Tetragon#

What is Tetragon?#

Cilium Tetragon is a flexible, Kubernetes-aware security observability and runtime enforcement tool. Built on eBPF, it runs as a low-overhead, in-kernel sensor that monitors system behaviour such as process execution, system calls, file access, and network activity, and can enforce policy on those events in real time.

Tetragon builds on the Kubernetes-native design of Cilium and goes beyond traditional observability tools by attaching workload identity, such as namespace and pod metadata, to every event it reports.

In-depth System Monitoring
Track system calls, file accesses, network operations, privilege escalations, and more. Capture detailed metadata about process executions, enabling analysis of network protocols (DNS, TLS, HTTP, and more) and providing context for traffic flows and runtime events.
Real-time Policy Enforcement
Deploy eBPF programs that enforce security policies inside the kernel, mitigating risks without the latency of a round trip through user space. Policies are applied and managed declaratively, so controls can follow dynamic application lifecycles.
Minimal Resource Footprint
Designed so that security controls do not degrade application performance: eBPF in-kernel filtering and aggregation keep Tetragon's overhead low.

Architecture Overview#

Tetragon policies enable deep, real-time observability and enforcement. The Tetragon eBPF sensor sits in the kernel, observing every process execution, system call, kubectl exec, file I/O operation, and more.

It brings together network and runtime data, with DNS, TLS, and HTTP protocol support, so that runtime threats can be correlated with the surrounding network activity and the exact binaries and processes that generated a given egress flow can be identified.

(Figure: Tetragon architecture diagram)

Deep dive into the 1.0 Release blog!#

Tetragon exposes its insights through two primary mechanisms: JSON logs and a gRPC endpoint.

JSON Logs
Tap into the raw JSON output to export Tetragon events and gain visibility into them. Each event carries detailed information about the executed binary, its arguments, execution time, and Kubernetes metadata, which makes the stream valuable for security analysis and operations.
gRPC Endpoint
Tetragon also exposes a gRPC endpoint for consuming security events directly. The endpoint's configuration, including its address and port, can be customized through Helm, providing flexibility for deployment across your environments.

Try it out#

Find the right journey and explore the Tetragon hands-on labs at your own pace!

Getting Started with Tetragon
Install Cilium Tetragon, verify that it is up and running, and start identifying security observability events in an attack scenario.
SecOps Engineer
The SecOps Engineer journey takes you through labs featuring Network Policies, Runtime Security with Tetragon, TLS Visibility, Transparent Encryption, Mutual Authentication, Host Firewall, and Egress Gateway.
Tetragon TLS Visibility
Runtime and network visibility with Tetragon: deploy a TracingPolicy to gain deeper insight into TLS communications and export the events to a SIEM in JSON format.

Use Cases#

Security Visibility
Observe process, file, and network activity directly in the kernel.
Runtime Security Enforcement
In-kernel enforcement that can override return values or send a signal (for example SIGKILL) to the offending process.
Compliance Monitoring
Implement compliance controls for Kubernetes and produce evidence that they are in place.
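The Runtime Security Enforcement use case above, as an added example that is not taken from this page or from the Tetragon project's own documentation: a TracingPolicy that attaches a kprobe to the kernel's security_file_permission hook and sends SIGKILL to any process running inside a container (that is, outside the host PID namespace) that opens /etc/passwd or /etc/shadow for writing. The policy name and the chosen paths are illustrative assumptions; the field names follow the TracingPolicy CRD.

```yaml
# Added example: kills container processes that write to the local account
# database. Not part of the original page; adapt the paths to your workloads.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "block-passwd-writes-in-pods"   # assumed name
spec:
  kprobes:
  # security_file_permission is the LSM hook the VFS calls before a read or
  # write on an already-open file, so the path argument is the resolved file,
  # not an attacker-controlled string.
  - call: "security_file_permission"
    syscall: false
    args:
    - index: 0
      type: "file"          # struct file *: Tetragon resolves it to a path
    - index: 1
      type: "int"           # mask: 4 = MAY_READ, 2 = MAY_WRITE, 1 = MAY_EXEC
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/passwd"     # also covers /etc/passwd- backup files
        - "/etc/shadow"
      - index: 1
        operator: "Equal"
        values:
        - "2"               # only writes; reads of /etc/passwd are routine
      # Scope enforcement to containers: anything not in the host PID namespace.
      matchNamespaces:
      - namespace: Pid
        operator: NotIn
        values:
        - "host_ns"
      matchActions:
      - action: Sigkill
```

Apply it with kubectl apply -f and watch the resulting process_kprobe events with tetra getevents -o compact; each event carries the pod namespace, pod name, binary, and the matched path, so the kill is attributable without further correlation. Note that a signal is delivered when the task returns to user space, so the write that triggered the probe may still complete; to make the call itself fail, use the Override action instead (argError: -1, i.e. EPERM returned to the caller), which requires a kernel built with error injection support (CONFIG_BPF_KPROBE_OVERRIDE) and a hooked function that permits it.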

Why Tetragon?#

Built for Kubernetes, Tetragon's identity-aware eBPF approach simplifies comprehensive K8s runtime security.

Security Observability
Beyond traditional logging and monitoring, Tetragon provides insights into the runtime behavior of applications, capturing events like process execution, network communications, and file access.
Kernel-level Enforcement
Because enforcement happens in the kernel, Tetragon blocks malicious activity as it occurs, according to policy definitions, closing the window for exploitation without succumbing to the TOCTOU races that affect agents which decide in user space after the fact.
Platform and Operations-Friendly
Kubernetes-native by design, Tetragon is built to integrate with Linux environments and ships with policies and dashboards that reduce the operational burden in large-scale environments.
Out-of-the-box Policy Library
Pre-defined, out-of-the-box policy libraries and dashboards facilitate rapid deployment and immediate operational insight, minimizing setup time and complexity.
Compatibility and Support
Isovalent Enterprise for Tetragon extends Tetragon with support for older kernel versions, enhanced L7 capabilities (for example TLS/SSL parsing), and a rule converter for existing osquery, Falco, F5, and Sentinel rulesets.