eBPF-based Security Observability and Runtime Enforcement
Cilium’s new Tetragon component enables powerful real-time, eBPF-based Security Observability and Runtime Enforcement.
Tetragon detects and is able to react to security-significant events, such as
When used in a Kubernetes environment, Tetragon is Kubernetes-aware - that is, it understands Kubernetes identities such as namespaces, pods and so on - so that security event detection can be configured in relation to individual workloads.
See more about how Tetragon is using eBPF.
Getting started
Refer to the official documentation of Tetragon.
To get started with Tetragon, take a look at the getting started guides to:
Tetragon is able to observe critical hooks in the kernel through its sensors and generates events enriched with Linux and Kubernetes metadata:
process_exec
and process_exit
events
by default, enabling full process lifecycle observability. Learn more about
these events on the process lifecycle use case page.process_kprobe
, process_tracepoint
and
process_uprobe
events for more advanced and custom use cases. Learn more
about these events on the TracingPolicy concept page
and discover multiple use cases like:
See further resources:
Join the community
Join the Tetragon Slack channel to chat with developers, maintainers, and other users. This is a good first stop to ask questions and share your experiences.
How to Contribute
For getting started with local development, you can refer to the Contribution Guide. If you plan to submit a PR, please "sign-off" your commits.
Twice a month we will interview people behind open source businesses. We will talk about how they are building a business on top of open source projects.
We'll never share your email with anyone else.