Deploying a pod that contains the eBPF sensor and Cequence Bridge uses the Helm utility. You'll also need the client ID and client secret pair you generated earlier.
Before you start
Confirm that you have access to your Kubernetes cluster with a current version of Helm.
What you'll need
- Credentials to a user account on a host with access to your Kubernetes cluster
- Credentials to the Cequence Helm chart repository. Your Cequence team provides these credentials.
- Access to a text editor on the host you're using for this installation process
- Privileges to create, move, and rename files and directories
- Privileges to set pod capabilities
Items to download
You don't need to download anything for this installation process.
Configure the privileges in your environment
The eBPF Network Sensor operates at the kernel level and requires specific security privileges to function correctly. By default, the sensor is configured with privileged: true for optimal performance and compatibility across all environments.
Default Configuration (Recommended)
The sensor ships with privileged mode enabled by default in the Helm chart:
securityContext:
  privileged: true
This configuration ensures seamless operation across all Kubernetes distributions and eliminates potential permission-related issues.
Alternative Configuration for Restricted Environments
If your security policies prohibit privileged containers, you can configure the sensor with specific capabilities instead. However, note that this approach may have limitations in certain environments and Kubernetes distributions.
In environments where privileged pods aren't available, configure the following specific set of capabilities.
Required Capabilities
| Capability | Description |
| --- | --- |
| CAP_SYS_RESOURCE | Manages eBPF map limits |
| CAP_BPF + CAP_PERFMON, or CAP_SYS_ADMIN | Used to load and attach eBPF programs |
| CAP_SYS_PTRACE | Enables the collection of information about processes |
| CAP_NET_ADMIN | Enables packet capture |
| CAP_SETPCAP | Reduces bounding set capabilities |
| CAP_SYSLOG | Enables access to kernel symbols through /proc/kallsyms |
| CAP_IPC_LOCK | Only required in Ubuntu environments |
| CAP_SYS_ADMIN | Required in cgroup v1 environments |
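An added example (not Cequence's code) that checks an effective-capability mask, as reported in the CapEff field of /proc/<pid>/status, against the table above: it lists the missing capabilities, shows which of the two loader options is present, and tests whether the mask is the full set that privileged mode grants. The function names and sample masks are constructed for illustration; the bit numbers are those in the Linux capability header.

```shell
#!/bin/sh
# Added example, not vendor code. One way to read a mask from a running pod
# (assumes the image ships grep; <sensor-pod-name> is a placeholder):
#   kubectl exec -n cequence <sensor-pod-name> -- grep CapEff /proc/1/status

cap_bit() {  # capability name -> bit number, from <linux/capability.h>
  case "$1" in
    CAP_SETPCAP) echo 8 ;;      CAP_NET_ADMIN) echo 12 ;;
    CAP_IPC_LOCK) echo 14 ;;    CAP_SYS_PTRACE) echo 19 ;;
    CAP_SYS_ADMIN) echo 21 ;;   CAP_SYS_RESOURCE) echo 24 ;;
    CAP_SYSLOG) echo 34 ;;      CAP_PERFMON) echo 38 ;;
    CAP_BPF) echo 39 ;;         *) return 1 ;;
  esac
}

has_cap() {  # has_cap <hex mask> <capability name>
  _bit=$(cap_bit "$2") || return 2
  [ $(( (0x$1 >> _bit) & 1 )) -eq 1 ]
}

loader_mode() {  # which documented option lets this mask load eBPF programs
  if has_cap "$1" CAP_BPF && has_cap "$1" CAP_PERFMON; then echo "bpf+perfmon"
  elif has_cap "$1" CAP_SYS_ADMIN; then echo "sys_admin"
  else echo "none"; fi
}

missing_caps() {  # missing_caps <hex mask> [extra caps, e.g. CAP_IPC_LOCK on Ubuntu]
  _mask=$1; shift; _out=""
  for _c in CAP_SYS_RESOURCE CAP_SYS_PTRACE CAP_NET_ADMIN CAP_SETPCAP CAP_SYSLOG "$@"; do
    has_cap "$_mask" "$_c" || _out="$_out $_c"
  done
  [ "$(loader_mode "$_mask")" != "none" ] ||
    _out="$_out LOADER(CAP_BPF+CAP_PERFMON|CAP_SYS_ADMIN)"
  echo "${_out# }"
}

is_full_set() {  # is_full_set <hex mask> <highest cap number>: every bit set?
  _full=$(( (1 << ($2 + 1)) - 1 ))
  [ $(( 0x$1 & _full )) -eq "$_full" ]
}

# Constructed sample masks.
RESTRICTED=0000000401285100       # the seven capabilities in the page's YAML
PRIVILEGED=000001ffffffffff       # all 41 capabilities (bits 0-40)
RUNTIME_DEFAULT=00000000a80425fb  # a typical container-runtime default set

for m in "$RESTRICTED" "$PRIVILEGED" "$RUNTIME_DEFAULT"; do
  echo "$m loader=$(loader_mode "$m") missing=[$(missing_caps "$m")]"
done
```

The highest capability number on a node is in /proc/sys/kernel/cap_last_cap; pass that value as the second argument to is_full_set.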
To configure these capabilities, open the ebpf-override.yml file in a text editor and add the following lines in the securityContext: section. Use CAP_BPF and CAP_PERFMON together, or CAP_SYS_ADMIN alone, according to the needs of your use case.
securityContext:
  capabilities:
    add:
      - CAP_SYS_RESOURCE
      - CAP_SYS_ADMIN
      - CAP_SYS_PTRACE
      - CAP_NET_ADMIN
      - CAP_SETPCAP
      - CAP_SYSLOG
      - CAP_IPC_LOCK

Prepare your environment
Add the Cequence Helm repository to pull the Helm chart you need to install the eBPF sensor.
Run the following commands from a terminal to add the Cequence chart repository and make sure it's up to date.
helm repo add cequence https://cequence.gitlab.io/helm-charts
helm repo update cequence

Run the following command to search for the eBPF sensor's Helm chart.
helm search repo cequence/ebpf-sensor

Optionally, and as a best practice, run the following command to create a separate namespace for the eBPF sensor.
kubectl create namespace cequence

Set up Kubernetes secrets
Kubernetes needs credentials to access the Cequence registry. Run the following command to create the Kubernetes secret that contains those credentials.
kubectl create secret docker-registry regcred \
  --docker-server=registry.gitlab.com \
  --docker-username=<username> \
  --docker-password=<password> \
  --namespace cequence

Kubernetes also needs credentials for the Cequence UAP platform. Add the Cequence client secrets by running the following command. Replace <client_id> and <client_secret> with the values of the client ID and client secret you created earlier.
kubectl create secret generic client-credentials \
  --from-literal=clientId=<client_id> \
  --from-literal=clientSecret=<client_secret> \
  -n cequence

Set up the overrides file
A Helm overrides file provides configuration exceptions to the configuration specified in a Helm chart. In a text editor, create a file named ebpf-sensor.yaml. Save the file in the /opt/cequence/ebpf directory.
The following example shows a minimal overrides file. Replace <subdomain> with your Cequence UAP platform subdomain, which will be of the form yourcustomername.cequence.1.cloud for SaaS. You can filter namespaces with the namespaceSelector option. For the default SaaS-based UAP, the value for <realm> is cequence.
images:
  pullSecrets:
    - name: regcred
bridge:
  uapSubdomain: "<subdomain>"
  edgeServer: "edge.<subdomain>"
  auth:
    secretsRefName: "client-credentials"
    tokenUrl: "https://auth.<subdomain>/auth/realms/<realm>/protocol/openid-connect/token"
  extraVars:
    - "INSTANCE_ID=your-actual-instance-id"
sensor:
  # Namespace filtering configuration - uncomment and modify as needed
  # namespaceSelector:
  #   # EXCLUDE mode: Monitor all namespaces EXCEPT the ones listed
  #   action: "exclude"
  #   values:
  #     - "kube-system" # Exclude Kubernetes system namespace
  #     - "monitoring*" # Exclude all namespaces starting with "monitoring"
  # Alternative: INCLUDE mode - Monitor ONLY the namespaces listed
  # namespaceSelector:
  #   action: "include"
  #   values:
  #     - "production" # Monitor only production namespace
  #     - "app-*" # Monitor all namespaces starting with "app-"

For GKE, add the following to the above example.
bridge:
  server:
    port: 9080
sensor:
  # For GKE COS support
  gkeCos: true

For eBPF with a service mesh setup, use the following option to ignore the setting of dest-port.
sensor:
  # -- Txn Id attribute configuration
  txnIdConfig:
    # -- Ignore destination port during transaction ID generation
    ignoreDstPort: false
    # -- Ignore sequence number during transaction ID generation
    ignoreSeqNum: false

The following set of options filters out some traffic to reduce noise. Adjust as required by your use case.
sensor:
  trafficFilter:
    # -- Ignore node IP traffic
    ignoreNodeIpTraffic: true
    # -- Ignore link local traffic
    ignoreLinkLocalTraffic: true
    # -- Ignore loopback traffic
    ignoreLoopbackTraffic: false
    # -- Log events that are filtered out for debugging purposes
    logFilteredEvents: false

The README file for the Helm chart has detailed information on supported configurations.
Installing the sensor
To install the eBPF sensor, run the following command.
helm install sensor cequence/ebpf-sensor -n cequence --version 2.0.1 -f ebpf-sensor.yaml

If the overrides file name is not ebpf-sensor.yaml, use the actual file name.
Verifying the installation
You can run several Kubernetes management commands to confirm that the containers with the Cequence eBPF sensor and Bridge are running properly.
Check all the resources running in the Cequence namespace.
kubectl get all -n cequence

Check the logs for the Sensor pod and verify there are no errors. Replace <sensor-pod-name> with the name of a Sensor pod from the output of the previous command.
kubectl logs -n cequence <sensor-pod-name>

Verify the Cequence Bridge logs to make sure data is captured and being sent to the Cequence UAP platform.
In one of the Sensor pods, shell into the Bridge container.
Run the command "tail -F /runtime/cequence/sensor/log/connector.log"
Check that it's receiving and writing data. For example:
"pipeline: sensor-apiedge-unified, received: 381, filtered out: 325, written: 48"
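An added example (not Cequence's code) that turns the manual log check above into a script: it reads connector.log lines on standard input and reports a status for each pipeline from its most recent counter line. The function name and status labels are constructed for illustration, and the line layout is assumed to match the sample line quoted above.

```shell
#!/bin/sh
# Added example, not vendor code. Reads connector.log lines on stdin and prints
# "<pipeline> <status>" based on the latest counter line seen for each pipeline.
pipeline_status() {
  awk '
    match($0, /pipeline: [^,]+, received: [0-9]+, filtered out: [0-9]+, written: [0-9]+/) {
      split(substr($0, RSTART, RLENGTH), f, /, /)
      sub(/^pipeline: /, "", f[1]);     sub(/^received: /, "", f[2])
      sub(/^filtered out: /, "", f[3]); sub(/^written: /, "", f[4])
      recv[f[1]] = f[2] + 0; wrote[f[1]] = f[4] + 0
    }
    END {
      for (p in recv) {
        if (recv[p] == 0) { st = "no-traffic-received" }      # sensor delivered nothing
        else if (wrote[p] == 0) { st = "nothing-written" }    # everything filtered or not forwarded
        else { st = "ok" }
        print p, st
      }
    }' | sort
}

# Constructed sample: an idle line followed by the line quoted on this page.
SAMPLE='pipeline: sensor-apiedge-unified, received: 0, filtered out: 0, written: 0
pipeline: sensor-apiedge-unified, received: 381, filtered out: 325, written: 48'
printf '%s\n' "$SAMPLE" | pipeline_status
```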
Things to try in case of problems
You can check the events from a given pod with the get events command.
kubectl get events --sort-by=.metadata.creationTimestamp

To test pod connectivity and get a health report, check the health API endpoint with the curl command.
curl http://localhost:8080/health

Removing the eBPF sensor
To uninstall the eBPF sensor, run the following command.
helm uninstall sensor -n cequence