Tetragon

eBPF-based security observability and runtime enforcement for Kubernetes.

About

Tetragon is a CNCF project from Cilium that uses eBPF to provide deep runtime security observability and enforcement at the kernel level. It can observe and filter system calls, network connections, file access, and process execution with near-zero overhead, and optionally enforce policies to block specific behaviors. It is used in this cluster for runtime security visibility — generating structured events for process execution, file access, and network activity that can be correlated with Kubernetes metadata.

Installation

Architecture

The tetragon HelmRelease in namespace kube-system installs chart version 1.6.1 from https://helm.cilium.io (the same Helm repository as Cilium).
  • Deployed as a DaemonSet.
  • Prometheus ServiceMonitor enabled for both the tetragon agent and the tetragon-operator.
  • Talos-specific: extraHostPathMounts adds /sys/kernel/tracing to enable eBPF tracing (Talos mounts tracefs at a non-standard path that is accessible only with an explicit host mount).

Security

Tetragon requires privileged access to load eBPF programs and read kernel tracing data. The DaemonSet runs with elevated privileges and hostPath mounts to /sys/kernel/tracing. This is inherent to the eBPF security model — Tetragon sits below the container runtime and monitors at the syscall level. TracingPolicy resources define what events to capture and can enforce blocking rules.

Updates

Managed by Renovate. Chart version is semver-pinned (1.6.1).

Administration

Usage

Tetragon emits structured JSON events (process execution, file access, network connections) annotated with Kubernetes pod/namespace metadata. Events can be consumed via the tetra CLI, Prometheus metrics, or forwarded to a SIEM. TracingPolicy CRDs allow defining eBPF-level policies — for example, blocking a process from accessing sensitive files or making unexpected network connections. Monitoring dashboards use the Prometheus metrics exposed via ServiceMonitor.
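Both the Security and Usage sections refer to TracingPolicy resources that capture events and can enforce blocking rules. The policy below is an added example, not part of this cluster's configuration or of the Tetragon project's own files; it follows the upstream TracingPolicy schema (cilium.io/v1alpha1), while the hook, the path list and the policy name are my choices.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: block-sensitive-file-reads   # example name, not from this cluster
spec:
  kprobes:
  # Hook the kernel's file-permission check rather than a single syscall so
  # every access path (read, mmap, a library doing openat+read) is covered.
  - call: "security_file_permission"
    syscall: false
    args:
    - index: 0
      type: "file"   # struct file *: Tetragon resolves it to the file path
    - index: 1
      type: "int"    # access mask (MAY_READ = 0x04, MAY_WRITE = 0x02)
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"   # Prefix also matches e.g. /etc/shadow- backups
        values:
        - "/etc/shadow"
        - "/etc/sudoers"
        - "/root/.ssh"
      # Restrict enforcement to container processes: anything still in the
      # host PID namespace (kubelet, the Talos init process) is left alone.
      matchNamespaces:
      - namespace: Pid
        operator: NotIn
        values:
        - "host_ns"
      # Emit a process_kprobe event and SIGKILL the offending process.
      # Remove this block to run the same policy in observe-only mode first
      # and review the events for legitimate readers before enforcing.
      matchActions:
      - action: Sigkill
```

After applying the resource with kubectl, the resulting process_kprobe events (with pod and namespace metadata attached) can be followed on a node with `tetra getevents -o compact`.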

Metadata

Kubernetes Metadata
  • HelmRelease: tetragon@1.6.1