Tetragon is an eBPF-based security observability and runtime enforcement tool that provides real-time detection and reaction to security-significant events on Linux and Kubernetes environments.
eBPF-based Security Observability and Runtime Enforcement
Tetragon is primarily used by security operations teams to monitor and enforce security policies at the endpoint and network level in real time. It enables detection of critical system events such as process execution, system calls, and I/O activity, making it ideal for Kubernetes workloads and Linux hosts to enhance runtime security and observability.
Tetragon requires a Linux kernel with eBPF support; it is optimized for Kubernetes environments but also runs on standalone Linux hosts. Users should verify kernel compatibility and that the agent has the privileges needed to load eBPF programs. Using Kubernetes metadata (namespace, pod, container) makes observability and policy enforcement more granular. Participation in the community Slack and calls is recommended for support and updates.
Refer to the official documentation at https://tetragon.io/docs/
Try Tetragon on Kubernetes by following the guide at https://tetragon.io/docs/getting-started/install-k8s/
Try Tetragon on Linux using Docker as per https://tetragon.io/docs/getting-started/install-docker/
Deploy Tetragon by following the installation instructions at https://tetragon.io/docs/installation/
Install the Tetra CLI tool via https://tetragon.io/docs/installation/tetra-cli/
tetragon-cli
Command-line interface to interact with Tetragon for querying and managing security events
kubectl apply -f tetragon.yaml
Deploy Tetragon in a Kubernetes cluster
tetragon-cli observe process_exec
Observe process execution events in real time
tetragon-cli observe process_exit
Observe process exit events
tetragon-cli trace --kprobe <function>
Set up generic tracing using kprobes for custom use cases
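The process_exec and process_exit events listed above are exported by Tetragon as newline-delimited JSON. As an added example (not part of the Tetragon project or this page), the following consumer parses such a stream and flags a shell being started inside a pod by a non-shell parent, a pattern worth alerting on in a cluster; the sample events are constructed, and the exact key layout is assumed from Tetragon's JSON output rather than verified here.

```python
import json
from collections import Counter

# Constructed sample of Tetragon JSON export lines (not a real capture). The keys follow the
# process_exec / process_exit events Tetragon emits; the exact layout is assumed, not verified.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"process_exec": {"process": {"pid": 101, "binary": "/usr/bin/curl",
        "pod": {"namespace": "default", "name": "xwing"}}, "parent": {"binary": "/bin/sh"}},
        "time": "2024-01-01T00:00:00Z"}),
    json.dumps({"process_exec": {"process": {"pid": 202, "binary": "/bin/bash", "arguments": "-i",
        "pod": {"namespace": "default", "name": "tiefighter"}},
        "parent": {"binary": "/usr/local/bin/entrypoint"}}, "time": "2024-01-01T00:00:01Z"}),
    json.dumps({"process_exit": {"process": {"pid": 101, "binary": "/usr/bin/curl",
        "pod": {"namespace": "default", "name": "xwing"}}, "status": 0},
        "time": "2024-01-01T00:00:02Z"}),
    # host process (no pod metadata): a shell here is outside the pattern we look for
    json.dumps({"process_exec": {"process": {"pid": 303, "binary": "/bin/bash"},
        "parent": {"binary": "/usr/sbin/sshd"}}, "time": "2024-01-01T00:00:03Z"}),
    "{not valid json",  # a truncated line must not abort the stream
])

EVENT_KINDS = ("process_exec", "process_exit", "process_kprobe", "process_tracepoint")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}

def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip the bad line rather than abort the whole stream
    return events

def count_by_kind(events):
    """Tally records by Tetragon event type (the record's top-level key)."""
    return Counter(k for ev in events for k in EVENT_KINDS if k in ev)

def shell_execs_in_pods(events):
    """Flag process_exec events where a shell starts inside a pod from a
    non-shell parent (typical of an exec into a running container)."""
    hits = []
    for ev in events:
        body = ev.get("process_exec") or {}
        proc, parent = body.get("process", {}), body.get("parent", {})
        pod = proc.get("pod")
        if pod and proc.get("binary") in SHELLS and parent.get("binary") not in SHELLS:
            hits.append({"namespace": pod["namespace"], "pod": pod["name"],
                         "binary": proc["binary"], "parent": parent.get("binary")})
    return hits
```

On a live cluster the same functions can be fed line by line from the JSON output of the CLI instead of the constructed sample.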