From YouTube: CNL: Intro to Tetragon
A
Thank you. So welcome to Cloud Native Live, where we dive into the code behind cloud native. I am Mohamed and I'm a CNCF Ambassador, so I will be your host tonight. Every week we bring a new set of presenters to showcase how to work with cloud native technologies. They will build things, they will break things and they will answer your questions. In today's session, I'm stoked to introduce Mahe, security engineer at Isovalent, who will be presenting.
A
Best security, observability and runtime enforcement. This is an official live stream of the CNCF and, as such, is subject to the CNCF Code of Conduct, so please do not add anything to the chat or questions that would be in violation of the Code of Conduct. Basically, please be respectful to all of your fellow participants and presenters. So with that, I will hand it over to Mahe to kick off today's presentation. Okay. Let's add five, so hey Mahe, how are you?
B
Hello, thank you for the introductions, yeah. So as, as I was introduced, I'm working at Isovalent, I'm part of the Tetragon team, and today we are going to speak about Tetragon in general and do a little introduction to Tetragon with some nice demos, I hope that will work. So maybe we can start the session by, I can share my screen and show around the project.
A
B
Thanks. So yeah, as it was introduced, Tetragon is an eBPF-based security observability and runtime enforcement software, and we have, like, I think the entry point for the project is the indicator repository. So this is the repository. You have plenty of information here and we have this big README that has been. We worked very recently in this into this new website.
B
So if you want to learn about Tetragon in general, please stay in this session, but you can go to the website. You have some information about who is using Tetragon, what does it do, how does it work, and more videos for in-depth learning about Tetragon. So yeah, in general, like, let's, let's involve your Tetragon. So Tetragon is an agent, which is the user space side.
B
So we have the Tetragon agent running on each node of Kubernetes clusters when you deploy Tetragon on Kubernetes clusters, and we have a part of Tetragon that is running inside the Linux kernel, which is the BPF programs, which are the BPF programs. So with those programs you can basically hook into pretty much anything in the Linux kernel and you can observe process execution, syscall activity and all these examples that were written on this page. So the good thing about Tetragon is that it's Kubernetes aware.
B
So the idea is to deploy Tetragon on your Kubernetes cluster. It's the stuff we are going to do on the demonstration, and then you can observe what's happening inside of your application and just show your parts. So you can get all this information. So I think to kick start, yeah, maybe we should, we should start by, to the first demonstration maybe, if it's fine. Yeah, sure. Yeah, so I have prepared this little setup. So here I have a Kubernetes cluster running, so it's actually deployed on AWS, but never mind.
B
I, I just installed Cilium on it, so it was just because I, like, I wanted. Actually Tetragon has, no, you don't need to run Cilium to run Tetragon. They are completely independent. So first things we are, first thing we are going to do today is to install Tetragon. So you can use the electrical and charts and install Tetragon with the basic default, just like that. So if you install Tetragon, you will get a few pods, so you'll get, sorry.
B
Okay, so yeah, we just have the starting logs of Tetragon, and the first thing I want to show you is that basically, the, the, the first thing by default that Tetragon can do is to observe the process execution of what's happening inside of your cluster. So this is the first use case in the documentation, and the idea is to get events from Tetragon in a way to observe when processes are starting and processes are exiting. So I will try to show you that. So here Tetragon started by default.
A
B
All right, so, for example, you can see on, on the line in loading BPF program, you have the BPF exit before, so we have already a few BPF programs, so BPF, some BPF maps, and Tetragon is already able to, to listen, to create some events around the execution. So let's, let's, let's do that. So, for example, let's create a pod in the default namespace. So let's create a pod that does basically nothing, we'll just create a pod that sleeps with the Ubuntu image. So to see the Tetragon events.
B
Here, you are seeing the logs of the Tetragon agent, the daemon, but if you want to see the events, you can basically do just like that, like that, and it defaults to the export-stdout, which is a container inside of the deployment that just basically tails the output file for the events. So here, if we run this pod into the default namespace, just line up, so it's creating and we should see that something happened here.
B
So we had our first event: Tetragon detected, like, an execution, and the reason why you don't see a lot of execution going inside of the cluster right now is that, that Tetragon is, is filtering the pods, sorry, so yeah. You only see the, the events of the execution of pods in the default namespace, because Tetragon is filtering on the, on the namespace, and you don't see any activity for the kube-system
B
namespace, which is the one in which Tetragon is installed, in this spot, are installed, but if we retrieve evolved from default, you can see the what name sleepy here and we have the process. So let's dive into this, this event to learn a little bit more about what Tetragon told us.
B
So what we end up with is an event called a process exec. So we see that some process started into some pods, so we can retrieve most of the Linux needed information: the PID, the UID that started this process, the current working directory, binary, a list of the arguments. But what's interesting here is that we also have the, sorry, we also have the Kubernetes-related information, so we can see the namespace of the pod, the name of the pod.
B
We can also know the exact container in that pod, when it was started, when the pod was started and not, like, the execution, the label it has, this kind of stuff. We can even retrieve the parents of the, this execution. So we can see that the thing that started, the, the, the execution of the, the infinite sleep was containerd shim runc. So we can see the, the container runtime that actually started the process.
B
B
B
We have an exit event, so what it shows is that this process was started and just after it exited with the exit code of zero, and same for their colors as well, but we can see that the bus station that just started and was not exited yet, we just have to do the creation process. So with that in mind, if you execute anything in the, in the, in the project, you can see the execution here. You can see the description of the ls.
B
We can see the exit of the ls. So already with that, that part of Tetragon, which is again shipped by default, you can get a lot of your cluster activity and, and you can try to gather that information and maybe put that into a, like, something like Splunk, in which you will process this information, like what happened at this specific moment in time or this kind of stuff. But here let's go a little bit more in detail for different use cases. So what we saw here is the process lifecycle.
B
So this is the default thing, but maybe what you want to do is a bit more advanced, and what I wanted to show you is that Tetragon has this thing called tracing policy, so there is a documentation page about it. Tracing policy is a Kubernetes custom resource, and the idea is that you can use this sort of configuration files, policy files, to extend what Tetragon is able to observe. So basically they take this kind of form. It's really nice, because in the end, what it means is that you can.
B
You can basically write some YAML file that will describe, some YAML files that will describe what you want to observe, what you want to do with that. We will see a bit of enforcement after that, and the idea is that Tetragon will read these YAML files and transform them into BPF programs that will be loaded into your kernels, into your kernel and kernels of all your nodes, and so that you can extend and observe exactly what you want inside of the Linux kernel.
B
Here we have the Tetragon pod. We have the new pod I just created. Let's just, before, let's install curl inside the pod, because I know it's not installed by default. So here you can see all the activity going on when I run apt install curl.
B
Right, so this is those two I've got available, so now what we want to do is to load the tracing policy I was speaking about. So here we have this connect, TCP connect tracing policy, so it's just another Kubernetes custom resource. So there is this API version with Cilium v1alpha1, the kind tracing policy. It has a name like every Kubernetes resource and a spec. So the spec is the custom part of it. You have this documentation that tries to explain to you how to build those.
B
What we are going to use first is something called kprobes. So kprobes is not something from Tetragon, it's something from the Linux kernel. Kprobes, basically, basically the system in the Linux kernel to put a breakpoint anywhere into the kernel and observe something. So with Tetragon, you can use kprobes to hook into symbols into the kernel.
B
So here what we want to observe is TCP connect, TCP close and TCP send message, so this event will be associated with a network activity, and the idea is to hook the TCP connect call, the TCP close and TCP send message. So here we can see that we have this, this thing here called syscall false, so it means that this specific kprobe we are going to look into is a regular kernel function.
B
It's not a syscall, and we have some argument description, we'll talk about that a little bit later, but the big idea is that we have these three kprobes: connect, close and send message. So what I will do next is load this tracing policy into the Kubernetes cluster with kubectl apply, and Tetragon will actually pick up this thing, so we'll see some activity here, loading the, the new BPF programs generated from this specific tracing policy in order to gain some observability. So let's do that, so I load.
B
B
B
You see some interesting thing happening here. We have three new events. These events were basically created thanks to the tracing policy we just wrote, and we can see the connect event, the send message and the close. So this is the compact form, but basically we extracted some arguments from these events and we can retrieve the IP address that was finally contacted to, to, to do that network connection.
B
A
B
Yeah, yep, okay, okay, no questions. So, so this is like the part about, like, observability thing, but I wanted now to, to show you maybe a little bit more about enforcement because, like, Tetragon can of course observe, then you can also do enforcement with those tracing policies, and it's super, and it's super efficient. So let's, let's extend Tetragon a little bit more, so we can remove the tracing policy. That was, oh, I didn't unload the previous one.
B
So yeah, now what we want to do, sorry, we have our pods, and what we want to do is to do some enforcement with Tetragon. So let's look at, we can look at this one, or tracing policy that I prepared, this.
B
Maybe this one? Sorry, oh no, it's this one. Let's, let's in the first step maybe remove that. So here we have another tracing policy, so this one is a little bit different. We still use kprobes, which are this kernel thing, and we hook into, this time, a syscall, which is called symlinkat, which is a syscall that you can use to create symlinks on your linear collection. So now we write that syscall is equal to true.
B
It will be actually useful for Tetragon to retrieve the arguments, we'll talk about that a little bit later, but what I wanted to show you is that you can add selectors. So selectors are used to filter what you want to observe on, on first on, but here we'll just use the, the selector called matchActions that allows you to add an action when you witness an event.
B
So the idea behind this tracing policy is to say if someone tried to call this syscall called symlinkat. So maybe I didn't introduce that, but a syscall is basically the interface between user space and kernel space in the Linux kernel. So the Linux kernel exposes some, some calls for the programs to, to use, and symlinkat is one of those that you will use when you are creating symlinks with, for example, ln -s something to some, put some, some file, so yeah.
B
We want to look into the syscall, and the idea is to use the action called override that will override the return value of the syscall with a, an error. Here it's minus one, but you can put another value. So let's see what it does. So right now, if we are going to exec into the pod, we can create symlinks. So a way to create symlinks, as I said before, is to write something like that. So, for example, I want to create a symlink to /etc/passwd here.
B
So we apply it. We see some logs on the top side, top side here, so now it should be loaded. And now, if we execute again into this pod and we try to create a symlink to, for example, /etc/passwd here, we get "failed to create symbolic link: Operation not permitted", because, basically, what happened is that the, the system call that ln -s was calling returned -1. Here on the event side, we can see that this is called open.
B
You can see that actually, this is prefixed by the architecture of the nodes that are running the cluster. I chose the arm64 nodes, because, because why not, and here you can see, so this syscall was observed, the return value was overridden and the operation was blocked, essentially. So we can basically not create any symlink on this, on this Kubernetes cluster.
B
B
So yeah, so symlinkat is a syscall. You can have its documentation by looking at the Linux manual. So if we look at that, we can retrieve that symlinkat has three arguments, and when you observe events, you might want to know what, whether, what were the arguments that were used in the symbol that you are witnessing and, and see at the moment. So what you can do is, is define the arguments used by the, by the, the kprobe.
B
The call that you want to observe. So here we say the, the first in the string. The first argument is the string, is the const char pointer, which is a string in C. The second one is an integer and the third one is also a string. So what it will tell us is that if we use Tetragon again now, we will be able to extract the arguments that were used when, when this someone or some pods called the, this syscall, we.
A
B
So no, at this, we will see that a little bit later, but at this stage it blocks all, all syscalls that are done in the whole Kubernetes cluster. It was the question, right? Like, he, can you, can you just repeat the end of the question? Okay.
A
B
No, yeah, no, no, in this situation, it will block everything. Basically, it will block, you, yeah, everything, because we did not, like, put any filtering, so Tetragon will retrieve all the events from the host and basically it will retrieve everything and it will override the return value on everything.
B
So this is not really something you, you would like to, to deploy into your production clusters, right? So, so we'll see how we can perform more fine-grained filtering later on, based on Kubernetes namespace and pod labels, but it will be just for a little, a bit later.
B
Do this action. So here we will deploy this new policy, so we can see that it was just loaded here. We have some logs that appeared, and now, if I go inside the pod again and try to create the symlink, so if I do a symlink to /etc/passwd to here again, it's just blocked by Tetragon, and we can see the event here. But now what's interesting is that if we try to create a symlink from here, it's all right. We, we have the right to do it, so error points to it.
B
You see it was created, but the, the whole idea behind this demonstration is to show that Tetragon is able to do some in-kernel filtering based on the value of the arguments of the calls that you are looking into, so yeah. We refine exactly what we wanted to write. So this policy is not that great.
B
It's, it's just an example of, on symlink, but you can imagine something more sophisticated on file filtering, network filtering. As long as you have, like, actions and selectors on how to match on your arguments, you can write pretty, like, like a specialized, like, tracing policy, to do what you want to do. So now, maybe to answer the question a little bit more that we received before, I just want to, to show you a feature that just got into Tetragon pretty recently.
B
B
B
It's listening to events and we just enabled the policy filter, so let's create some new pods. The idea here is that we will be able to use Kubernetes things, or user space things from Kubernetes metadata, so the namespace, the labels, to apply policies on some pods and not apply some policies on other pods. So.
B
Let's create a new namespace here. We have, at the moment we have mostly things running into the kube-system, the default, so let's create a namespace, for example, called live stream here, and next create the pod into that, into that live stream namespace, and it's called, or Ubuntu, why not, that sleeps as well.
B
So the idea here would be to apply a tracing policy, so apply some enforcement or observability, but in only one Kubernetes, and Kubernetes namespace. So let's take the same example as before. So now, maybe you can, you can see that the, the kind changed a little bit. It's now a tracing policy namespaced. So the resource I showed you just before, the tracing policy, the cluster-wide resource, but this one is actually, in, tied to one specific namespace, and this one does deny all symlink creation.
B
So if we load down, oh no, I just loaded that in the kube-system namespace, I think. Oh, what, what did I write into that one?
B
Oh, no, sorry, yeah, I know that, yeah, I think yes. So let's just, never mind, let's, let's just delete this, that one, and creating the correct namespace. So apply, namespace, and let's deploy it, for example, into the live stream.
B
So here we can see some activity from Tetragon, that it picked up the new, newly created tracing policy that is namespaced, and if we get the tracing policy namespaced from live stream, we should see denials in English. So the idea is that if we go into the pod in the default Kubernetes namespace, we should be pretty fine about, like, creating some, do I have any symlink or not, creating new symlink here. So again, /etc/passwd here, it's all fine.
B
You can create those, but if we go, if we exec into Ubuntu in the live stream namespace, Kubernetes namespace, here you can see the activity, and if we go into the, I go here and try to create that similar symlink, it's just not permitted. So what you just witnessed is the fact that Tetragon is able to perform some in-kernel filtering with actual Kubernetes metadata information. So you can filter your observability, your enforcement based on Kubernetes namespace, so.
B
That's good for everyone. I wanted to show you, one next step is that's how you can use labels to do very similar stuff, so it's, it's very similar to what we just, so it's just, it's not using namespace as a filtering mechanism, but using pods labels.
B
So let's unload that one beginning that I stream interface, so it wasn't loaded, the maps were unloaded, and what we want to apply now is the last one I crafted for today, which is the leather uname. So I just changed the syscall we are going to, we are going to look into, the syscall uname. So uname, you, you might know it, you might not know it. It's used when you are trying to retrieve information about your Linux.
B
So if you want to retrieve information about your kernel version, the host name, this kind of stuff, the utility uname is using that syscall to, to perform that, that action. So it's a pretty innovative cycle, but it was just for the sake of the example in this, in this demonstration.
B
So the idea is to prevent, due to literally to use the syscall, and what's new here is that we are using, so this cluster-wide tracing policy, but with some pod selector. So I think those are similar as Cilium network policy pod selector, and the idea is that you can use match labels on that, and if any pods are the label called app with the value sleeper, this policy will apply. So let's load that policy, so that one is cluster-wide.
B
We don't really care about where we put it, we don't need to specify the namespace. So it's loading that policy. So if we go into a Ubuntu, for our sleepy pod from the default namespace, we can pretty much use uname, right? We can retrieve the, all the information about the, like, a little bit behind the scene.
B
B
Not very, oh yeah, let's find our syscall. So what I'm showing you right now is just how is, strace is just a way to see what syscall is, like, what, what, what syscall your binary is actually calling under the hood. So if we grep with the uname, oh no, it's strace, I mean a, and we redirect we'll put.
B
So the logs that we can even assuming, okay, right, yeah, so the, the ones we are seeing at the moment, they are stored, if we go into the Tetragon pod.
B
Yeah, the Tetragon container in the Tetragon pod, you can see in the /var/run you have these files, and in cilium tetragon you have the Tetragon log files. So this file, if we look into it, you have all the events that are written to, to this specific file. It's, it's the case because we, we just set a specific flag in the Helm charts, so the Helm chart.
B
So all the events we are seeing, they are stored in this file, and the idea is that you can use stuff like, for example, Fluentd to maybe fetch this, these files and put that in some database, but here in my example, I'm mostly reading straight from the kubectl logs thing. So it's just that in the, if we look into the, the Tetragon pod a little bit more in detail. Oh my, we.
B
So, so you, so not really, there is no, like, Tetragon sidekick, but you can actually use something called the Hubble UI to visualize some part of, of Tetragon, I think. So Hubble UI is a project, at the beginning it was done for Cilium to visualize flows, visualize, have an observability thing on top of Cilium. I think some part of it, I'm not 100% sure, that you can use with Tetragon to visualize, like, process execution and this kind of stuff.
B
But it's mostly, as, as of now, it's mostly rewriting these events to this file and you have to process them. So one way of thinking about it is to fetch these files, retrieve those events, put them in some database and perform some, then perform some queries on them to actually see what's happening inside of the cluster.
B
But this is out of the scope of Tetragon, as Falco Sidekick is out of the scope of Falco, because it's its own separate thing. Tetragon only on the export to, to a file, and yeah, I just wanted to show you that the reason why we are seeing the events in the, in the container named export-stdout, that if we, if we just look at the, at the deployments, we can see that we have three containers, and yeah.
B
I hope I answered the question. So if I get back to my little demonstration about labels here, we, we are in a situation where we can use the syscall, no reason, no problem. Tetragon does not emit an event and Tetragon does not overwrite the return value of the syscall. But the idea is that we can label this.
B
This pod, the sleepy pod in the default namespace, with the app, the label with the value sleeper, and if we do that, we end up in a situation where, sorry, if we exec again into sleepy and we do uname -a, it gets "cannot get system name: Operation not permitted", and what happened in the background, if we just trace execution, so just like that.
B
B
We can use this syscall again and it's not blocked anymore by Tetragon, and it does not emit an event. So I hope this showed the, the way you can use this tracing policy. You can apply tracing policy at cluster-wide, cluster-wide level, basically apply that, that policy on everything, you can apply that by namespace and you can apply very specifically using Kubernetes labels.
B
A
Yeah, sure, okay, so if you have any other things to present, you can do that as well. Yeah, we have time, but yeah, there's something, some query from my end as well, like how is Tetragon filtering different than other projects. So to add something like that.
B
Yeah, yeah, so on the filtering side, so the, so what I showed you, I don't know if I sh, no, maybe let's just discuss like that. So the thing with Tetragon is that the, the filtering, all the filtering happens kernel side with the BPF programs. So the, the main difference with some other projects, that with a lot of projects, what happens is that they create some events from the kernel because they have to hook into some part of the kernel via kprobes, via tracepoints, and things like that.
B
So they create some events. They push these events to user space where an agent can enroll them, and then they treat, like, the filtering in user space. So they push everything, all the activity, out of the kernel space, do the filtering on the user space and then, maybe, maybe optionally, they react to, to those events. With Tetragon it's a bit different because it's using BPF, it has the ability to hook the event, of course, like the other solutions are doing, but the, the filtering and everything happens on the kernel side.
B
So the event is never emitted, as is, from kernel side to user side, user space. It's, it's filter, it's filtered straight from, so from the, the kernel side. So, if I show you, for example, the, the demonstration I showed with the, this one, I think, yeah.
B
This one has some filtering enabled, so basically hooking this syscall and passing the arguments, the string, the integer and the other string, and trying to do some filtering on top of the first argument. So what happens is that this comparison of the prefix of this argument will happen on the BPF side in the kernel.
B
So it's pretty nice because from, from this, you will get less overhead than with something that will export everything and do the filtering in user space because, like, less events were emitted and it's, like, more efficient to do everything straight from the kernel. And on top of that, if you are doing some filtering and you want to do some enforcement, like I showed you with override, with Central one.
B
It's asynchronous, and there will be some time when the application will be able to perform these actions before you actually do the enforcement. So with Tetragon it's different, because everything happens on the kernel side, we are, we are, we can do this action immediately, synchronously, before it actually happens. So what I showed you here is that I wanted to hook this specific syscall. What happened is that Tetragon hooked at the very beginning of the call of this kernel function, which happens to be a syscall, and the override actually replaced the function.
B
A
Yeah, so yeah, okay, so here another question: can Tetragon emit these audit logs as Kubernetes events?
B
Oh yeah, so I, I don't think so at the moment, I'm not aware of that, so I would say no, but yeah. No, they are exclusively these, these events that are, like, these JSON events in the file. So this, those are not, like, Kubernetes events, and I am, yeah, I don't know, I don't know if that would be a good idea and what would be the use case for that, but if the person wants to discuss that in, in further detail.
B
You can of course ask the question. So by the way, I didn't speak about that. If you want to, if you have any question, like, during this session or after this session, you have the repository where you can, like, open issues, but on top of that you have the, the Slack, the Cilium Slack, in which we have a Tetragon-specific channel in which you can ask any question you want. So if you want to start using Tetragon, it's a good way of getting started, you can.
B
The documentation is the good. If you have some troubles and stuff, you can ask your question on the Slack, and later on, if you want to write some tracing policy and something is not working or you don't understand why your tracing policy is not, then, of course, go on the Cilium Slack and interact with us to ask, maybe see. Oh, it's the best way of doing that kind of stuff, or, and so, and so, so yeah, yeah.
A
Okay, so I think another question, like: can this be used for cluster-wide check for indication of compromise, given we have some SHA, or add some custom tracing policy to check for some inbound or outbound traffic and deny such kind of connectivity over any protocol?
B
Yeah, so I, I, I'm not sure I got the, the whole question, but just for the beginning of the question, like, can this be used as a way of detecting, like, malicious activity?
A
B
Yeah, yeah, so the answer is yes, then it's, the, the only question, then, is how you, what's your indication of compromise. So if you're, in your, in your case, your indication of compromise is, I don't know, like, triggering some kernel function, some syscall with specific arguments, that's a way of writing a tracing policy that will catch that. So you can retrieve the, the events. What's on top of my mind, so this is like very specified.
B
So, for example, I don't know, the, yeah, for example, you could try to catch the syscall that allows you to create a user namespace, if someone is, like, exploiting user namespaces to, to do some exploit afterwards, this kind of stuff. But there is something else that goes to my mind, like, you can also, like, retrieve all the logs of process execution and try to filter on top of them to find some indication of compromise, whatever it is, to, to see if, like, some bad stuff was executed inside of your, your cluster generally.
B
So this comes without any Trace, like, the process execution, and maybe it's already enough for you to see what's happened cluster-wide and, and when and, and, and how. So the, the idea is that you will get process events, like I showed in, at the very beginning, process exec and process exit, and you will get a lot of metadata information to evaluate if it's, like, a confirmation or, or just normal activity, so I would say.
B
A
Said I guess: there's simplistic.
B
Oh, the requirements. So basically the, the requirements, I, I don't have the exact insurance, but Tetragon, the, the, like, the thing it needs is BTF support. So BTF is like this, this, maybe I don't need to show my screen, yeah. So yeah, BTF is like this file in the kernel that describes all the structures of the kernel, and Tetragon needs that to load its BPF programs. So you, you need that.
B
What is nice is that most recent kernels in most, like, mainstream distributions have BTF enabled by default now, so I guess this is one of the, of the requirements.
B
B
But otherwise, if you want to deploy that on an AKS, ATS cluster, I don't see any particular requirements.
B
Yeah, you just basically deploy the Helm chart, it will deploy the DaemonSet and then you can, you can figure it out and see what you want to do, but I would say that that's pretty enough. Then there, there is maybe, like, yeah, it depends on your, your, your cluster, but the more recent kernel version you deploy Tetragon on, the more features you will be able to use on BPF and, and the more, like, yeah, features you will have access to, but I guess.
B
B
A
B
Think, I think the question, it's interesting, like, I think the question is about the behavior of the tracing policy when you are, like, writing ambiguous selectors, maybe, like, selectors with, like, contradictory, contradictory selectors, this kind of stuff. So this is a pretty good question. You have this, this part in the, the tracing policy that is about the selector semantics, so it tries to explain how selectors are associated. So in this example, do you, I mean, you don't see my screen?
B
Sorry, let me share. So in the tracing policies, or documentation, you have this thing called selector semantic, it's at the end, and it shows how selectors are associated between, like, each of them, and how, like, the relationship, like, what happens if I put multiple values, is it an OR, an AND, and this kind of stuff. So you can have more information there, but for, like, very complex and very advanced use cases, I.
B
A
There was another query, but you actually answered that question also, but I also want to mention about that. Because maths question, basically, like: would you mind just showing the YAML file where you were able to block on specific arguments, either able to block or it is a password but other symlinks were hello. So, and also, when you were answering some queries, he actually bought the answer as well. So I just mentioned that question, and also, okay, yeah.
B
Okay, yeah, so I just want to say something. If you want to see more tracing policies, because the ones I showed were very basic, you have a few use cases here. This is the network thing I showed you; you also have file access and, more interestingly, Linux process credentials, things related to credentials. But in the Tetragon repository you have this example folder with tracing policies, and you have a bunch of them there with more, I.
B
Let's say if, like, this one, with the more, like, complex specification, with more selectors, different actions, and this kind of stuff. So it can be nice to try those to get familiar with Tetragon, and you don't need a Kubernetes cluster as well to run Tetragon. You can run Tetragon on Linux. There is a guide in the documentation.
A
Okay, so we have another question as well, so there are a lot of questions coming up. That's awesome! So there's a request, Cilium to be used or deployed.
B
A
B
No, so at the moment, some of the metadata are used using Cilium, but we have, like, actually, I think, a CNCF intern working on a project about how we could completely remove the dependency on Cilium. But at the moment you will just get a little bit less information on some metadata, I don't know exactly which one, but the idea is that Tetragon is a standalone project and you can completely run Tetragon without Cilium. I mean, you can run Cilium without Tetragon.
A
Okay, so I think that we have ended up and there are no questions left, right? Okay, so if you have anything that you would like to add related to Tetragon, because you have already mentioned how to contract and, if there are any queries, how to hit the issue or something like that, but if there is anything you would like to add, you can just add it right now, yeah, like if someone wants to contribute as well or something like that. Yeah.
B
Yeah, sure. So yeah, I already said that, but of course you could, I think, the two stops that you can get to are the repository and the website. On the website, you will find links to the Cilium Slack, which is a really nice entry point to ask the team about stuff and to speak between community people, like, using Tetragon.
B
Some people are actually helping people in there, which is pretty nice, and I'm pretty often answering questions in there. And if you want to contribute to Tetragon, we have a bunch of good first issues, so you can basically go to the repository, and I put first issues, and you will find some stuff that you can do. I put some stuff about documentation because it's a nice way to get familiar with Tetragon, and we need, like, more documentation and better documentation.
B
So if you want to help the project, it's a really nice way to start, but yeah, I think that's pretty much it on how to interact with the project.
A
B
So if you want to use Tetragon, not really, no, because you can just add Tetragon and start to see the process executions, which are automatically enabled and everything, so you don't need a prerequisite; like, the execution was already crafted by people writing Tetragon. As a user, if you want to start to write tracing policies, you might need some kernel knowledge, because you will need to understand what is a kprobe, what is a tracepoint.
B
If you want to participate in the project as a developer, a contributor, I guess, if you just want to make some PRs to get familiar with the project, you don't need plenty of knowledge. Like, for example, in the good first issue I showed, there is some documentation about how do you read Tetragon metrics, for example, like the Prometheus metrics. So if you want to write such a guide, it will be very helpful.
B
We have some documentation that you can write a new with very basic knowledge. You will just, like, get to learn Tetragon and learn about it, and then, if you want to start contributing on code contribution, it might require some knowledge in the user space, maybe less than the BPF part. But the BPF part is the BTS part. So you'll have to know about BPF a little bit to contribute on that part, for sure.
A
Yes, so these, I guess, they're, okay, yeah, so yeah, right. Thank you so much for a great session and a lot of questions. Thank you so much, guys, for being responsive and asking so many questions. It was really awesome, so I guess we can now end the session, yeah, okay, so yeah. So let's end this conversation. Thanks, okay, okay! So thanks, everyone, for joining the latest episode of Cloud Native Live. We enjoyed the interaction and questions from the audience.