
Workload Configuration

To instrument Google Cloud Run workloads, the Upwind Tracer must be used.

Configuring a workload to be instrumented with the tracer requires embedding the tracer as part of the container image directly at build time.

Cloud Run workloads have one additional requirement: the gen2 execution environment must be selected so that the tracer can use ptrace efficiently.

resource "google_cloud_run_v2_service" "workload" {
  template {
    execution_environment = "EXECUTION_ENVIRONMENT_GEN2"
  }
}

Add the Upwind Tracer to your Dockerfile

This step involves

  1. Adding a build stage.
  2. Copying the Upwind Sensor binary into the workload image.
  3. Setting up the entrypoint to run the tracer and then have the tracer execute your application.

Below is a simple example of a Dockerfile with these additions:

# syntax=docker/dockerfile:1

# (1) Add the Upwind Tracer image as a build stage.
FROM public.ecr.aws/upwindsecurity/images/tracer:0.3.1 AS upwind-tracer

# (2) Copy the Upwind Tracer binary from the build stage into your workload image.
FROM workload-image

COPY --from=upwind-tracer /var/lib/upwind /var/lib/upwind

# (3) Set the default entrypoint to the Upwind Tracer, and pass the path
# to your application so the tracer can invoke it.
ENTRYPOINT ["/var/lib/upwind/upwind-tracer", "/path/to/your/app"]

Build and Push Image

After building your image, push it to Artifact Registry or another supported registry and reference it from a Cloud Run Service or Function. See the documentation for Google Cloud Run here.

Configure Tracer to Cluster Manager communication

The tracer pushes telemetry to the Upwind Cluster Manager over a gRPC connection. To configure the tracer, set the following pair of environment variables on the workload's service or job definition.

env {
  name  = "UPWIND_TRACER_API_HOST"
  value = "{CLUSTER_MANAGER_URI}"
}

env {
  name  = "UPWIND_TRACER_EXTENDED_SYSCALLS"
  value = "true"
}

The value for the UPWIND_TRACER_API_HOST variable can be fetched by consuming the output variable upwind_cluster_manager_uri from the Terraform integration; see the output variables here. It is the domain name of the Cluster Manager Cloud Run service, which can also be viewed in the Google Cloud Console in the service details for the Cluster Manager service.

In order for the tracer to identify layer 7 traffic (including HTTP requests) in Google Cloud Run, the tracer must monitor an extended set of syscalls, which is enabled by setting the UPWIND_TRACER_EXTENDED_SYSCALLS variable to true.
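The fragments above combined into one deployable Cloud Run v2 service, as an added example that is not part of the Upwind documentation: the service name, region, image path and the cluster_manager_uri input variable are assumptions, and the image is the one built from the Dockerfile above.

```hcl
# Added example (not Upwind's own configuration). Feed cluster_manager_uri
# from the upwind_cluster_manager_uri output of the Upwind Terraform integration.
variable "cluster_manager_uri" {
  description = "Domain name of the Upwind Cluster Manager Cloud Run service"
  type        = string

  validation {
    # Catch an empty or placeholder value before the service is deployed.
    condition     = length(var.cluster_manager_uri) > 0 && !startswith(var.cluster_manager_uri, "{")
    error_message = "cluster_manager_uri must be set to the Cluster Manager domain name."
  }
}

resource "google_cloud_run_v2_service" "workload" {
  name     = "instrumented-workload" # assumed service name
  location = "us-central1"           # assumed region

  template {
    # gen2 is required so the tracer can use ptrace efficiently.
    execution_environment = "EXECUTION_ENVIRONMENT_GEN2"

    containers {
      # Image built from the Dockerfile above; placeholder registry path.
      image = "us-central1-docker.pkg.dev/PROJECT_ID/REPO/workload:TAG"

      # Where the tracer sends telemetry over gRPC.
      env {
        name  = "UPWIND_TRACER_API_HOST"
        value = var.cluster_manager_uri
      }

      # Needed on Cloud Run so the tracer can see layer 7 (e.g. HTTP) traffic.
      env {
        name  = "UPWIND_TRACER_EXTENDED_SYSCALLS"
        value = "true"
      }
    }
  }
}
```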