Installation Requirements

System Requirements

Before you get started with the installation, make sure you meet the requirements below.

If you encounter issues or have questions, simply message us on Slack, and we’ll gladly help.

Kubernetes RBAC Permissions

To install Kerno, you need permission to deploy the following Kubernetes objects:

  • StatefulSet

  • Deployment

  • DaemonSet (with privileged containers for loading eBPF)

  • ConfigMap

  • Secret

  • PersistentVolumeClaim (PVC)

Kubernetes

Kubernetes v1.21+ is required.

The following tables list Kubernetes environments that have been tested with Kerno.

Kerno may work on other Kubernetes environments. If you find an unlisted environment that works well, please let us know.

Production Environments

| Kubernetes environment | Support |
|---|---|
| AKS | Supported |
| EKS | Supported (includes support on Bottlerocket AMIs) |
| EKS Fargate | Not supported (Fargate does not support eBPF) |
| GKE | Supported |
| GKE Autopilot | Not supported (Autopilot does not support eBPF) |
| OKE | Supported |
| OpenShift | Supported |
| kOps | Supported |
| Self-hosted | Generally supported, see requirements below including Linux kernel version. |

Local Development Environments

For local development, we recommend using Minikube with a VM driver (kvm2 on Linux, hyperkit on Mac). Note that Kubernetes environments that run inside a container are not currently supported.

| Kubernetes environment | Support |
|---|---|
| Docker Desktop | Not supported |
| Rancher Desktop | Supported for containerd container runtime (not supported for dockerd runtime) |
| k0s | Supported |
| k3s | Supported |
| k3d | Not supported |
| kind | Not supported |
| minikube with driver=kvm2 | Supported |
| minikube with driver=hyperkit | Supported |
| minikube with driver=docker | Not supported |
| minikube with driver=none | Not supported |

Kernel Version

Kerno supports Linux kernel version 5.3 or higher (released after 2020).

Run uname -r on your Linux system to check your kernel version.

Supported Linux Distributions

| Distribution | Supported Versions |
|---|---|
| Debian | 11+ |
| RedHat Enterprise Linux | 8.2+ |
| Ubuntu | 20.10+ |
| CentOS | 7.3+ |
| Fedora | 31+ |
| BottlerocketOS | 1.10+ |
| Amazon Linux | All official AMIs |
| Google COS | All official AMIs |
| Azure Linux | All official AMIs |
| Talos | 1.7.3+ |

Note: Kerno might work on other Linux kernels that are not listed here.

If your distribution isn't listed, please drop us a note on Slack.

Permissions

  • Loading the eBPF code requires running privileged containers.

Note: eBPF is entirely safe to run. It uses a verifier to ensure that BPF programs are safe to run, won’t break the kernel in any way, and won’t violate the system's security model.

CO-RE Support

Kerno leverages eBPF’s CO-RE (Compile Once - Run Everywhere) capability to ensure compatibility across various Linux kernels and distributions. This requires the kernel to be compiled with BTF (BPF Type Format) information, enabled by setting the CONFIG_DEBUG_INFO_BTF=y flag during kernel compilation. Most modern Linux distributions now include this by default.

To verify if your kernel supports CO-RE, look for the presence of the BTF file:

$ ls -la /sys/kernel/btf/vmlinux

-r--r--r--. 1 root root 3541561 Jun 2 18:16 /sys/kernel/btf/vmlinux

If the vmlinux file is listed, your kernel has CO-RE support enabled.
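
A node-level preflight that combines the two checks above (kernel 5.3 or higher, and BTF at /sys/kernel/btf/vmlinux), as an added example that is not part of Kerno's documentation or tooling. The function names, the --check argument and the return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: node preflight for the kernel and BTF requirements above.
# Function names, --check and return codes are this example's own, not Kerno's.

# kernel_at_least RELEASE MAJOR MINOR
# RELEASE is a `uname -r` string such as "5.15.0-91-generic".
# Returns 0 if RELEASE >= MAJOR.MINOR, 1 if older, 2 if it cannot be parsed.
kernel_at_least() {
    case $1 in *.*) ;; *) return 2 ;; esac
    ka_major=${1%%.*}
    ka_rest=${1#*.}
    ka_minor=${ka_rest%%[!0-9]*}   # drops ".0-91-generic" and similar suffixes
    case $ka_major in ''|*[!0-9]*) return 2 ;; esac
    case $ka_minor in '') return 2 ;; esac
    if [ "$ka_major" -gt "$2" ]; then return 0; fi
    if [ "$ka_major" -eq "$2" ] && [ "$ka_minor" -ge "$3" ]; then return 0; fi
    return 1
}

# btf_available PATH
# The page's check is that the BTF file exists; this also requires it to be
# readable and non-empty.
btf_available() {
    [ -r "$1" ] && [ -s "$1" ]
}

# preflight [RELEASE] [BTF_PATH]
# Defaults to the running kernel. Prints one line per check and returns the
# number of failed checks (0 means the node meets both requirements).
preflight() {
    pf_release=${1:-$(uname -r)}
    pf_btf=${2:-/sys/kernel/btf/vmlinux}
    pf_fail=0
    if kernel_at_least "$pf_release" 5 3; then
        echo "ok:   kernel $pf_release is 5.3 or higher"
    else
        echo "FAIL: kernel $pf_release is older than 5.3 or could not be parsed"
        pf_fail=$((pf_fail + 1))
    fi
    if btf_available "$pf_btf"; then
        echo "ok:   BTF found at $pf_btf"
    else
        echo "FAIL: no BTF at $pf_btf (is CONFIG_DEBUG_INFO_BTF=y set?)"
        pf_fail=$((pf_fail + 1))
    fi
    return "$pf_fail"
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then preflight; exit $?; fi
```

Run it with --check on each node that will host the DaemonSet; a non-zero exit status is the number of failed checks.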

What if My Kernel Is Not Supported?

  • If your system does not meet these requirements, Kerno's eBPF agent cannot run in your environment.


Hardware and Resource Requirements

  • CPU Architectures: Kerno fully supports x86 and ARM processors.

  • Resources: Kerno's services have resource requests and limits optimized for low overhead. Actual usage depends on cluster activity; more active clusters may require more resources.

Memory

Kerno requires the following memory per node:

| Minimum | Note |
|---|---|
| 1GB | We recommend using no more than 25% of the nodes' total memory for Kerno to accommodate application pods. |

Kerno deploys its PEMs as a DaemonSet on your cluster to collect and store telemetry data. The default memory limit is 2Gi per PEM. The lowest recommended value is 1Gi per PEM.

Network Traffic

Kerno's Vizier module sends outgoing HTTPS/2 requests to Kerno's Cloud on port 443.

Your cluster's telemetry data flows through Kerno's Cloud via a reverse proxy as encrypted traffic without persistence. This allows users to access data without being in the same VPC/network as the cluster. Kerno offers end-to-end encryption for telemetry data in flight.

Pod Security Context

Kerno interacts with the Linux kernel to install BPF programs to collect telemetry data. Kerno vizier-pem-* pods require privileged access to install BPF programs.
