Tetragon
eBPF-based Security Observability and Runtime Enforcement tool that detects and reacts to security events such as process execution, system calls, and I/O activity. Kubernetes-aware, so security event detection can be scoped to individual workloads.
Description
Tetragon is Cilium's eBPF-based component for real-time Security Observability and Runtime Enforcement. It detects security-significant events including process execution, system call activity, and I/O activity such as network and file access, and can react to those events (for example by enforcing a policy), which makes it suitable for security monitoring.
In Kubernetes environments, Tetragon understands Kubernetes identities like namespaces and pods, allowing security event detection to be configured relative to individual workloads. This makes it particularly useful for containerized and cloud-native security observability.
The package provides the tetra CLI for interacting with Tetragon's functionality.
How It Works
Tetragon uses eBPF (extended Berkeley Packet Filter) programs loaded into the kernel to observe low-level system events in real time: process execution, system calls, network activity, and file I/O. Policies can both report and enforce on these events. In Kubernetes, it enriches events with cluster identities (namespaces, pods) for context-aware detection and response. The tetra CLI communicates with the Tetragon agent over gRPC.
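Tetragon expresses what to observe and how to react in a TracingPolicy. The following policy is an added example written for this page, not a policy shipped by the Tetragon project; it hooks the kernel's security_file_permission function (the argument layout and the Prefix operator follow the upstream TracingPolicy schema as I know it), reports every access to files under /etc/shadow, and kills the offending process. The policy name and the path prefix are the author's choices.

```yaml
# Added example: report and block access to /etc/shadow.
# Assumes the upstream TracingPolicy schema (cilium.io/v1alpha1).
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: block-shadow-access   # hypothetical policy name
spec:
  kprobes:
  - call: "security_file_permission"   # LSM hook on every file read/write
    syscall: false                     # kernel function, not a syscall
    args:
    - index: 0
      type: "file"                     # struct file* -> resolved to a path
    - index: 1
      type: "int"                      # access mask (MAY_READ / MAY_WRITE)
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/shadow"                # matches /etc/shadow and /etc/shadow-
      matchActions:
      - action: Sigkill                # enforcement: terminate the process
```

Apply it on a Kubernetes cluster with kubectl apply -f, or pass it to the standalone agent at startup; either way the matching events are then visible through tetra getevents. Drop the matchActions block to run the same policy in observe-only mode while tuning it.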
Installation
sudo apt install tetragon
Examples
tetra -h
tetra bugtool
tetra completion
tetra cri
tetra getevents
tetra loglevel
tetra probe
tetra stacktrace-tree