The EI eBPF Agent allows collecting and aggregating all the ingress and egress flows on a Linux host (required a Kernel 4.18+ with eBPF enabled).
make build
To build the agent image and push it to your Docker / Quay repository, run:
IMG=quay.io/myaccount/ei-ebpf-agent:dev make image-build image-push
The eBPF Agent is configured by means of environment variables. Check the configuration documentation for more details.
sudo -E bin/ei-ebpf-agent
To deploy it as a Pod, you can check the deployment examples.
The Agent needs to be executed either with:
- The following Linux capabilities
(recommended way):
BPF
,PERFMON
,NET_ADMIN
,SYS_RESOURCE
. If you deploy it in Kubernetes or OpenShift, the container running the Agent needs to define the followingsecurityContext
:(Please notice that thesecurityContext: runAsUser: 0 capabilities: add: - BPF - PERFMON - NET_ADMIN - SYS_RESOURCE
runAsUser: 0
is still needed). - Administrative privileges. If you
deploy it in Kubernetes or OpenShift,
the container running the Agent needs to define the following
securityContext
:This option is only recommended if your Kernel does not recognize some of the above capabilities. We found some Kubernetes distributions (e.g. K3s) that do not recognize thesecurityContext: privileged: true runAsUser: 0
BPF
andPERFMON
capabilities.
Here is a list of distributions where we tested both full privileges and capability approaches, and whether they worked (✅) or did not (❌):
Distribution | K8s Server version | Capabilities | Privileged |
---|---|---|---|
Amazon EKS (Bottlerocket AMI) | 1.22.6 | ✅ | ✅ |
K3s (Rancher Desktop) | 1.23.5 | ❌ | ✅ |
Kind | 1.23.5 | ❌ | ✅ |
OpenShift | 1.23.3 | ✅ | ✅ |
The eBPF program is embedded into the pkg/ebpf/bpf_*
generated files.
This step is generally not needed unless you change the C code in the bpf
folder.
If you have Docker installed, you just need to run:
make docker-generate
If you can't install docker, you should locally install the following required packages:
dnf install -y kernel-devel make llvm clang glibc-devel.i686
make generate
Tested in Fedora 35 and Red Hat Enterprise Linux 8.