Isovalent has announced the 1.0 release of Cilium Tetragon, their eBPF-based Kubernetes security observability and runtime enforcement tool. Policies and filters can be applied directly via eBPF to monitor process execution, privilege escalations, and file and network activity.
Tetragon can be used to perform security and runtime enforcement. It is Kubernetes-aware and understands Kubernetes concepts such as namespaces and pods. Tetragon can be deployed into Kubernetes clusters using Helm. Tetragron generates process_exec and process_exit events by default and can generate process_kprobe, process_tracepoint, and process_uprobe events for more advanced use cases.
The 1.0 release brings stability and performance improvements to Tetragon. The main focus of the release was to substantially minimize the performance overhead of running Tetragon. Thomas Graf, CTO of Isovalent, notes that in a worst-case benchmark test "with Tetragon process execution tracking adding a minimal 1.68% overhead and only 2.46% overhead when also writing all process execution events as JSON to disk." Graf notes that this test was performed by building the 6.1.13 Linux kernel to generate a substantially higher event volume than standard use cases.
The release also adds a library of default observability policies. These policies cover scenarios such as monitoring kernel module loads, detection of binary execution within /tmp, audit logging of connections initiated or accepted by sshd, and tracking sudo invocations. Applying a policy can be done using kubectl:
kubectl apply https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/modules.yaml
Policies can be used as is or be used as templates or best practice guides. Graf notes that the policies provide examples of "best-practice jq filters to format the raw logs in a way that is useful for the particular use case". Tetragon leverages jq which is a lightweight command-line JSON processor.
Tetragon provides labels and namespace filters in eBPF allowing for efficient filtering on Kubernetes metadata and policy application against specific Kubernetes workloads. The following policy snippet monitors the setuid() system call and logs any call to it where the process is running within a Kubernetes pod with the label app=sensitive-workload:
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: "monitoring-gaining-root-access-on-sensitive-workloads"
spec:
podSelector:
matchLabels:
app: "sensitive-workload"
kprobes:
- call: "sys_setuid"
syscall: true
args:
- index: 0
type: "int"
returnArg:
index: 0
type: "int"
returnArgAction: "Post"
When matching actions are detected, Tetragon generates events that can be reviewed via the Tetragon CLI or passed into an SIEM for additional analysis.
eBPF is steadily gaining ground as a tool for powering observability and security tooling. Some open-source alternatives using eBPF for observability and security monitoring include Pixie, Inspektor Gadget, Coroot, parca, Granfa Beyla, and the OpenTelemetry eBPF project.
Tetragon is open-source under the Apache-2.0 license and available on GitHub. More details on the 1.0 release can be found on the Isovalent blog.