
Installing Tracee in Kubernetes

This guide will help you get started with Tracee by installing it in a Kubernetes cluster.

Prerequisites

  • Supported environment - please refer to the Prerequisites
  • Kubernetes - this was tested on minikube, but should work the same with most other Kubernetes distributions
  • Helm
Verify step
kubectl get po -A
NAMESPACE     NAME                               READY   STATUS    RESTARTS   AGE 
kube-system   coredns-565d847f94-kd9xx           1/1     Running   0          15s 
kube-system   etcd-minikube                      1/1     Running   0          26s 
kube-system   kube-apiserver-minikube            1/1     Running   0          26s 
kube-system   kube-controller-manager-minikube   1/1     Running   0          26s 
kube-system   kube-proxy-cvqjm                   1/1     Running   0          15s 
kube-system   kube-scheduler-minikube            1/1     Running   0          26s 
kube-system   storage-provisioner                1/1     Running   0          15s 

Install Tracee

The provided Helm chart will install Tracee as a DaemonSet so that it's tracing all the nodes in the cluster.

helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update
helm install tracee aqua/tracee --namespace tracee --create-namespace
Verify step
kubectl get pods -n tracee
NAME           READY   STATUS    RESTARTS   AGE 
tracee-fcjmp   1/1     Running   0          4m11s

Once installed, Tracee immediately starts producing events. Since Tracee is deployed as a DaemonSet, a Tracee Pod is running on every node in the cluster. Every Tracee Pod is monitoring the node it is running on.

Viewing Events

The easiest way to tap into the log stream of all Tracee Pods is with the kubectl logs command:

kubectl logs -f daemonset/tracee -n tracee

Note

Tracee can produce a very high volume of events which could overwhelm kubectl's log collection command. If run in a busy cluster or with a verbose policy, this command might be slow or unresponsive.

In a production scenario you would probably want to collect and ship the event logs into persistent storage that you can query.
You can use any log collection solution of your choosing. We have a tutorial on how to do this using the open source Grafana Stack here.

Applying Policies

By default, Tracee collects a basic set of events that gives you a general overview of the cluster. If you're looking to do more with Tracee, you might want to create a new Policy. A policy lets you capture a specific set of events from a specific set of workloads. For example, if you have an application that you want to monitor more closely, or in a specialized way, you can create a policy scoped to that application, with a different set of events and filters applied. To learn more, please refer to the Events and Policies sections.

When you are ready to apply a policy, it's as easy as kubectl apply -f your-policy.yaml. More details here.
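As an added illustration (not part of the original guide), here is a policy manifest of the kind the paragraph above describes: it is scoped to one workload rather than the whole cluster and lists the events to capture, one of them with an argument filter. The Policy apiVersion, the scope and rules keys, and the filter syntax follow the v1beta1 Policy format from the Tracee Policies documentation; the process name nginx, the policy name and the /etc/shadow path are assumptions chosen for the example, so check them against your own workload and the Policies section for your Tracee version before applying.

```yaml
# Example policy (assumed values): watch processes named nginx for
# fileless execution and for opens of a sensitive file.
apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
  name: nginx-fileless-watch
  annotations:
    description: Flag fileless execution and sensitive file opens from nginx
spec:
  scope:
    # Only events from processes whose command name is "nginx".
    # Use "global" instead to cover every process on every node.
    - comm=nginx
  rules:
    # Signature event, the same one the "Exercising a security event" step greps for.
    - event: fileless_execution
    # Raw event narrowed with an argument filter so that routine file opens are not collected.
    - event: security_file_open
      filters:
        - args.pathname=/etc/shadow
```

Save it as your-policy.yaml and apply it with kubectl apply -f your-policy.yaml, then check kubectl logs -f daemonset/tracee -n tracee to confirm that only the scoped events appear. Keeping the scope narrow and filtering raw events is what keeps a policy from producing the high event volume mentioned in the Note above.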

Configuring Tracee

In some cases you will need to configure Tracee to your preferences, for example to change the output event format or to set a different log level. To learn more about the available configuration options, please see the configuration section.

Tracee's configuration is accessible as a ConfigMap in Kubernetes. Since we installed Tracee with Helm, you can also configure Tracee with it, for example: helm upgrade tracee aqua/tracee --namespace tracee --set config.cache.size=1024 (helm upgrade needs the chart name and the namespace Tracee was installed into). More details here.

Optional: Exercising a security event

To see Tracee in action, let's simulate a security event. We'll do a "file-less" execution, which is a common evasion technique used by some malware, and is flagged by Tracee as suspicious activity. To simulate this, we'll use the tracee-tester example image, which reproduces the suspicious activity without harming your environment.

kubectl run tracee-tester --image=aquasec/tracee-tester -- TRC-105

You can see the event in the logs:

kubectl logs -f ds/tracee -n tracee | grep fileless_execution 

Next steps

Familiarize yourself with the different events, filters, and configuration options in the documentation.

Read other tutorials.

For help and support, feel free to use GitHub Discussions.

Video Content

If you prefer a video version of the Kubernetes installation guide, have a look at the following video:

Getting started with eBPF in Kubernetes - Tracee Installation Guide
