Articles

Detect Runtime Threats in Kubernetes with Cilium Tetragon (2026)

April 16, 2026 3 min read

Cilium Tetragon can detect runtime threats in Kubernetes by observing and filtering system calls.

Let’s see Tetragon in action. Imagine you have a pod running a web server, and you want to ensure it doesn’t try to exec into another container. Here’s a simplified cilium-policy that would detect and alert on such an event:

apiVersion: cilium.io/v1alpha1
kind: CiliumNetworkPolicy
metadata:
  name: deny-exec-from-webserver
spec:
  endpointSelector:
    matchLabels:
      app: webserver
  egress:
  - toPorts:
    - ports:
      - port: "0" # Any port
        protocol: ANY
    # This is where the magic happens:
    toProcesses:
      - matchArgs:
        - execve
        # This is a simplified example, real-world might need more specific process names
        # or paths to avoid false positives.
      - matchName:
        - "sh"
        - "bash"
        - "powershell"
    action: Deny

When a pod labeled app: webserver attempts to execute a shell process like sh or bash within another pod, Tetragon, acting as the policy enforcement point, will intercept this system call. It will then trigger an alert, which can be configured to be sent to various backends like Kafka, Elasticsearch, or a simple stdout log. This allows you to immediately know that a potentially malicious action is being attempted.

Tetragon’s power comes from its ability to hook into the Linux kernel’s ptrace mechanism. Unlike traditional security solutions that might rely on log analysis or network traffic inspection, Tetragon operates at the syscall level. This means it sees everything a process does, from file access and network connections to process creation and execution.

The core problem Tetragon solves is providing deep visibility into the behavior of your applications inside the container, in real-time. Kubernetes abstracts away the underlying OS, but threats often exploit OS-level vulnerabilities. Tetragon bridges this gap by bringing kernel-level observability into your Kubernetes environment.

Here’s how it works internally:

  1. eBPF Programs: Tetragon leverages eBPF (extended Berkeley Packet Filter) programs that are attached to specific kernel tracepoints or kprobes. These eBPF programs are lightweight and run directly in the kernel.
  2. Syscall Interception: When a process within a Kubernetes pod makes a syscall (e.g., execve, open, connect), the attached eBPF program is triggered.
  3. Event Generation: The eBPF program inspects the syscall arguments and context. If the event matches a defined Tetragon policy, it generates an event.
  4. Userspace Agent: This event is then sent to the Tetragon userspace agent running on the Kubernetes node.
  5. Policy Enforcement & Alerting: The Tetragon agent processes these events, enforces defined policies (e.g., deny, alert), and forwards relevant information to configured output destinations.

The exact levers you control are primarily through the cilium.io/v1alpha1 CiliumNetworkPolicy and its toProcesses field. You can specify matchName for process executables, matchArgs for command-line arguments, and matchPath for file paths. You can also define matchRegex for more complex pattern matching on arguments or paths. The action field can be set to Deny (which prevents the action and logs it) or Audit (which only logs it).

When you write policies, you’re essentially defining what "normal" or "allowed" behavior looks like for your applications at the syscall level. Anything that deviates from this, especially actions that could indicate compromise (like unexpected process execution, sensitive file access, or network connections to unusual destinations), is flagged.

What most people don’t realize is that Tetragon policies can be incredibly granular, extending beyond just process execution. You can monitor for specific file reads or writes, network socket operations, and even PTRACE calls, which are often used by attackers to attach to and manipulate other processes. For example, to detect if a process tries to ptrace another process, you’d create a policy targeting the ptrace syscall:

apiVersion: cilium.io/v1alpha1
kind: CiliumNetworkPolicy
metadata:
  name: deny-ptrace
spec:
  endpointSelector: {} # Applies to all endpoints
  egress:
  - toProcesses:
    - matchName: "ptrace"
    action: Deny

This policy, when applied, will prevent any process from initiating a ptrace call and will generate an alert. This is crucial because malware often uses ptrace to inject code into legitimate processes or to steal credentials.

The next step after implementing runtime threat detection is often configuring advanced network segmentation using Cilium’s broader capabilities.

Want structured learning?

Take the full Cilium course →