> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rad.security/llms.txt
> Use this file to discover all available pages before exploring further.

# rad-runtime

> RAD Runtime plugin for advanced monitoring using eBPF system-level probes

## Overview

The rad-runtime plugin is an advanced monitoring tool that uses system-level probes to scrutinize process activities on each node within a Kubernetes cluster. This capability allows RAD to detect and respond to potential security breaches as they occur in real-time.

## How It Works

Within each node, the rad-runtime plugin deploys two containers as part of a Daemonset. The first container utilizes an eBPF (Extended Berkeley Packet Filter) probe to monitor system calls and process-level activities. The second container, known as the runtime-reporter, is tasked with interpreting the output from the eBPF container and relaying this information back to RAD, ensuring that potential security incidents are reported promptly.

## Configuration

<Note>
  **Off by Default**: By default, the rad-runtime plugin is not active. To enable it, the following configuration needs to be set in the Helm values file:

  ```yaml theme={null}
  runtime:
    enabled: true
  ```
</Note>

**Security Context:** When operational, the eBPF container requires specific security context capabilities to function correctly, including BPF, SYS\_RESOURCE, PERFMON, and SYS\_PTRACE.

**Compatibility:** It's essential to ensure compatibility with the host system's kernel for the eBPF containers to run effectively. The HelmChart for RAD Plugins is subject to frequent updates, so refer to the RAD Compatibility matrix for the latest information on supported environments.

The RAD runtime component has a set of flags that can be modified if needed. To modify the value from the default, add the name as an environment variable and change the value to the desired value.

| Environment Variable | Default Value | Description                               |
| -------------------- | ------------- | ----------------------------------------- |
| DEBUG                | false         | If true, the system runs in debug mode    |
| PORT                 | :8000         | The port for the HTTP server to listen on |

For additional configuration options and performance tuning, see the [Runtime Performance Overview](/rad-security/integrations/runtime-performance-overview) page.