Session

Detecting and Blocking a Sophisticated Kubernetes Attack in Real Time

As Kubernetes adoption continues to explode, the threat actors working on attacks are growing
in sophistication. Simple mitigations and security best practices alone are no longer sufficient to
protect production workloads. While tools like vulnerability scanning, signed container images,
and distroless containers help, constant monitoring must take place in a running environment to
ensure it remains safe from compromise.

eBPF, an emerging Linux kernel technology, provides us with unique visibility directly into any
Kubernetes pod. Because pods on a node share a single kernel, a single eBPF program has full
visibility into the entire node’s workloads. We’ll show how using such a program gives us the
network and process-level visibility to detect and block a live, sophisticated in-memory attack on
our cluster. We’ll finish by showcasing how security teams can easily put these same tools to
use to protect their critical Kubernetes environments from threats.

Natalia Reka Ivanko

Security Product Lead
