April 16, 2026 · 1 min read

Tetragon — eBPF-Based Security Observability for Kubernetes

Tetragon provides real-time security observability and runtime enforcement using eBPF, giving deep visibility into process, file, and network activity in Kubernetes.

Introduction

Tetragon is a CNCF runtime security and observability tool built on eBPF by the Cilium team. It hooks directly into the Linux kernel to monitor process execution, file access, network connections, and privilege escalation — all without modifying application code or using kernel modules. Tetragon enables security teams to detect and block threats in real time at the kernel level.

What Tetragon Does

  • Monitors process lifecycle events (exec, exit, signals) across all pods and nodes
  • Tracks file access and modifications with full path and process context
  • Observes network connections with source, destination, and protocol details
  • Enforces runtime security policies that can block malicious actions in-kernel
  • Exports events to JSON, gRPC, or integrations like Elasticsearch and Splunk

Architecture Overview

Tetragon runs as a DaemonSet on each Kubernetes node. It loads eBPF programs into the kernel that attach to tracepoints and kprobes for process, file, and network events. TracingPolicy CRDs define what to observe and what to enforce. Events flow from the kernel through a perf ring buffer to the Tetragon agent in user space, which enriches them with Kubernetes metadata (pod name, namespace, labels) before exporting. Enforcement actions (SIGKILL, return-value override) execute in-kernel for sub-microsecond response times.

Self-Hosting & Configuration

  • Deploy via Helm chart into any Kubernetes cluster running Linux 5.4+ kernels
  • Define TracingPolicy CRDs to monitor specific syscalls, file paths, or binaries
  • Export events to stdout (JSON), gRPC endpoint, or Hubble for centralized collection
  • Configure resource limits for the DaemonSet based on cluster size and event volume
  • Works alongside Cilium CNI but does not require it — Tetragon is standalone
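A TracingPolicy that combines the observe and enforce sides described above, added here as an example and not taken from the Tetragon project: the CRD structure follows Tetragon's TracingPolicy schema, while the policy name, the watched paths and the excluded binary are assumed values chosen for illustration.

```yaml
# Added example, not taken from the Tetragon project. The CRD fields follow
# Tetragon's TracingPolicy schema; the policy name, watched paths and the
# excluded binary are assumed values chosen for illustration.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "block-credential-file-writes"
spec:
  kprobes:
  # security_file_permission fires on every file read/write, whatever syscall reached it.
  - call: "security_file_permission"
    syscall: false
    args:
    - index: 0
      type: "file"   # struct file *, resolved by Tetragon to a path
    - index: 1
      type: "int"    # access mask: 4 = MAY_READ, 2 = MAY_WRITE
    selectors:
    # Selector 1: kill any process writing to credential files, except the
    # package manager we trust for legitimate updates (assumed path).
    - matchBinaries:
      - operator: "NotIn"
        values:
        - "/usr/bin/dpkg"
      matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/passwd"
        - "/etc/shadow"
        - "/etc/sudoers"
      - index: 1
        operator: "Equal"
        values:
        - "2"        # MAY_WRITE
      matchActions:
      - action: Sigkill
    # Selector 2: reads of the same files are only recorded (Post), so the
    # exported event carries the process tree and pod context without blocking.
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/shadow"
      - index: 1
        operator: "Equal"
        values:
        - "4"        # MAY_READ
      matchActions:
      - action: Post
```

Apply it with `kubectl apply -f`, then watch the JSON export on stdout: matching events carry the pod namespace, name and labels the agent adds before export.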

Key Features

  • Zero-instrumentation observability powered by eBPF kernel hooks
  • In-kernel enforcement blocks threats before they reach user space
  • Kubernetes-aware event enrichment with pod, namespace, and label context
  • TracingPolicy CRDs for declarative security policy as code
  • Low overhead — eBPF programs run in kernel space with minimal CPU impact

Comparison with Similar Tools

  • Falco — eBPF/syscall-based detection but primarily alerting, limited in-kernel enforcement
  • Sysdig — commercial runtime security with broader platform but closed source
  • Seccomp profiles — kernel filtering but static and hard to manage at scale
  • AppArmor / SELinux — mandatory access control but complex policy authoring

FAQ

Q: Does Tetragon require Cilium CNI? A: No, Tetragon runs standalone on any Kubernetes cluster. Cilium integration adds network policy context but is optional.

Q: What kernel version is required? A: Tetragon requires Linux kernel 5.4 or later for full eBPF feature support.

Q: Can Tetragon block malicious processes? A: Yes, TracingPolicy actions can send SIGKILL or override return values to block processes in-kernel.

Q: How does Tetragon compare to audit logging? A: Tetragon provides richer context (Kubernetes metadata, process trees) and can enforce policies, while auditd only logs.
