Installation Requirements
System Requirements
Before you get started with the installation, make sure you meet the requirements below.
If you encounter issues or have questions, simply message us on Slack, and we’ll gladly help.
Kubernetes RBAC Permissions
To install Kerno, you need permission to deploy the following Kubernetes objects:
StatefulSet
Deployment
DaemonSet (with privileged containers for loading eBPF)
ConfigMap
Secret
PersistentVolumeClaim (PVC)
Kubernetes
Kubernetes v1.21+ is required.
The following tables list Kubernetes environments that have been tested with Kerno.
Kerno may work on other K8s environments. If you find an unlisted K8s environment that works well, please let us know by contacting us.
Production Environments
AKS: Supported
EKS: Supported (includes support on Bottlerocket AMIs)
EKS Fargate: Not supported (Fargate does not support eBPF)
GKE: Supported
GKE Autopilot: Not supported (Autopilot does not support eBPF)
OKE: Supported
OpenShift: Supported
kOps: Supported
Self-hosted: Generally supported, see requirements below including Linux kernel version.
Local Development Environments
For local development, we recommend using Minikube with a VM driver (kvm2 on Linux, hyperkit on Mac). Note that Kubernetes environments that run inside a container are not currently supported.
Docker Desktop: Not supported
Rancher Desktop: Supported for containerd container runtime (not supported for dockerd runtime)
k0s: Supported
k3s: Supported
k3d: Not supported
kind: Not supported
minikube with driver=kvm2: Supported
minikube with driver=hyperkit: Supported
minikube with driver=docker: Not supported
minikube with driver=none: Not supported
Kernel Version
Kerno supports Linux kernel version 5.3 or higher (released after 2020).
Run uname -r on your Linux system to check your kernel version.
Supported Linux Distributions
Distribution: Supported Versions
Debian: 11+
RedHat Enterprise Linux: 8.2+
Ubuntu: 20.10+
CentOS: 7.3+
Fedora: 31+
BottlerocketOS: 1.10+
Amazon Linux: All official AMIs
Google COS: All official AMIs
Azure Linux: All official AMIs
Talos: 1.7.3+
Note: Kerno might work on other Linux kernels that are not listed here.
If your distribution isn't listed, please drop us a note on Slack.
Permissions
Loading the eBPF code requires running privileged containers.
Note: eBPF is entirely safe to run. It uses a verifier to ensure that BPF programs are safe to run, won’t break the kernel in any way, and won’t violate the system's security model.
CO-RE support
Kerno leverages eBPF’s CO-RE (Compile Once - Run Everywhere) capability to ensure compatibility across various Linux kernels and distributions. This requires the kernel to be compiled with BTF (BPF Type Format) information, enabled by setting the CONFIG_DEBUG_INFO_BTF=y flag during kernel compilation. Most modern Linux distributions now include this by default.
To verify if your kernel supports CO-RE, look for the presence of the BTF file:
If the vmlinux file is listed, your kernel has CO-RE support enabled.
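The kernel version and BTF requirements above can be checked together on a node before installing. The script below is an added example, not part of Kerno; the function names are hypothetical, and the path /sys/kernel/btf/vmlinux is assumed as the standard location where a BTF-enabled kernel exposes its type information.

```sh
#!/bin/sh
# Added example: node preflight for the kernel version and BTF requirements.
# Assumption: /sys/kernel/btf/vmlinux is where a kernel built with
# CONFIG_DEBUG_INFO_BTF=y exposes its BTF; the page does not name the path.
MIN_MAJOR=5
MIN_MINOR=3

# kernel_ok RELEASE: RELEASE is in `uname -r` form, e.g. 5.15.0-91-generic.
# Returns 0 if >= 5.3, 1 if older, 2 if the string cannot be parsed.
kernel_ok() {
    major=${1%%.*}            # text before the first dot
    rest=${1#*.}              # text after the first dot
    minor=${rest%%[!0-9]*}    # leading digits of the remainder
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in '') return 2 ;; esac
    [ "$major" -gt "$MIN_MAJOR" ] && return 0
    [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ] && return 0
    return 1
}

# btf_present [PATH]: returns 0 if the BTF file is listed at PATH.
btf_present() {
    [ -e "${1:-/sys/kernel/btf/vmlinux}" ]
}

# preflight RELEASE BTF_PATH: prints one line per check, returns 0 if both pass.
preflight() {
    status=0
    if kernel_ok "$1"; then
        echo "ok:   kernel $1 is >= $MIN_MAJOR.$MIN_MINOR"
    else
        echo "FAIL: kernel $1 is below $MIN_MAJOR.$MIN_MINOR or unparseable"
        status=1
    fi
    if btf_present "$2"; then
        echo "ok:   BTF found at $2 (CO-RE available)"
    else
        echo "FAIL: no BTF at $2 (kernel likely built without BTF)"
        status=1
    fi
    return "$status"
}

# Check the local node only when asked: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight "$(uname -r)" /sys/kernel/btf/vmlinux
fi
```

Some distribution kernels in the list above carry backports and report an older upstream number (RHEL 8.x reports 4.18), so read a version failure alongside the distribution list rather than on its own.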
What if My Kernel Is Not Supported?
If your system does not meet these requirements, Kerno's eBPF agent cannot run in your environment.
Hardware and Resource Requirements
CPU Architectures: Kerno fully supports x86 and ARM processors.
Resources: Kerno's services have resource requests and limits optimized for low overhead. Actual usage depends on cluster activity; more active clusters may require more resources.
Memory
Kerno requires the following memory per node: 1GB
We recommend using no more than 25% of the nodes' total memory for Kerno to accommodate application pods.
Kerno deploys its PEMs as a DaemonSet on your cluster to collect and store telemetry data. The default memory limit is 2Gi per PEM. The lowest recommended value is 1Gi per PEM.
Network Traffic
Kerno's Vizier module sends outgoing HTTPS/2 requests to Kerno's Cloud on port 443.
Your cluster's telemetry data flows through Kerno's Cloud via a reverse proxy as encrypted traffic without persistence. This allows users to access data without being in the same VPC/network as the cluster. Kerno offers end-to-end encryption for telemetry data in flight.
Pod Security Context
Kerno interacts with the Linux kernel to install BPF programs to collect telemetry data. Kerno vizier-pem-* pods require privileged access to install BPF programs.