Installing Tracee in Kubernetes¶
This guide will help you get started with Tracee by installing it in a Kubernetes cluster.
Prerequisites¶
- Supported environment - please refer to the Prerequisites
- Kubernetes - this was tested on minikube, but should work the same with most other Kubernetes distributions
- Helm
Verify step
kubectl get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-565d847f94-kd9xx 1/1 Running 0 15s
kube-system etcd-minikube 1/1 Running 0 26s
kube-system kube-apiserver-minikube 1/1 Running 0 26s
kube-system kube-controller-manager-minikube 1/1 Running 0 26s
kube-system kube-proxy-cvqjm 1/1 Running 0 15s
kube-system kube-scheduler-minikube 1/1 Running 0 26s
kube-system storage-provisioner 1/1 Running 0 15s
Install Tracee¶
The provided Helm chart will install Tracee as a DaemonSet so that it's tracing all the nodes in the cluster.
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update
helm install tracee aqua/tracee --namespace tracee --create-namespace
Verify step
kubectl get pods -n tracee
NAME READY STATUS RESTARTS AGE
tracee-fcjmp 1/1 Running 0 4m11s
Once installed, Tracee immediately starts producing events. Since Tracee is deployed as a DaemonSet, a Tracee Pod is running on every node in the cluster. Every Tracee Pod is monitoring the node it is running on.
Viewing Events¶
The easiest way to tap into the log stream of all Tracee Pods is with the kubectl logs command:
kubectl logs -f daemonset/tracee -n tracee
Note
Tracee can produce a very high volume of events which could overwhelm kubectl's log collection command. If run in a busy cluster or with a verbose policy, this command might be slow or unresponsive.
In production scenario you would probably want to collect and ship events logs into a persistent storage that you can query.
You can use any log collection solution of your choosing. We have a tutorial on how to do this using the open source Grafana Stack here.
Applying Policies¶
By default, Tracee collects a basic set of events that gives you a general overview of the cluster. If you're looking to do more with Tracee, You might want to create a new Policy. A policy lets you capture specific set of events from a specific set of workloads. For example, if you have an application that you want to monitor more closely, or in a specialized way, you can create a policy scoped to that application, with a different set of events and filters applied. To learn more, please refer to the Events and Policies sections.
When you are ready to apply a policy, it's as easy as kubectl apply -f your-policy.yaml. More details here.
Configuring Tracee¶
In some cases you will need to configure Tracee to your preferences. For example, to change the output event format, or to set a different log level. To learn more about available configuration options please see the configuration section.
Tracee's configuration is accessible as a ConfigMap in Kubernetes. Since we installed Tracee with Helm, you can also configure Tracee with it, for example: helm upgrade tracee --set config.cache.size=1024. More details here.
Optional: Exercising a security event¶
To see Tracee in action, let's simulate a security event. We'll do a "file-less" execution, which is a common evasion technique used by some malware, and is flagged by Tracee as suspicious activity. To simulate this, we'll use the tracee-tester example image it will simulate the suspicious activity without harming your environment.
kubectl run tracee-tester --image=aquasec/tracee-tester -- TRC-105
You can see the event in the logs:
kubectl logs -f ds/tracee -n tracee | grep fileless_execution
Next steps¶
Familiarize with the different events, filters, and configuration options in the documentation.
Read other tutorials.
For help and support, feel free to use GitHub Discussions.
Video Content¶
If you prefer a video version of the Kubernetes installation guide, have a look at the following video:
Getting started with eBPF in Kubernetes - Tracee Installation Guide
