Tetragon is a sub-project under Cilium and a proud CNCF project

eBPF-based Security Observability and Runtime Enforcement

Tetragon is a flexible Kubernetes-aware security observability and runtime enforcement tool that applies policy and filtering directly with eBPF, allowing for reduced observation overhead, tracking of any process, and real-time enforcement of policies.

Tech leaders use Tetragon

  • Palantir
  • FRSCA
  • GitHub
  • Bell
  • G Research
  • Ripple
  • Nationwide

Why Tetragon?

  • Minimal Overhead

    eBPF enables deep observability with low performance overhead, mitigating risks without the latency introduced by user-space processing.

  • Kubernetes-Aware

    Tetragon extends Cilium's design by recognizing workload identities like namespace and pod metadata, surpassing traditional observability.

  • Simplified Operation

    Tetragon offers pre-defined policy libraries for rapid deployment and operational insight, reducing setup time and complexity at scale.

  • Kernel-level enforcement

    Tetragon blocks malicious activities at the kernel level, closing the window for exploitation without succumbing to TOCTOU attack vectors.

  • Real-time Policy Engine

    Synchronous monitoring, filtering, and enforcement are performed entirely within the kernel using eBPF.

  • Advanced Application Insights

    Tetragon goes beyond traditional monitoring, capturing events like process execution, network communications, and file access.

What can Tetragon do?

Cilium Tetragon is a flexible Kubernetes-aware security observability and runtime

  • Controlling binary execution (e.g. disallow binary execution from /tmp or allow binaries to be executed)
  • Detect Linux Namespace & Privilege Changes
  • Kubernetes Data Exfiltration
  • File Integrity Monitoring
  • And more!

How does Tetragon work?

Tetragon monitors processes, syscalls, file and network activity in the kernel, correlating threats with network data to identify responsible binaries. It shares insights via JSON logs and a gRPC endpoint.

diagram showing Tetragon architecture and interfaces

How to Install Tetragon?

  • Install Tetragon on Kubernetes (download via Helm chart)

        helm repo add cilium https://helm.cilium.io
        helm repo update
        helm install tetragon cilium/tetragon -n kube-system
        kubectl rollout status -n kube-system ds/tetragon -w

Get hands-on with Tetragon

Practice using Tetragon labs to detect and respond to system activity events, such as process executions, file access, and network I/O.

Security Bugs

We strongly encourage you to report security vulnerabilities to our private security mailing list, security@cilium.io, first, before disclosing them in any public forums. This is a private mailing list to which only members of the Cilium security team are subscribed, and reports are treated as top priority.

  • What is a Tracing Policy?

    Tracing Policies define what situations Tetragon should react to...

  • Showcase Tetragon: Slides for Speakers

    We've created a slide deck for talks, presentations, and demos on Tetragon. Feel free to use it as-is or customize it to fit your specific needs.

    See presentation

Telling the Tetragon Story

Creating an abstract, putting a presentation together, or writing a blog post doesn’t come naturally to everyone. If you are eager to tell your Cilium story and need help, we’re here for you.

Not a native speaker and/or not confident about your writing skills? No worries. Bring the story and we’ll help you tell it in an engaging way.

What do you need help with?