Installation Requirements

System Requirements

Before you get started with the installation, make sure you meet the requirements below.

If you encounter issues or have questions, simply message us on Slack, and we’ll gladly help.

Kubernetes RBAC Permissions

To install Kerno, you need permission to deploy the following Kubernetes objects:

  • StatefulSet

  • Deployment

  • DaemonSet (with privileged containers for loading eBPF)

  • ConfigMap

  • Secret

  • PersistentVolumeClaim (PVC)

Kubernetes

Kubernetes v1.21+ is required.

The following tables list Kubernetes environments that have been tested with Kerno.

Kerno may work on other K8s environments. If you find an unlisted K8s environment that works well, please let us know by contacting us.

Production Environments

Local Development Environments

For local development, we recommend using Minikube with a VM driver (kvm2 on Linux, hyperkit on Mac). Note that Kubernetes environments that run inside a container are not currently supported.

Kernel Version

Kerno supports Linux kernel version 5.3 or higher (released after 2020).

Run uname -r on your Linux system to check your kernel version.

Supported Linux Distributions

Note: Kerno might work on other Linux kernels that are not listed here.

If your distribution isn't listed, please drop us a note on Slack.

Permissions

  • Loading the eBPF code requires running privileged containers.

Note: eBPF is entirely safe to run. It uses a verifier to ensure that BPF programs are safe to run, won’t break the kernel in any way, and won’t violate the system's security model.

CO-RE Support

Kerno leverages eBPF’s CO-RE (Compile Once - Run Everywhere) capability to ensure compatibility across various Linux kernels and distributions. This requires the kernel to be compiled with BTF (BPF Type Format) information, enabled by setting the CONFIG_DEBUG_INFO_BTF=y flag during kernel compilation. Most modern Linux distributions now include this by default.

To verify if your kernel supports CO-RE, look for the presence of the BTF file:

$ ls -la /sys/kernel/btf/vmlinux

-r--r--r--. 1 root root 3541561 Jun 2 18:16 /sys/kernel/btf/vmlinux

If the vmlinux file is listed, your kernel has CO-RE support enabled.
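
A preflight check for the kernel version and CO-RE requirements described above, as an added example that is not part of Kerno's documentation or tooling. The function names, the preflight.sh file name and the --check argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: node preflight for the kernel (5.3+) and CO-RE/BTF requirements.
# Function names and the --check argument are hypothetical, not part of Kerno.
MIN_MAJOR=5
MIN_MINOR=3

# kernel_ok RELEASE: 0 if RELEASE (uname -r format) is >= 5.3, 1 if older,
# 2 if the string cannot be parsed as major.minor.
kernel_ok() {
    release=$1
    case "$release" in *.*) ;; *) return 2 ;; esac
    major=${release%%.*}          # "5.15.0-91-generic" -> "5"
    rest=${release#*.}            # -> "15.0-91-generic"
    minor=${rest%%[!0-9]*}        # -> "15"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt "$MIN_MAJOR" ] && return 0
    [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ] && return 0
    return 1
}

# btf_ok PATH: 0 if PATH is a readable, non-empty file (the kernel's BTF data).
btf_ok() {
    [ -r "$1" ] && [ -s "$1" ]
}

# preflight RELEASE BTF_PATH: prints one line per check and returns the
# number of failed checks (0 means the node meets both requirements).
preflight() {
    failures=0
    if kernel_ok "$1"; then
        echo "PASS kernel $1 is >= $MIN_MAJOR.$MIN_MINOR"
    else
        echo "FAIL kernel $1 is older than $MIN_MAJOR.$MIN_MINOR or unparseable"
        failures=$((failures + 1))
    fi
    if btf_ok "$2"; then
        echo "PASS BTF found at $2, CO-RE is supported"
    else
        echo "FAIL no readable BTF at $2 (is CONFIG_DEBUG_INFO_BTF=y set?)"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Check the live node only when called as: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight "$(uname -r)" /sys/kernel/btf/vmlinux
fi
```

Run it on a node from each node pool, since kernel versions and BTF availability can differ between node images in the same cluster.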

What if My Kernel Is Not Supported?

  • If your system does not meet these requirements, Kerno's eBPF agent cannot run in your environment.


Hardware and Resource Requirements

  • CPU Architectures: Kerno fully supports x86 and ARM processors.

  • Resources: Kerno's services have resource requests and limits optimized for low overhead. Actual usage depends on cluster activity; more active clusters may require more resources.

Memory

Kerno requires the following memory per node:

Kerno deploys its PEMs as a DaemonSet on your cluster to collect and store telemetry data. The default memory limit is 2Gi per PEM. The lowest recommended value is 1Gi per PEM. For more information on configuring Kerno's memory usage, see the Tuning Memory Usage page.

Network Traffic

Kerno's Vizier module sends outgoing HTTPS/2 requests to Kerno's Cloud on port 443.

Your cluster's telemetry data flows through Kerno's Cloud via a reverse proxy as encrypted traffic without persistence. This allows users to access data without being in the same VPC/network as the cluster. Kerno offers end-to-end encryption for telemetry data in flight.

Pod Security Context

Kerno interacts with the Linux kernel to install BPF programs to collect telemetry data. Kerno vizier-pem-* pods require privileged access to install BPF programs.
