the kernel level, you can identify performance bottlenecks, troubleshoot network issues, and ensure compliance with network policies. Additionally, eBPF can trace system calls made by applications, offering insights into application behavior and resource usage.

Real-time monitoring is particularly valuable for enhancing security. eBPF can be used to enforce security policies, detect anomalous behavior, and prevent potential breaches by sandboxing suspicious code paths. For instance, eBPF can detect non-standard socket inputs, indicating a possible remote code execution (RCE) attack, or track attempts to access restricted files like /etc/shadow, helping to prevent data breaches and system compromises.

Here’s a quick summary of eBPF’s benefits:

BenefitDescription
Comprehensive network analysiseBPF enables detailed monitoring of network packets, identifying bottlenecks and traffic patterns.
Fine-grained system tracingeBPF traces system calls and kernel events, offering insights into application behavior.
Proactive threat detectioneBPF detects and mitigates security threats by monitoring and sandboxing suspicious activities.
Efficient resource allocationeBPF aids in optimizing the use of system resources within Kubernetes clusters.
Enhanced performance tuningeBPF provides real-time data to fine-tune application and system performance.
Dynamic policy enforcementeBPF enforces security and compliance policies directly at the kernel level.

Best practices for integrating eBPF in Kubernetes

1. Ensure kernel compatibility

Before deploying eBPF programs, first verify that your Linux kernel version supports eBPF

Not all kernel versions have the same level of eBPF support, and some features may be available only in newer kernels. Ensure kernel compatibility by checking that your Linux kernel version supports eBPF, which may involve loading kernel modules to enable necessary features.

Actionable Items:

  • Check the current kernel version.

  • Verify eBPF feature support using bpftool.

  • Update the kernel if necessary to ensure compatibility.

Here’s how to check your kernel version and eBPF support in your terminal:

# Check kernel version
uname -r

# Verify eBPF support
sudo apt-get install bpftool
sudo bpftool feature

2. Leverage existing tools and frameworks

Start by using established eBPF tools and frameworks, such as BCC (BPF Compiler Collection) or bpftrace, to trace and monitor system behavior. These tools provide a high-level interface for writing eBPF programs, making it easier to get started without diving deep into kernel code.

Actionable Items:

  • Install BCC and bpftrace on your Kubernetes nodes.

  • Use bpftrace to write and execute tracing scripts.

  • Utilize BCC tools to gather performance metrics.

Here’s sample code for tracing system calls with bpftrace:

sudo bpftrace -e 'tracepoint:syscalls:sys_enter_open { printf("filename: %s\n", str(args->filename)); }'

Use BCC to monitor network packets in Python with this code snippet:

from bcc import BPF

# Load BPF program
b = BPF(text="""
int kprobe__tcp_sendmsg(struct pt_regs *ctx) {
    bpf_trace_printk("tcp_sendmsg called\\n");
    return 0;
}
""")

# Print output
b.trace_print()

3. Use eBPF for targeted observability

Utilize eBPF to monitor specific aspects of system performance, such as networking, security, and application behavior. Attaching eBPF programs to kernel tracepoints, kprobes, or uprobe events allows you to collect data on system calls, network packets, or function calls in user space applications, providing deep insights with minimal overhead.

Actionable Items:

  • Identify critical performance metrics, such as CPU usage, memory, network latency, and I/O operations.

  • Develop custom eBPF programs using BCC or bpftrace to capture these metrics.

  • Deploy eBPF programs using Kubernetes DaemonSets, managing scripts via ConfigMaps or secrets.

  • Visualize and analyze data using Grafana and Prometheus, setting up dashboards and alerts for real-time monitoring.

Use this code to trace network packets with eBPF in Python:

from bcc import BPF

# Load BPF program to trace network packets
b = BPF(text="""
#include <uapi/linux/ptrace.h>
#include <linux/skbuff.h>
#include <net/sock.h>
#include <bcc/proto.h>

int trace_net_packets(struct pt_regs *ctx, struct sk_buff *skb) {
    u32 len = skb->len;
    bpf_trace_printk("Packet length: %d\\n", len);
    return 0;
}
""")

# Attach to function
b.attach_kprobe(event="netif_receive_skb", fn_name="trace_net_packets")

# Print output
b.trace_print()

4. Integrate eBPF with existing security policies

Enhance your Kubernetes security by integrating eBPF with your existing security policies. Use eBPF to enforce network policies, detect anomalous behaviors, and prevent security breaches by sandboxing suspicious code paths before they execute.

Actionable Items:

  • Define security policies, such as network access controls, syscall monitoring, and suspicious activity detection.

  • Develop eBPF programs that monitor and enforce these security policies.

  • Deploy the eBPF programs using Kubernetes DaemonSets and manage them via ConfigMaps or secrets.

  • Continuously monitor the effectiveness of eBPF programs, updating and refining them as necessary to address emerging threats.

Here’s an example of enforcing network policies with eBPF in Python:

from bcc import BPF

# Load BPF program to enforce network policies
b = BPF(text="""
#include <uapi/linux/ptrace.h>
#include <net/sock.h>
#include <bcc/proto.h>

int enforce_network_policy(struct pt_regs *ctx, struct sock *sk) {
    u16 dport = sk->__sk_common.skc_dport;
    
    // Example: Block port 80
    if (dport == ntohs(80)) {
        bpf_trace_printk("Blocked connection to port 80\\n");
        return -1; // Block the connection
    }
    return 0; // Allow the connection
}
""")

# Attach to function
b.attach_kprobe(event="tcp_v4_connect", fn_name="enforce_network_policy")

# Print output
b.trace_print()

Implementing these best practices will help you make the most of eBPF in your Kubernetes environment in order to enhance observability, enforce security policies, and optimize performance.

Wiz: A comprehensive Kubernetes security solution

By integrating eBPF in Kubernetes, you can achieve a new level of security and observability, ensuring your containerized applications run smoothly and securely. Embrace eBPF technology to optimize your Kubernetes operations and stay ahead in the ever-evolving landscape of cloud computing. 

But remember: You don’t have to secure your Kubernetes ecosystem alone. Wiz is a comprehensive security platform that offers complete visibility and enhanced security for your Kubernetes clusters through agentless scanning. eBPF is used to augment Wiz's API scanning by validating vulnerabilities at runtime and adding real-time signals for threat detection and response. This defense-in-depth strategy covers prevention to detection, providing robust security. Wiz offers these key features:

  • Comprehensive visibility: Obtain detailed insights into all container and network activities.

  • Regulatory compliance: Meet industry standards and regulatory requirements effortlessly.

  • Kubernetes security posture management (KSPM): Perform agentless scans to uncover misconfigurations, secrets, vulnerabilities, and more.

  • Continuous monitoring: Utilize real-time signals and event correlations from containers, hosts, control planes, and the cloud to maintain a thorough understanding of the attack surface.

  • Proactive detection and response: Efficiently detect and address potential security threats.

Request a demo today and discover how Wiz helps you secure your Kubernetes clusters with the latest technologies, including eBPF!

Empower your developers to be more productive, from code to production

Learn why the fastest growing companies choose Wiz to secure containers, Kubernetes, and cloud environments from build-time to real-time.

Get a demo 

Continue reading

What Is Shadow IT? Causes, Risks, and Examples

Wiz Experts Team

Shadow IT is an employee’s unauthorized use of IT services, applications, and resources that aren’t controlled by—or visible to—an organization’s IT department.

What is API Security?

API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.

What is Data Classification?

Wiz Experts Team

In this post, we’ll explore some of the challenges that can complicate cloud data classification, along with the benefits that come with this crucial step—and how a DSPM tool can help make the entire process much simpler.