The EI eBPF Agent allows collecting and aggregating all the ingress and egress flows on a Linux host (required a Kernel 4.18+ with eBPF enabled).
make build
To build the agent image and push it to your Docker / Quay repository, run:
IMG=quay.io/myaccount/ei-ebpf-agent:dev make image-build image-pushThe eBPF Agent is configured by means of environment variables. Check the configuration documentation for more details.
sudo -E bin/ei-ebpf-agent
To deploy it as a Pod, you can check the deployment examples.
The Agent needs to be executed either with:
- The following Linux capabilities
(recommended way):
BPF,PERFMON,NET_ADMIN,SYS_RESOURCE. If you deploy it in Kubernetes or OpenShift, the container running the Agent needs to define the followingsecurityContext:(Please notice that thesecurityContext: runAsUser: 0 capabilities: add: - BPF - PERFMON - NET_ADMIN - SYS_RESOURCE
runAsUser: 0is still needed). - Administrative privileges. If you
deploy it in Kubernetes or OpenShift,
the container running the Agent needs to define the following
securityContext:This option is only recommended if your Kernel does not recognize some of the above capabilities. We found some Kubernetes distributions (e.g. K3s) that do not recognize thesecurityContext: privileged: true runAsUser: 0
BPFandPERFMONcapabilities.
Here is a list of distributions where we tested both full privileges and capability approaches, and whether they worked (✅) or did not (❌):
| Distribution | K8s Server version | Capabilities | Privileged |
|---|---|---|---|
| Amazon EKS (Bottlerocket AMI) | 1.22.6 | ✅ | ✅ |
| K3s (Rancher Desktop) | 1.23.5 | ❌ | ✅ |
| Kind | 1.23.5 | ❌ | ✅ |
| OpenShift | 1.23.3 | ✅ | ✅ |
The eBPF program is embedded into the pkg/ebpf/bpf_* generated files.
This step is generally not needed unless you change the C code in the bpf folder.
If you have Docker installed, you just need to run:
make docker-generate
If you can't install docker, you should locally install the following required packages:
dnf install -y kernel-devel make llvm clang glibc-devel.i686
make generate
Tested in Fedora 35 and Red Hat Enterprise Linux 8.