The Cequence eBPF Sensor enables you to copy transaction information from your apps running in a Kubernetes environment. A dedicated pod on your Kubernetes node runs the eBPF Sensor, which monitors and copies the API and HTTP traffic from your application pods on that node.
The pod that runs the eBPF Sensor also runs the Cequence Bridge, which transmits the collected copies of the traffic to the Cequence Unified API Protection (UAP) platform. Because the eBPF Sensor is deployed as a Kubernetes DaemonSet, an instance of the eBPF Sensor pod exists on each node in the cluster.
Deployment options
You can deploy the eBPF sensor in Kubernetes, using a Helm chart, or with Docker, using a Docker Compose file. As a best practice, configure the pod that runs the eBPF sensor and the Cequence Bridge with 1 CPU and 256Mb of RAM. Both deployment patterns need a client ID and client Secret to authenticate to the Cequence UAP platform. Once you've generated the client ID and client Secret, proceed to the article for the deployment option you'll use.
Generating a client ID and client Secret
Several Cequence components must authenticate to the Cequence UAP platform in order to transmit and receive data. Create authentication credentials in the Cequence UAP platform to enable this authentication.
- Log in to the UAP management portal UI.
The URL for the management portal is typically of the form https://ui.<your-tenant-name>.<domain>. Replace <your-tenant-name> with the name of your Cequence tenant organization. Replace <domain> with your domain name. - Select General Settings > User Management.
The User Management pane appears. - Click the Clients tab.
- Click Add New Client.
The new client dialog box appears. - Type the client name in the Client Name field.
This name is the client ID. Note the client ID for later use. - Enable the Traffic Management toggle.
- (Optional) To change the token lifespan from the default of 1800 seconds, type a whole number of seconds in Token Lifespan.
- Click Save.
A dialog box with the client secret appears. - Click the blue Copy icon to copy the secret to the clipboard, then click Close.
The client is now set up. Note the client name for future use.
The client list appears. - Note the value of the client secret for later use. This value will not be shown again later on the UI for security reasons.
Supported environments
The eBPF sensor does not universally support all environments. The following table lists environments where the eBPF sensor has been tested or is known to work.
| Environment | Status |
| Kubernetes, including EKS, RKE2, Digital Ocean, and Openshift | Tested |
| Envoy service mesh | Tested |
| Istio gateway, sidecar service, and ambient service mesh | Tested |
| Docker containers | Tested |
| Amazon Linux 2, including Amazon Linux 2 and Amazon Linux 2023 | Known to work |
| Centos release 8 or newer | Known to work |
| Debian release 11 (bullseye) or newer | Known to work |
| Fedora release 38 or newer | Known to work |
| Oracle Linux release 7, release 8 with kernel versions 5.4 or newer | Known to work |
| Red Hat release 8 with kernel version 4.18 or newer | Known to work |
| SuSe release 15.3 or newer | Known to work |
| Managed Kubernetes environments including Amazon EKS, Azure AKS, Google Kubernetes Engine (GKE) releases 5.3, 5.10, and 5.15 or newer | Known to work |
| Minikube and Microk8s | Known to work |