Evaluating the performance of eBPF-based security software in a virtualized 5G cluster

Since the arrival of 5G technology there has been a shift towards virtualization and use of containers instead of bare-metal machines. A huge part of what made this possible is the use of Kubernetes to deploy and manage a huge cluster of machines that put together enable a 5G network to function. While the cluster can run smoothly and without break there is a severe need for strong security measures without which we would have frequent attacks that could hinder the availability of our network. Tetragon is one of these security measures that provides strong observability and enforcement capabilities to strengthen the security of our cluster. Through the use of eBPF it is not only fast but it also uses as little resources as possible to accomplish its goal. Studying this tool we are able to determine if it can be deployed inside our 5G network and it is good enough to cover as many security use cases as possible. At first we focused on simply learning how to best use Tetragon and how it works at a low level, leveraging eBPF and having access to Linux syscalls and the network layer for extensive monitoring. Later on we tried to utilize Tetragon and create demonstrations that would simulate its usage inside our network, deciding wether or not it would be feasible to use it inside a production environment. After extensive research and testing, while there are plenty of good use cases for Tetragon there are just as many more that need further support from machine learning to properly detect a certain class of events.