<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Installation and Configuration on Tetragon - eBPF-based Security Observability and Runtime Enforcement</title>
    <link>/docs/installation/</link>
    <description>Recent content in Installation and Configuration on Tetragon - eBPF-based Security Observability and Runtime Enforcement</description>
    <generator>Hugo</generator>
    <language>en</language>
    <atom:link href="/docs/installation/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Deploy on Kubernetes</title>
      <link>/docs/installation/kubernetes/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/installation/kubernetes/</guid>
      <description>The recommended way to deploy Tetragon on a Kubernetes cluster is to use the Helm chart with Helm 3. Tetragon uses the helm.cilium.io repository to release the helm chart.&#xA;Install To install the latest release of the Tetragon helm chart, use the following command.&#xA;Note You can find the chart and its documentation with all available values for configuration in install/kubernetes/tetragon in the Tetragon repository. You can use any of the values and override them with --set KEY1=VALUE1,KEY2=VALUE2.</description>
    </item>
    <item>
      <title>Deploy as a container</title>
      <link>/docs/installation/container/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/installation/container/</guid>
      <description>Install Stable versions To run a stable version, check the Tetragon quay repository and select the version you want. For example, to run the latest version, which is currently v1.6.0:&#xA;docker run --name tetragon --rm -d \ --pid=host --cgroupns=host --privileged \ -v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \ quay.io/cilium/tetragon:v1.6.0 Unstable-development versions To run unstable development versions of Tetragon, use the latest tag from Tetragon-CI quay repository. This will run the image that was built from the latest commit available on the Tetragon main branch.</description>
    </item>
    <item>
      <title>Deploy with a package</title>
      <link>/docs/installation/package/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/installation/package/</guid>
      <description>Install Tetragon will be managed as a systemd service. Tarballs are built and distributed along the assets in the releases.&#xA;Note Tetragon as of version 1.0 supports amd64 and arm64 architectures. First download the latest binary tarball, using curl for example to download the amd64 release:&#xA;curl -LO https://github.com/cilium/tetragon/releases/download/v1.6.0/tetragon-v1.6.0-amd64.tar.gz Extract the downloaded archive, and start the install script to install Tetragon. Feel free to inspect the script before starting it.</description>
    </item>
    <item>
      <title>Configure Runtime Hooks</title>
      <link>/docs/installation/runtime-hooks/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/installation/runtime-hooks/</guid>
      <description>See Tetragon Runtime Hooks for an introduction to the topic.&#xA;Install Tetragon with Runtime Hooks We use minikube as the example platform because it supports both cri-o and containerd, but the same steps can be applied to other platforms.&#xA;Setup cluster minikube with CRI-O minikube with Containerd kind (with Containerd) minikube start --driver=kvm2 --container-runtime=cri-o minikube start --driver=kvm2 --container-runtime=containerd Tetragon Runtime Hooks use NRI. NRI is enabled by default starting from containerd version 2.</description>
    </item>
    <item>
      <title>Install tetra CLI</title>
      <link>/docs/installation/tetra-cli/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/installation/tetra-cli/</guid>
      <description>This guide presents various methods to install tetra in your environment.&#xA;Install the latest release Autodetect your environment This shell script autodetects the OS and the architecture, downloads the archive of the binary and its SHA-256 digest, compares the actual digest with the expected one, installs the binary, and removes the download artifacts.&#xA;Note This installation method requires a working Go toolchain and the curl(1) and sha256sum(1) utilities. For Go, see how to install the latest Go release. The curl and checksum utilities are usually shipped with common Linux distributions; otherwise you can usually find them in the curl and coreutils packages, respectively.</description>
    </item>
    <item>
      <title>Verify installation</title>
      <link>/docs/installation/verify/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/installation/verify/</guid>
      <description>Verify Tetragon image signature Learn how to verify Tetragon container image signatures.&#xA;Prerequisites You will need to install cosign.&#xA;Verify Signed Container Images Since version 0.8.4, all Tetragon container images are signed using cosign.&#xA;Let's verify a Tetragon image's signature using the cosign verify command:&#xA;cosign verify --certificate-github-workflow-repository cilium/tetragon --certificate-oidc-issuer https://token.actions.githubusercontent.com &lt;Image URL&gt; | jq Note If you are using cosign &lt; v2.0.0, you must set the COSIGN_EXPERIMENTAL=1 environment variable to allow verification of images signed in KEYLESS mode.</description>
    </item>
    <item>
      <title>Configure Tetragon</title>
      <link>/docs/installation/configuration/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/installation/configuration/</guid>
      <description>Depending on your deployment mode, Tetragon configuration can be changed by:&#xA;Kubernetes Docker systemd kubectl edit cm -n kube-system tetragon-config # Change your configuration setting, save and exit # Restart Tetragon daemonset kubectl rollout restart -n kube-system ds/tetragon # Change configuration inside /etc/tetragon/ then restart container. # Example: # 1. As a privileged user, write to the file /etc/tetragon/tetragon.conf.d/export-file # the path where to export events, example &quot;/var/log/tetragon/tetragon.log&quot; # 2. Bind mount host /etc/tetragon into container /etc/tetragon # Tetragon events will be exported to /var/log/tetragon/tetragon.</description>
    </item>
    <item>
      <title>Metrics</title>
      <link>/docs/installation/metrics/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/installation/metrics/</guid>
      <description>Tetragon exposes a number of Prometheus metrics that can be used for two main purposes:&#xA;Monitoring the health of Tetragon itself Monitoring the activity of processes observed by Tetragon For the full list, refer to metrics reference.&#xA;Enable/Disable Metrics Kubernetes In a Kubernetes installation, metrics are enabled by default and exposed via the endpoint /metrics. The tetragon service exposes the Tetragon Agent metrics on port 2112, and the tetragon-operator-metrics service the Tetragon Operator metrics on port 2113.</description>
    </item>
    <item>
      <title>FAQ</title>
      <link>/docs/installation/faq/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/installation/faq/</guid>
      <description>What is the minimum Linux kernel version to run Tetragon? Tetragon needs Linux kernel version 4.19 or greater.&#xA;We currently run tests on stable long-term support kernels 4.19, 5.4, 5.10, 5.15 and bpf-next, see this test workflow for up to date information. Not all Tetragon features work with older kernel versions. BPF evolves rapidly and we recommend you use the most recent stable kernel possible to get the most out of Tetragon's features.</description>
    </item>
  </channel>
</rss>
