# eBPF Agent Configuration
The CloudTaser eBPF agent runs as a DaemonSet on every node in the cluster. It loads eBPF programs into the kernel to enforce secret protection at runtime -- detecting and optionally blocking attempts to exfiltrate secrets from protected pods.
## Environment Variables

### Core Configuration

#### EBPF_OBJECT_PATH
| Required | No |
| Default | /opt/cloudtaser/ebpf/cloudtaser.bpf.o |
Path to the pre-compiled eBPF object file. The default path is set by the container image. Override only when using custom-built eBPF programs.
#### ENFORCE_MODE
| Required | No |
| Default | detect |
| Values | detect, enforce |
Controls whether the agent only detects security events or actively blocks them.
| Mode | Behaviour |
|---|---|
| `detect` | Events are logged and reported to the platform, but no action is taken to block them. Use this mode during initial rollout to evaluate the impact before enforcement. |
| `enforce` | The agent actively blocks detected exfiltration attempts by denying syscalls. Operations that would leak secrets are terminated. |

> **Start with detect mode**
> Deploy in detect mode first and monitor the event log for false positives. Once you have verified that legitimate application behaviour is not flagged, switch to enforce mode.
#### LOG_ALL
| Required | No |
| Default | false |
| Values | true, false |
When enabled, the agent logs all observed syscalls for protected pods, not just security-relevant events. This is useful for debugging but generates significant log volume.
> **Performance impact**
> Enabling `LOG_ALL` in production can degrade node performance and fill log storage quickly. Use only for targeted debugging on specific nodes.
#### REACTIVE_KILL
| Required | No |
| Default | false |
| Values | true, false |
When enabled alongside ENFORCE_MODE=enforce, the agent sends SIGKILL to processes that trigger security events, immediately terminating the offending process. Without this, the agent blocks the syscall but allows the process to continue.
#### GLOBAL_PRIVESC_DETECT
| Required | No |
| Default | false |
| Values | true, false |
Enables privilege escalation detection for all processes on the node, not just CloudTaser-protected pods. When enabled, the agent monitors for attempts to gain elevated privileges across the entire node.
### Network Configuration

#### GRPC_LISTEN_ADDR
| Required | No |
| Default | unix:///var/run/cloudtaser/ebpf.sock |
The gRPC address where the agent listens for registration requests from the wrapper. The wrapper connects to this address at startup to register its process for eBPF protection.
#### HEALTH_LISTEN_ADDR
| Required | No |
| Default | :8082 |
The address for the agent's health check endpoint.
- `GET /healthz` -- Returns `200 OK` when the agent is running and eBPF programs are loaded.
- `GET /readyz` -- Returns `200 OK` when the agent is ready to accept wrapper registrations.
### Platform Integration

#### PLATFORM_ENDPOINT
| Required | No |
| Default | -- |
The CloudTaser Platform endpoint for reporting security events. When set, the agent streams events to the platform for centralized monitoring, alerting, and audit logging.
#### NODE_NAME
| Required | No |
| Default | -- |
The Kubernetes node name, typically populated from the downward API. Used to identify the source node in event reports.
#### POD_NAMESPACE
| Required | No |
| Default | -- |
The namespace where the eBPF agent pod is running. Used for leader election and service discovery.
## Environment Variable Reference Table

| Variable | Required | Default | Description |
|---|---|---|---|
| `EBPF_OBJECT_PATH` | No | `/opt/cloudtaser/ebpf/cloudtaser.bpf.o` | eBPF object file path |
| `ENFORCE_MODE` | No | `detect` | Detection or enforcement |
| `LOG_ALL` | No | `false` | Log all syscalls |
| `REACTIVE_KILL` | No | `false` | Kill offending processes |
| `GLOBAL_PRIVESC_DETECT` | No | `false` | Node-wide privilege escalation detection |
| `GRPC_LISTEN_ADDR` | No | `unix:///var/run/cloudtaser/ebpf.sock` | Wrapper registration socket |
| `HEALTH_LISTEN_ADDR` | No | `:8082` | Health endpoint address |
| `PLATFORM_ENDPOINT` | No | -- | Platform reporting endpoint |
| `NODE_NAME` | No | -- | Kubernetes node name |
| `POD_NAMESPACE` | No | -- | Agent pod namespace |
## Detected Event Types
The eBPF agent monitors 19 event types across four categories: file system, network, process, and kernel.
### File System Events

| Event Type | Description |
|---|---|
| `file_write` | A protected process attempted to write secret data to a file on disk. |
| `proc_write_denied` | A write to `/proc` was blocked (e.g., attempting to modify another process's environment). |
### Network Events

| Event Type | Description |
|---|---|
| `net_send` | A protected process attempted to send data over a network socket to an unexpected destination. |
| `dns_exfil` | DNS queries that encode secret data in query names (DNS exfiltration). |
| `zerocopy_exfil` | Attempt to exfiltrate data via zero-copy network operations (`sendfile`, `splice`). |
### Process Events

| Event Type | Description |
|---|---|
| `proc_exec` | A protected process spawned a child process (potential secret exfiltration via command arguments). |
| `secret_leak` | Explicit detection of secret material in syscall arguments (file writes, network sends). |
| `environ_read` | Another process attempted to read the protected process's `/proc/pid/environ`. |
| `procmem_read` | Another process attempted to read the protected process's `/proc/pid/mem`. |
| `procinfo_read` | Another process read `/proc/pid/maps` or similar informational files of a protected process. |
| `ptrace_denied` | A ptrace attach to a protected process was blocked. |
| `vmreadv_denied` | A `process_vm_readv` call targeting a protected process was blocked. |
| `child_fork` | A protected process called `fork()` or `clone()` (tracked for process tree monitoring). |
### Kernel Events

| Event Type | Description |
|---|---|
| `devmem_denied` | Access to `/dev/mem` or `/dev/kmem` was blocked. |
| `module_load` | A kernel module load was detected on a node running protected pods. |
| `bpf_load` | A new eBPF program was loaded (potential tampering with CloudTaser's own eBPF programs). |
| `perf_event_denied` | A `perf_event_open` call was blocked (prevents performance counter-based side channels). |
| `iouring_denied` | An io_uring setup was blocked for a protected process (prevents bypassing syscall monitoring). |
| `userfaultfd_denied` | A userfaultfd setup was blocked (prevents exploitation of page fault handling). |
## Event Flow

```text
Protected Pod                   eBPF Agent                    Platform
      │                              │                            │
      │  wrapper registers via gRPC  │                            │
      ├─────────────────────────────►│                            │
      │                              │ attach eBPF probes         │
      │                              ├──────┐                     │
      │                              │◄─────┘                     │
      │                              │                            │
      │  syscall from app process    │                            │
      ├─────────────────────────────►│                            │
      │                              │ evaluate against policy    │
      │                              ├──────┐                     │
      │                              │◄─────┘                     │
      │                              │                            │
      │  (enforce: block syscall)    │ report event               │
      │◄─────────────────────────────┤───────────────────────────►│
      │                              │                            │
```
## DaemonSet Configuration Example

```yaml
ebpf:
  image:
    repository: europe-docker.pkg.dev/skipops/cloudtaser/ebpf
    tag: "v0.1.0"
  enforceMode: "detect"
  reactiveKill: false
  globalPrivescDetect: false
  resources:
    requests:
      cpu: "50m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "512Mi"
  tolerations:
    - operator: "Exists"
  hostPID: true
  volumes:
    - name: ebpf-sock
      hostPath:
        path: /var/run/cloudtaser
        type: DirectoryOrCreate
    - name: bpf-fs
      hostPath:
        path: /sys/fs/bpf
        type: Directory
```

> **Privileged access**
> The eBPF agent requires `hostPID: true` and `CAP_BPF` / `CAP_PERFMON` capabilities (or runs as privileged) to load eBPF programs into the kernel. This is a hard requirement of eBPF-based security tools.
## Kernel Requirements

The eBPF agent requires a Linux kernel with BPF support. Minimum requirements:

| Feature | Minimum Kernel | Notes |
|---|---|---|
| Core eBPF tracing | 5.4+ | Required for all event types |
| `bpf_get_current_cgroup_id` | 5.7+ | Required for per-pod filtering |
| `memfd_secret` detection | 5.14+ | Required for `procmem_read` protection of memfd-backed secrets |
| io_uring monitoring | 5.15+ | Required for `iouring_denied` events |
See Kernel Compatibility for a matrix of managed Kubernetes providers and their kernel versions.
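The following pre-rollout check is an added example, not CloudTaser project code: it applies the variable semantics from the Environment Variables section (the `ENFORCE_MODE` / `REACTIVE_KILL` / `LOG_ALL` / `PLATFORM_ENDPOINT` interplay) and the Kernel Requirements table above to an agent environment and a node's `uname -r` string, and reports what will be a no-op or unavailable. The environment dict and kernel release string are constructed sample input.

```python
"""Added example (not CloudTaser project code): pre-rollout checks for the
eBPF agent's environment, based on the variable semantics and the Kernel
Requirements table on this page."""
import re

# Minimum kernel per feature, taken from the Kernel Requirements table.
KERNEL_REQUIREMENTS = {
    "core eBPF tracing": ((5, 4), "required for all event types"),
    "bpf_get_current_cgroup_id": ((5, 7), "per-pod filtering"),
    "memfd_secret detection": ((5, 14), "procmem_read protection of memfd-backed secrets"),
    "io_uring monitoring": ((5, 15), "iouring_denied events"),
}

def parse_kernel(release: str) -> tuple:
    """Reduce a `uname -r` string such as '5.10.0-26-cloud-amd64' to (5, 10)."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)))

def missing_kernel_features(release: str) -> list:
    """Features the table says this kernel cannot provide (in table order)."""
    ver = parse_kernel(release)
    return [name for name, (minimum, _) in KERNEL_REQUIREMENTS.items() if ver < minimum]

def lint_agent_env(env: dict, release: str) -> list:
    """Return warning strings for an agent env + node kernel; [] means clean."""
    warnings = []
    mode = env.get("ENFORCE_MODE", "detect")  # page default
    if mode not in ("detect", "enforce"):
        warnings.append(f"ENFORCE_MODE={mode!r} is not one of detect, enforce")
    if env.get("REACTIVE_KILL", "false") == "true" and mode != "enforce":
        warnings.append("REACTIVE_KILL=true only acts alongside ENFORCE_MODE=enforce")
    if env.get("LOG_ALL", "false") == "true":
        warnings.append("LOG_ALL=true logs every syscall of protected pods; keep to targeted debugging")
    if not env.get("PLATFORM_ENDPOINT"):
        warnings.append("PLATFORM_ENDPOINT unset: events are not streamed to the platform")
    for name in missing_kernel_features(release):
        (major, minor), purpose = KERNEL_REQUIREMENTS[name]
        warnings.append(f"kernel {release} < {major}.{minor}: no {name} ({purpose})")
    return warnings

if __name__ == "__main__":
    # Constructed sample: detect-mode rollout with REACTIVE_KILL and LOG_ALL
    # switched on, scheduled onto a node with an older kernel.
    sample = {"ENFORCE_MODE": "detect", "REACTIVE_KILL": "true", "LOG_ALL": "true"}
    for warning in lint_agent_env(sample, "5.10.0-26-cloud-amd64"):
        print("WARN:", warning)
```

Run it against the env block of the deployed DaemonSet and the kernel reported by each node pool before switching to enforce mode.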