kubernetes

3rd chunk of `content/en/blog/_posts/2017-12-00-Using-Ebpf-In-Kubernetes.md`
![](https://lh6.googleusercontent.com/47C76UqCrrDr5O8wand6jESyFzx1SP4SQ_jVWiAhN5ctAEefz9e0orgmu0Q_2681QhcxJDfMQbn3HcRZYZN_QiPjKfXMo5Kt6XuXPjRGAoc_j2x7yC_9Un5JIoVt1Aa-DCHl-DUu)  

Weave Scope employs an agent that runs on each node of a cluster. The agent monitors the system, generates a report and sends it to the app server. The app server compiles the reports it receives and presents the results in the Weave Scope UI.  

To accurately draw connections between containers, the agent attaches a BPF program to kprobes that track socket events: opening and closing connections. The BPF program, [tcptracer-bpf](https://github.com/weaveworks/tcptracer-bpf), is compiled into an ELF object file and loaded using [gobpf](https://github.com/iovisor/gobpf).  

(As a side note, Weave Scope also has a plugin that makes use of eBPF: [HTTP statistics](https://github.com/weaveworks-plugins/scope-http-statistics).)  

To learn more about how this works and why it's done this way, read [this extensive post](https://www.weave.works/blog/improving-performance-reliability-weave-scope-ebpf/) that the [Kinvolk](https://kinvolk.io/) team wrote for the [Weaveworks Blog](https://www.weave.works/blog/). You can also watch [a recent talk](https://www.youtube.com/watch?v=uTTFUpT0Sfw&list=PLWYdJViL9Eio5o5j4Uth_-Mt0FPrYXNwx) about the topic.  

## Limiting syscalls with seccomp-bpf
Linux has more than 300 system calls (read, write, open, close, etc.) available for use—or misuse. Most applications only need a small subset of syscalls to function properly. [seccomp](https://en.wikipedia.org/wiki/Seccomp) is a Linux security facility used to limit the set of syscalls that an application can use, thereby limiting potential misuse.  

The original implementation of seccomp was highly restrictive. Once applied, if an application attempted to do anything beyond reading and writing to files it had already opened, seccomp sent a `SIGKILL` signal.  

[seccomp-bpf](https://blog.yadutaf.fr/2014/05/29/introduction-to-seccomp-bpf-linux-syscall-filter/) enables more complex filters and a wider range of actions. Seccomp-bpf, also known as seccomp mode 2, allows for applying custom filters in the form of BPF programs. When the BPF program is loaded, the filter is applied to each syscall and the appropriate action is taken (Allow, Kill, Trap, etc.).  
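To make the mode 2 mechanism concrete, here is an added C example (not code from this post, from Weave Scope or from the linked seccomp-bpf write-up) that builds a small allow-list filter as a classic BPF program, evaluates it in user space with a tiny interpreter so the decision for each syscall can be inspected, and then installs it with `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...)`. The four-entry allow-list, the `decide` helper and the `evaluate` interpreter are constructed for this illustration; once installed, the kernel runs the same program on every syscall and applies the returned action (ALLOW, ERRNO or KILL here).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* A seccomp filter should pin the architecture first: syscall numbers differ
 * between ABIs, so a filter written for one ABI can be sidestepped via another. */
#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Constructed allow-list for this example: what a tiny program that only reads,
 * writes and exits needs. Every other syscall fails with EPERM instead of running. */
static const uint32_t allowed[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group };
#define NUM_ALLOWED ((int)(sizeof(allowed) / sizeof(allowed[0])))
#define FILTER_LEN  (6 + NUM_ALLOWED)
#define DENY_ACTION (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

static struct sock_filter ins(uint16_t code, uint8_t jt, uint8_t jf, uint32_t k)
{
    struct sock_filter f = { code, jt, jf, k };
    return f;
}

/* Emit the classic-BPF program into buf and return its length in instructions.
 * Layout: [arch check] [load nr] [one JEQ per allowed syscall] [RET ERRNO] [RET ALLOW]. */
static int build_filter(struct sock_filter *buf, int cap)
{
    if (cap < FILTER_LEN) return -1;
    int n = 0;
    buf[n++] = ins(BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch));
    buf[n++] = ins(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, ARCH_NR);   /* match: skip the kill */
    buf[n++] = ins(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL);
    buf[n++] = ins(BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr));
    for (int i = 0; i < NUM_ALLOWED; i++) {
        /* On a match, jump forward to the final RET ALLOW; otherwise test the next entry. */
        buf[n++] = ins(BPF_JMP | BPF_JEQ | BPF_K, (uint8_t)(NUM_ALLOWED - i), 0, allowed[i]);
    }
    buf[n++] = ins(BPF_RET | BPF_K, 0, 0, DENY_ACTION);
    buf[n++] = ins(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW);
    return n;
}

/* Minimal interpreter for the three opcodes build_filter emits, so a filter's
 * verdict for (arch, nr) can be inspected before it is installed. */
static uint32_t evaluate(const struct sock_filter *p, int len, uint32_t arch, uint32_t nr)
{
    uint32_t acc = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct sock_filter *i = &p[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (i->k == offsetof(struct seccomp_data, arch)) acc = arch;
            else if (i->k == offsetof(struct seccomp_data, nr)) acc = nr;
            else return SECCOMP_RET_KILL;              /* field this toy does not model */
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == i->k) ? i->jt : i->jf;       /* offsets are relative to the next insn */
            break;
        case BPF_RET | BPF_K:
            return i->k;
        default:
            return SECCOMP_RET_KILL;                   /* opcode this toy does not model */
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end; the kernel rejects such programs at load */
}

/* What would the filter do for this syscall on this architecture? */
static uint32_t decide(uint32_t arch, uint32_t nr)
{
    struct sock_filter buf[FILTER_LEN];
    int n = build_filter(buf, FILTER_LEN);
    return evaluate(buf, n, arch, nr);
}

/* Install the filter for the calling thread. PR_SET_NO_NEW_PRIVS is required for
 * unprivileged callers and also stops setuid/fscaps binaries from regaining privilege. */
static int install_filter(void)
{
    struct sock_filter buf[FILTER_LEN];
    int n = build_filter(buf, FILTER_LEN);
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = buf };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    printf("write  -> %s\n", decide(ARCH_NR, SYS_write)  == SECCOMP_RET_ALLOW ? "ALLOW" : "deny");
    printf("socket -> %s\n", decide(ARCH_NR, SYS_socket) == SECCOMP_RET_ALLOW ? "ALLOW" : "deny");
    fflush(stdout);                                /* flush before the filter is live */
    if (install_filter() != 0) { perror("install_filter"); return 1; }
    /* The kernel now enforces the same policy: getpid is not on the list. */
    long r = syscall(SYS_getpid);
    const char *msg = (r == -1 && errno == EPERM) ? "getpid denied with EPERM\n" : "unexpected\n";
    write(STDOUT_FILENO, msg, strlen(msg));
    _exit(0);                                      /* exit_group: allowed */
}
```

Build with `cc -o seccomp_demo seccomp_demo.c` and run it unprivileged on Linux. Two design points carry over to real filters: the architecture check comes before anything else, and the default for an unlisted syscall is an explicit action (`ERRNO` here, so the program fails visibly rather than being killed mid-write), which is also what makes the policy easy to debug when an application turns out to need one more syscall than expected.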
