rad-runtime

Overview

The rad-runtime plugin is a monitoring tool that uses system-level probes to observe process activity on each node in a Kubernetes cluster. This allows RAD to detect and respond to potential security breaches in real time, as they occur.

How It Works

On each node, the rad-runtime plugin deploys two containers as part of a DaemonSet. The first container uses an eBPF (Extended Berkeley Packet Filter) probe to monitor system calls and process-level activity. The second container, known as the runtime-reporter, interprets the output from the eBPF container and relays it back to RAD, so that potential security incidents are reported promptly.

Configuration

Off by Default: By default, the rad-runtime plugin is not active. To enable it, the following configuration needs to be set in the Helm values file:
runtime:
  enabled: true
Security Context: When operational, the eBPF container requires specific security context capabilities to function correctly, including BPF, SYS_RESOURCE, PERFMON, and SYS_PTRACE.
Compatibility: The eBPF containers run effectively only if they are compatible with the host system's kernel. The Helm chart for RAD Plugins is subject to frequent updates, so refer to the RAD Compatibility matrix for the latest information on supported environments.
Flags: The RAD runtime component has a set of flags that can be modified if needed. To override a default, set an environment variable with the flag's name to the desired value.
| Environment Variable | Default Value | Description |
| --- | --- | --- |
| DEBUG | false | If true, the system runs in debug mode |
| PORT | :8000 | The port for the HTTP server to listen on |
For additional configuration options and performance tuning, see the Runtime Performance Overview page.
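
A check for the Security Context item above, as an added example that is not part of the RAD documentation or Helm chart: it audits a DaemonSet manifest (the JSON form that `kubectl get daemonset -o json` returns) to confirm the eBPF container adds only the four listed capabilities. The sample manifest, the DaemonSet name and the container names in it are constructed assumptions, and the drop-ALL check is a general least-privilege practice rather than something this page states.

```python
import json

# Capabilities the page lists for the eBPF container.
REQUIRED_CAPS = {"BPF", "SYS_RESOURCE", "PERFMON", "SYS_PTRACE"}

def _norm(cap):
    """'CAP_SYS_PTRACE' or 'sys_ptrace' -> 'SYS_PTRACE'."""
    return cap.upper().removeprefix("CAP_")

def audit_container(container):
    """Return a list of findings for one container spec (dict)."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    added = {_norm(c) for c in caps.get("add") or []}
    dropped = {_norm(c) for c in caps.get("drop") or []}
    privileged = bool(sc.get("privileged"))
    findings = []
    if privileged:
        findings.append("privileged: true grants every capability")
    missing = REQUIRED_CAPS - added
    if missing and not privileged:
        findings.append("missing required: " + ", ".join(sorted(missing)))
    extra = added - REQUIRED_CAPS
    if extra:
        findings.append("beyond documented set: " + ", ".join(sorted(extra)))
    # General hardening check (assumption, not stated by the page).
    if "ALL" not in dropped and not privileged:
        findings.append("does not drop ALL before adding capabilities")
    return findings

def audit_daemonset(manifest, container_name):
    """Audit the named container inside a DaemonSet manifest (dict)."""
    for c in manifest["spec"]["template"]["spec"]["containers"]:
        if c["name"] == container_name:
            return audit_container(c)
    return [f"container {container_name!r} not found"]

# Constructed sample; DaemonSet and container names are hypothetical.
SAMPLE = json.loads("""
{"kind": "DaemonSet", "metadata": {"name": "example-runtime"},
 "spec": {"template": {"spec": {"containers": [
  {"name": "ebpf", "securityContext": {"capabilities": {
    "drop": ["ALL"],
    "add": ["BPF", "SYS_RESOURCE", "PERFMON", "SYS_PTRACE", "SYS_ADMIN"]}}},
  {"name": "runtime-reporter", "securityContext": {}}]}}}}
""")

if __name__ == "__main__":
    print("\n".join(audit_daemonset(SAMPLE, "ebpf")))
```

An empty result means the container matches the documented capability set; pass the container name your deployed chart actually uses.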