[Tetragon] [Exercise] - Are the kubectl exec logs actually useful #3708

@jaskaransarkaria

User Need

As a Platform Engineer
I want to be able to find the kubectl exec data in the Tetragon logs easily
so that we have an idea of how useful Tetragon actually is


Context

Following the work to implement Tetragon PoC into integration, we need to assess whether Tetragon is useful (or not). Use this exercise to give us a bit more info so that we can make an informed decision later.

If we adopt Tetragon, here's the ticket to "productionise". That ticket needs to be broken down into smaller tickets.


What’s Needed

List anything the solution must do or be (behaviour, performance, security, UX, etc.).

  • One platform engineer kubectl exec's into a pod in integration and does a bunch of things
  • Another engineer at the end of the week tracks down and finds out what has actually been kubectl exec'ed
  • The second engineer should make a note of the benefits and difficulties in tracking down the commands and present these back to the team at sprint review
  • The second engineer should also consider what this process would look like when trying to track down a real threat actor
  • The second engineer should report back on their findings and work on an ADR that details their recommendations (in collaboration with the first engineer)

Assumptions (optional)

  • Use the EKS cluster audit CloudWatch logs to find who and when
  • Then correlate this with Tetragon logs to find out what
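
One way to do the correlation described in the assumptions above, as an added example that is not part of the original issue or of Tetragon: audit events on the `pods/exec` subresource give who and when, and Tetragon `process_exec` events from the same pod give what. The sample log lines are constructed, and the 10-minute window is an assumption; a time-window match also picks up processes the container starts on its own, so treat the output as candidates to review.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample lines, not real logs. AUDIT: Kubernetes audit events as found
# in the EKS audit CloudWatch log stream. TETRAGON: Tetragon JSON export events.
AUDIT = [
    '{"auditID":"a1","stage":"ResponseStarted","user":{"username":"alice"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"apps","name":"web-0"},"requestReceivedTimestamp":"2025-01-15T10:02:03.100000Z"}',
    '{"auditID":"a1","stage":"ResponseComplete","user":{"username":"alice"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"apps","name":"web-0"},"requestReceivedTimestamp":"2025-01-15T10:02:03.100000Z"}',
    '{"auditID":"b2","stage":"ResponseComplete","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"apps","name":"web-0"},"requestReceivedTimestamp":"2025-01-15T10:05:00.000000Z"}',
]
TETRAGON = [
    '{"process_exec":{"process":{"binary":"/bin/sh","arguments":"","pod":{"namespace":"apps","name":"web-0"}}},"time":"2025-01-15T10:02:03.412345678Z"}',
    '{"process_exec":{"process":{"binary":"/usr/bin/cat","arguments":"/etc/hostname","pod":{"namespace":"apps","name":"web-0"}}},"time":"2025-01-15T10:02:10.000000001Z"}',
    '{"process_exec":{"process":{"binary":"/bin/ls","arguments":"-l","pod":{"namespace":"apps","name":"web-1"}}},"time":"2025-01-15T10:02:11.5Z"}',
    '{"process_exec":{"process":{"binary":"/bin/ps","arguments":"aux","pod":{"namespace":"apps","name":"web-0"}}},"time":"2025-01-15T10:30:00.000000000Z"}',
]

def parse_ts(s):
    # Tetragon timestamps carry nanoseconds; datetime holds microseconds, so trim.
    head, _, frac = s.rstrip("Z").partition(".")
    base = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return base + timedelta(microseconds=int(frac[:6].ljust(6, "0")))

def exec_sessions(audit_lines):
    """Who and when: one record per auditID that targets the pods/exec subresource."""
    seen = {}  # the same request is logged once per audit stage, so dedupe on auditID
    for ev in map(json.loads, audit_lines):
        ref = ev.get("objectRef", {})
        if ref.get("resource") == "pods" and ref.get("subresource") == "exec":
            seen.setdefault(ev["auditID"], (ev["user"]["username"], ref["namespace"],
                            ref["name"], parse_ts(ev["requestReceivedTimestamp"])))
    return list(seen.values())

def correlate(audit_lines, tetragon_lines, window=timedelta(minutes=10)):
    """What: process_exec events in the same pod within `window` (assumed) of the exec."""
    procs = []
    for ev in map(json.loads, tetragon_lines):
        p = ev.get("process_exec", {}).get("process", {})
        if "pod" in p:  # host processes have no pod metadata and are skipped
            cmd = f'{p["binary"]} {p.get("arguments", "")}'.strip()
            procs.append((parse_ts(ev["time"]), p["pod"]["namespace"], p["pod"]["name"], cmd))
    return [{"user": user, "pod": f"{ns}/{pod}", "start": start,
             "commands": [c for t, n, name, c in procs
                          if (n, name) == (ns, pod) and start <= t <= start + window]}
            for user, ns, pod, start in exec_sessions(audit_lines)]

if __name__ == "__main__":
    print(correlate(AUDIT, TETRAGON))
```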
