The CNCF landscape offers various eBPF-based security tools like Falco, Tetragon, and KubeArmor to secure Kubernetes clusters. While they seem similar, choosing the right one can be challenging. Join this session for insights from our extensive benchmarks, covering key questions: features, performance impact, required privileges, and pros/cons of each solution. Gain clarity to select the best fit for your needs!

Taking control of a cluster almost always starts with taking control of a single container. Because a container is technically just a process running on a worker node, we usually assign our workloads limited permissions so that a compromised process cannot discover information that would help an attacker. But, as with a burglar, every security system has a weakness; that is why we need "sensors" to detect suspicious movement in our cluster, so that we can react and limit the risk of being robbed. In the CNCF landscape there are currently several solutions that help us limit these risks: Falco, Tetragon, KubeArmor... In this competitive runtime security landscape, the community is grappling with a common dilemma: which solution should I use? To address this question comprehensively, a benchmark has been conducted, and its results will be shared with the community. The benchmark's focus is narrowed down to three key aspects:

- the type of permissions required to run each solution
- the experience when configuring those solutions
- the type of information carried by the events raised
- the features covered by each solution
- and last, the resource usage of each solution

The benchmark uses a vulnerable application deployed in a cluster, together with a container that tries to run suspicious commands.

After this presentation, attendees should have a clear understanding of how Falco, Tetragon and KubeArmor compare, focusing on:

- the configuration
- the performance behavior
- the type of information provided
- the features covered by the solutions

The complete benchmark will be accessible on GitHub, allowing the community to delve into the numerical data after the presentation.