Project / 2026

KCD Security Observability Demo

A Kubernetes security observability demo built for my KCD Guadalajara talk, showing how Cilium Tetragon and eBPF can detect, correlate, and block an attack in real time.

This project was built as the technical foundation for my KCD Guadalajara talk. The goal was to show a full Kubernetes intrusion flow in a way that was realistic enough for a serious security demo, but still simple to deploy on a single-node k3s cluster.

Instead of relying only on application logs or HTTP-layer visibility, the demo focuses on kernel-level telemetry. With Cilium Tetragon and eBPF, the important attacker actions become visible where they actually happen: process execution, sensitive file access, ServiceAccount token reads, and outbound connections to a simulated command-and-control server.

Attack Flow

The demo uses an intentionally vulnerable Flask application running inside Kubernetes and walks through a controlled compromise chain. The sequence includes command injection, path traversal, ServiceAccount token theft, and exfiltration toward a simulated C2 endpoint.

Each step is designed to produce a clear detection signal. That makes the project effective both as a teaching artifact and as a technical proof that kernel telemetry can explain attacker behavior with much better precision than surface-level logging alone.

  • Command injection leading to unexpected binary execution inside the container.
  • Path traversal used to reach sensitive files such as /etc/passwd.
  • ServiceAccount token access to simulate in-cluster credential theft.
  • Outbound connection attempts to represent exfiltration and C2 traffic.

Security Observability Stack

The environment correlates eBPF events, application logs, metrics, and traces inside a single observability flow. Grafana, Loki, Prometheus, and Tempo provide the cross-layer context needed to follow one malicious action from the HTTP request that triggered it down to the kernel event captured by Tetragon.

That correlation is one of the strongest parts of the demo. It does not just prove that an event happened. It shows what request triggered it, what process executed, what file was touched, and what network behavior followed.

  • Tetragon captures kernel-level process, file, and network events.
  • Loki aggregates both Tetragon JSON output and application logs.
  • Prometheus and Tempo add metrics and distributed tracing context.
  • Grafana ties the whole incident flow into a single dashboard.
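
The kernel-event side of that correlation can be sketched offline. The following is an added example, not code from the project's repo: it groups events shaped like Tetragon's JSON export by process ancestry (exec_id and parent_exec_id) and flags a tree that executed a binary, read the ServiceAccount token, and opened an outbound connection. The sample events, the function names, and the assumption that the TracingPolicies already filter file events down to sensitive paths are all constructed for illustration.

```python
import json

SA_TOKEN = "secrets/kubernetes.io/serviceaccount"  # matches /var/run/... and /run/...

# Constructed events (one JSON object per line) in the general shape of
# Tetragon's JSON export; exec_ids, binaries and addresses are made up.
SAMPLE = """
{"process_exec":{"process":{"exec_id":"e1","parent_exec_id":"e0","binary":"/bin/sh"}}}
{"process_exec":{"process":{"exec_id":"e2","parent_exec_id":"e1","binary":"/bin/cat"}}}
{"process_kprobe":{"process":{"exec_id":"e2","parent_exec_id":"e1"},"function_name":"security_file_permission","args":[{"file_arg":{"path":"/etc/passwd"}}]}}
{"process_kprobe":{"process":{"exec_id":"e2","parent_exec_id":"e1"},"function_name":"security_file_permission","args":[{"file_arg":{"path":"/run/secrets/kubernetes.io/serviceaccount/token"}}]}}
{"process_exec":{"process":{"exec_id":"e3","parent_exec_id":"e1","binary":"/usr/bin/curl"}}}
{"process_kprobe":{"process":{"exec_id":"e3","parent_exec_id":"e1"},"function_name":"tcp_connect","args":[{"sock_arg":{"daddr":"203.0.113.10","dport":8443}}],"action":"KPROBE_ACTION_SIGKILL"}}
{"process_exec":{"process":{"exec_id":"e9","parent_exec_id":"e8","binary":"/usr/bin/python3"}}}
"""

def classify(ev):
    """Return (process, signal, detail) for events of interest, else None."""
    if "process_exec" in ev:
        proc = ev["process_exec"]["process"]
        return proc, "exec", proc.get("binary", "?")
    kp = ev.get("process_kprobe")
    for arg in (kp or {}).get("args", []):
        path = arg.get("file_arg", {}).get("path", "")
        if path:  # assumption: the policy only emits file events for sensitive paths
            return kp["process"], "token_read" if SA_TOKEN in path else "file_read", path
        if "sock_arg" in arg:
            dst = "%s:%s" % (arg["sock_arg"].get("daddr"), arg["sock_arg"].get("dport"))
            dst += " (SIGKILL)" if kp.get("action") == "KPROBE_ACTION_SIGKILL" else ""
            return kp["process"], "connect", dst

def correlate(text):
    """Group signals under the oldest ancestor exec_id seen in the stream."""
    parent, chains = {}, {}
    for line in filter(str.strip, text.splitlines()):
        hit = classify(json.loads(line))
        if hit:
            proc, signal, detail = hit
            parent.setdefault(proc["exec_id"], proc.get("parent_exec_id"))
            root = proc["exec_id"]
            while parent.get(root) in parent:  # climb to the root of the process tree
                root = parent[root]
            chains.setdefault(root, []).append((signal, detail))
    return chains

def suspicious(chains):
    """Roots whose subtree executed a binary, read the SA token, and opened egress."""
    need = {"exec", "token_read", "connect"}
    return [r for r, evs in chains.items() if need <= {s for s, _ in evs}]
```

Grouping by ancestry rather than by a single process matters here because the shell spawned by the injection, the file read, and the outbound connection each run under a different exec_id.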

Response and Reproducibility

The repo includes an idempotent setup script for provisioning the VPS, installing k3s, deploying Tetragon, building the vulnerable application, and optionally bringing up the full observability stack. It also ships the tracing and enforcement policies required for the live demo.

A final Tetragon enforcement policy can terminate the malicious process with SIGKILL before the exfiltration attempt completes. That turns the demo from passive visibility into active response and makes the security story much stronger on stage.

  • Single-node Ubuntu and k3s deployment for a reproducible lab.
  • TracingPolicies for attacker process, file, and network behavior.
  • Optional full observability stack for logs, metrics, and traces.
  • Live enforcement that blocks the final malicious connection.