{"id":13842221,"url":"https://github.com/kube-tarian/tarian","last_synced_at":"2026-03-08T21:09:31.564Z","repository":{"id":37275740,"uuid":"380862476","full_name":"kube-tarian/tarian","owner":"kube-tarian","description":"Protect your Cloud Native Applications running on Kubernetes from malicious attacks with pre-registered source code, pre-registered runtime processes monitoring, automated actions based on configure-actions, analytics, alerting and also sharing detections with community. Maybe save from Ransomware. Shift-Left your threat detection. Shift Right threat elimination.","archived":false,"fork":false,"pushed_at":"2024-12-11T23:58:44.000Z","size":12651,"stargazers_count":54,"open_issues_count":1,"forks_count":12,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-09T20:09:40.038Z","etag":null,"topics":["anti-malware","anti-virus","antimalware","antivirus","antivirus-software","cloudnative","containers","devsecops","ebpf","hacktoberfest","kubernetes","kubernetes-antimalware","kubernetes-security","microservices","runtime-security","security","security-hardening","security-tools","shiftleft","tarian"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kube-tarian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/contributing.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-06-28T00:11:53.000Z","updated_at":"2025-01-05T19:07:59.000Z","dependencies_parsed_at":"2023-02-12T19:16:26.175Z","dependency_job_id":"e549b691-3f02-4448-b282-01a15103a8a0","html_url":"https://
github.com/kube-tarian/tarian","commit_stats":{"total_commits":504,"total_committers":6,"mean_commits":84.0,"dds":0.1507936507936508,"last_synced_commit":"8bbca63283a8e4afa9c66adbfb8517bedf5fbc27"},"previous_names":[],"tags_count":53,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kube-tarian%2Ftarian","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kube-tarian%2Ftarian/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kube-tarian%2Ftarian/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kube-tarian%2Ftarian/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kube-tarian","download_url":"https://codeload.github.com/kube-tarian/tarian/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248103871,"owners_count":21048245,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-malware","anti-virus","antimalware","antivirus","antivirus-software","cloudnative","containers","devsecops","ebpf","hacktoberfest","kubernetes","kubernetes-antimalware","kubernetes-security","microservices","runtime-security","security","security-hardening","security-tools","shiftleft","tarian"],"created_at":"2024-08-04T17:01:29.705Z","updated_at":"2026-03-08T21:09:26.526Z","avatar_url":"https://github.com/kube-tarian.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\u003cimg 
src=\"logo/tarian-new-logo-1.png\" width=\"175\"\u003e\u003c/p\u003e\n\n# Tarian\n\nProtect your applications running on Kubernetes from malicious attacks by pre-registering your trusted processes and trusted file signatures. Tarian will detect unknown processes and changes to the registered files, then it will send alerts and take an automated action. Save your K8s environment from Ransomware!\n\nWe want to maintain this as an open-source project to fight against the attacks on our favorite Kubernetes ecosystem. By continuous contribution, we can fight threats together as a community.\n\n[![Build status](https://img.shields.io/github/workflow/status/kube-tarian/tarian/CI?style=flat)](https://github.com/kube-tarian/tarian/actions)\n[![Go Report Card](https://goreportcard.com/badge/github.com/kube-tarian/tarian)](https://goreportcard.com/report/github.com/kube-tarian/tarian)\n[![codecov](https://codecov.io/gh/kube-tarian/tarian/graph/badge.svg?token=PH8E9ZOVR4)](https://codecov.io/gh/kube-tarian/tarian)\n\n---\n\n**How does Tarian work?**\n\nTarian Cluster Agent runs in the Kubernetes cluster, detects unknown processes and unknown changes to files, reports them to Tarian Server, and optionally takes action: deleting the violating pod. It uses eBPF to detect new processes. For file change detection, Tarian Cluster Agent injects a sidecar container into your main application's pod, which checks file checksums in the configured path and compares them with the checksums registered in Tarian Server. Tarian will be a part of your application's pod from the dev to the prod environment, hence you can register in your Tarian DB what is supposed to be happening \u0026 running in your container + file signatures to be watched + what should be notified + the action to take (self-destroy the pod) based on changes detected. 
Shift-left your detection mechanism!\n\n\n**What if an unknown change happens inside the container which is not in Tarian's registration DB? How does Tarian react to it?**\n\nIf an unknown change happens, Tarian can simply report the observed analytics to your Security Team. Then your Security Engineers can register that change in the Tarian DB, whether it's considered a threat or not. Also, based on their analysis, they can configure what action to take when that change happens again.\n\n\n**How does the contribution of the community help to fight against threats via Tarian?**\n\nAny new detection analyzed \u0026 marked as a threat by your Security Experts can, if they choose, be shared with the open-source Tarian community DB with all the logs, strings to look for, observations, transparency, actions to configure, ... Basically anything the Experts want to warn about \u0026 share with the community. As a Tarian user, you can use that information and configure actions in the Tarian app used in your environment. This is basically a mechanism to share info about threats \u0026 what to do with them. It helps everyone using Tarian to take action together in their respective K8s environments by sharing their knowledge \u0026 experience.\n\n\n**What kind of action(s) would Tarian take based on known threat(s)?**\n\nTarian would simply self-destroy the pod it's running on. If the malware/virus spreads to the rest of the environment, well, you know what happens. So, Tarian is basically designed to help reduce the risk as much as possible by destroying pods. Provisioning a new pod will be taken care of by the K8s Deployment. Tarian will only destroy pods if you tell Tarian to do so. If you don't want any actions to happen, you don't have to configure or trigger any; you can simply tell Tarian to just notify you. 
Tarian basically does what you want done to reduce the risk.\n\n\n**Why another new security tool when there are many tools available already, like Falco, Kube-Hunter, Kube-Bench, Calico Enterprise Security, and many more security tools (open-source \u0026 commercial) that can detect \u0026 prevent threats at the network, infra \u0026 application level? Why Tarian?**\n\nThe main reason Tarian was born is to fight threats in Kubernetes together as a community. Another reason was: what if there is still some sophisticated attack which is capable of penetrating every layer of your security, able to reach your runtime app (Remote Code Execution) and your storage volumes, and capable of spreading to damage or lock your infra \u0026 data?! What do you want to do about such attacks, especially those which turn into ransomware? Tarian is designed to reduce such risks by taking action(s). We know that Tarian is not the ultimate solution, but we are confident that it can help reduce risks, especially when knowledge is shared continuously by the community. From a technical perspective, Tarian can help reduce the risk by destroying the infected resources.\n\n## Architecture diagram\n\n![Arch. Diagram](./docs/architecture-diagram.png)\n\n## Requirements\n\n- Supported Kubernetes version (currently 1.22+)\n- Kernel version \u003e= 5.8\n- Kernel with [BTF](https://www.kernel.org/doc/html/latest/bpf/btf.html) information to support eBPF CO-RE.\n  Some major Linux distributions come with kernel BTF already built in. If your kernel doesn't come with BTF built in,\n  you'll need to build a custom kernel. 
See [BPF CO-RE](https://github.com/libbpf/libbpf#bpf-co-re-compile-once--run-everywhere).\n\n\n### Tested on popular Kubernetes Environments/Services:\n\n| Environment                                  | Working            | Notes                                                              |\n|----------------------------------------------|--------------------|--------------------------------------------------------------------|\n| Kind v0.14.0                                 | :heavy_check_mark: |                                                                    |\n| Minikube v1.26.0                             | :heavy_check_mark: |                                                                    |\n| Linode Kubernetes Engine (LKE) 1.22          | :heavy_check_mark: |                                                                    |\n| Digital Ocean Kubernetes Engine (DOKS) 1.22  | :heavy_check_mark: |                                                                    |\n| Google Kubernetes Engine (GKE) 1.22          | :heavy_check_mark: |                                                                    |\n| Amazon Elastic Kubernetes Engine (EKS)       | :heavy_minus_sign: | [kernel \u003c 5.8](https://github.com/awslabs/amazon-eks-ami/pull/862) |\n| Azure Kubernetes Service (AKS)               | :heavy_minus_sign: | [kernel \u003c 5.8](https://github.com/Azure/AKS/issues/2883)           |\n\n\n### Prepare Namespaces\n\n```bash\nkubectl create namespace tarian-system\n```\n\n### Setup Dgraph Database\n\nYou can use any [Dgraph installation](https://dgraph.io/docs/deploy/kubernetes/) option as long as it can be accessed from the tarian server.\n\n\n### Install tarian\n\n1. 
Install tarian using Helm\n\n```bash\nhelm repo add tarian https://kube-tarian.github.io/helm-charts\nhelm repo update\n\nhelm upgrade -i tarian-server tarian/tarian-server --devel -n tarian-system --set server.dgraph.address=DGRAPH_ADDRESS:PORT\nhelm upgrade -i tarian-cluster-agent tarian/tarian-cluster-agent --devel -n tarian-system\n```\n\n2. Wait for all the pods to be ready\n\n```bash\nkubectl wait --for=condition=ready pod --all -n tarian-system\n```\n\n3. Apply Dgraph schema\n\n```bash\nkubectl exec -ti deploy/tarian-server -n tarian-system -- ./tarian-server dgraph apply-schema\n```\n\n### Install tarian using tarianctl cli\n\nDownload the tarianctl binary from the GitHub release page.\n\nRun:\n\n```bash\ntarianctl install\n```\n\nYou can use the following flags to customize your installation.\n\n```\nInstall Tarian on Kubernetes.\n\nUsage:\n  tarianctl install [flags]\n\nFlags:\n      --agents-values strings   Path to the helm values file for Tarian Cluster Agent and Node agent .\n      --charts string           Path to the tarian helm charts directory.\n      --dgraph-values strings   Path to the helm values file for DGraph.\n  -h, --help                    help for install\n  -n, --namespace string        Namespace to install Tarian. 
(default \"tarian-system\")\n      --nats-values strings     Path to the helm values file for Nats.\n      --server-values strings   Path to the helm values file for Tarian Server.\n\nGlobal Flags:\n  -k, --kubeconfig string                 path to the kubeconfig file to use\n  -e, --log-formatter string              valid log formatters: json, text(default) (default \"text\")\n  -l, --log-level string                  valid log levels: debug, info(default), warn/warning, error, fatal (default \"info\")\n  -s, --server-address string             tarian server address to communicate with (default \"localhost:50051\")\n  -c, --server-tls-ca-file string         ca file that server uses for TLS connection\n  -t, --server-tls-enabled                if enabled, it will communicate with the server using TLS\n  -i, --server-tls-insecure-skip-verify   if set to true, it will skip server's certificate chain and hostname verification (default true)\n\n```\n## Configuration\n\nSee helm chart values for\n- [tarian-server](https://github.com/kube-tarian/tarian/blob/main/charts/tarian-server/values.yaml)\n- [tarian-cluster-agent](https://github.com/kube-tarian/tarian/blob/main/charts/tarian-cluster-agent/values.yaml)\n\n\n## Cloud / Vendor specific configuration\n\n### Private GKE cluster\n\nPrivate GKE cluster by default creates firewall rules to restrict master to nodes communication only on ports `443` and `10250`.\nTo inject tarian-pod-agent container, tarian uses a mutating admission webhook. The webhook server runs on port `9443`. So, we need\nto create a new firewall rule to allow ingress from master IP address range to nodes on tcp port **9443**.\n\nFor more details, see GKE docs on this topic: [https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules).\n\n\n## Usage\n\n### Use tarianctl to control tarian-server\n\n1. 
Download from the GitHub [release page](https://github.com/kube-tarian/tarian/releases)\n2. Extract the file and copy tarianctl to a directory on your PATH\n3. Expose tarian-server to your machine, through Ingress or port-forward. For this example, we'll use port-forward:\n\n```bash\nkubectl port-forward svc/tarian-server -n tarian-system 41051:80\n```\n\n4. Configure the server address with an env var\n\n```bash\nexport TARIAN_SERVER_ADDRESS=localhost:41051\n```\n\n### To see violation events\n\n```bash\ntarianctl get events\n```\n\n### Add a process constraint\n\n```bash\ntarianctl add constraint --name nginx --namespace default \\\n  --match-labels run=nginx \\\n  --allowed-processes=pause,tarian-pod-agent,nginx\n```\n\n```bash\ntarianctl get constraints\n```\n\n### Add a file constraint\n\n```bash\ntarianctl add constraint --name nginx-files --namespace default \\\n  --match-labels run=nginx \\\n  --allowed-file-sha256sums=/usr/share/nginx/html/index.html=38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521\n```\n\n```bash\ntarianctl get constraints\n```\n\n### Run tarian agent in a pod\n\nThen, after the constraints are created, we inject tarian-pod-agent into the pod by adding an annotation:\n\n```yaml\nmetadata:\n  annotations:\n    pod-agent.k8s.tarian.dev/threat-scan: \"true\"\n```\n\nA pod with this annotation will have an additional container injected (tarian-pod-agent). The tarian-pod-agent container will \ncontinuously verify the runtime environment based on the registered constraints. 
Any violation would be reported, which would be\naccessible with `tarianctl get events`.\n\n\n### Demo: Try a pod that violates the constraints\n\n```bash\nkubectl apply -f https://raw.githubusercontent.com/kube-tarian/tarian/main/dev/config/monitored-pod/configmap.yaml\nkubectl apply -f https://raw.githubusercontent.com/kube-tarian/tarian/main/dev/config/monitored-pod/pod.yaml\n\n# wait for it to become ready\nkubectl wait --for=condition=ready pod nginx\n\n# simulate unknown process runs\nkubectl exec -ti nginx -c nginx -- sleep 15\n\n# you should see it reported in tarian\ntarianctl get events\n```\n\n## Alert Manager Integration\n\nTarian comes with Prometheus Alert Manager by default. If you want to use another alert manager instance:\n\n```bash\nhelm install tarian-server tarian/tarian-server --devel \\\n  --set server.alert.alertManagerAddress=http://alertmanager.monitoring.svc:9093 \\\n  --set alertManager.install=false \\\n  -n tarian-system\n```\n\nTo disable it, you can set the alertManagerAddress value to empty.\n\n## Troubleshooting\n\nSee [docs/troubleshooting.md](docs/troubleshooting.md)\n\n## Automatic Constraint Registration\n\nWhen tarian-pod-agent runs in registration mode, instead of reporting unknown processes and files as violations, it automatically registers them as a new constraint. 
This saves the time of registering them manually.\n\nTo enable constraint registration, the cluster-agent needs to be configured.\n\n```bash\nhelm install tarian-cluster-agent tarian/tarian-cluster-agent --devel -n tarian-system \\\n  --set clusterAgent.enableAddConstraint=true\n```\n\nThen switch the pod-agent into registration mode with annotations on the pod:\n\n```yaml\nmetadata:\n  annotations:\n    # register both processes and file checksums\n    pod-agent.k8s.tarian.dev/register: \"processes,files\"\n    # ignore specific paths from automatic registration\n    pod-agent.k8s.tarian.dev/register-file-ignore-paths: \"/usr/share/nginx/**/*.txt\"\n```\n\nAutomatic constraint registration can also be done in a dev/staging cluster, so that there would be fewer changes in production.\n\n## Other supported annotations\n\n```yaml\nmetadata:\n  annotations:\n    # specify how often tarian-pod-agent should verify file checksums\n    pod-agent.k8s.tarian.dev/file-validation-interval: \"1m\"\n```\n\n## Securing tarian-server with TLS\n\nTo secure tarian-server with TLS, create a secret containing the TLS certificate. You can create the secret manually,\nor using [Cert Manager](https://cert-manager.io/). 
Once you have the secret, you can pass the name to the helm chart value:\n\n```\nhelm upgrade -i tarian-server tarian/tarian-server --devel -n tarian-system \\\n  --set server.tlsSecretName=tarian-server-tls\n```\n\n## Contributing\n\nSee [docs/contributing.md](docs/contributing.md)\n\n## Code of Conduct\nSee [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)\n\n## CodeOwners \u0026 Maintainers list\nSee [MAINTAINERS.md](MAINTAINERS.md)\n\n## Join our Slack channel \" tarian \"\n[Kube-Tarian-Slack](https://join.slack.com/t/kube-tarian/shared_invite/zt-118iqu4g6-wopEIyjqD_uy5uXRDChaLA)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkube-tarian%2Ftarian","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkube-tarian%2Ftarian","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkube-tarian%2Ftarian/lists"}