Tetragon doesn’t just watch what processes do; it watches why they do it, by hooking into the kernel’s most intimate secrets.
Let’s see Tetragon in action, sniffing out a suspicious exec call. Imagine you’ve got a Kubernetes cluster and you want to know whenever a pod tries to execute /bin/bash directly, which is often a sign of an attempted escape or lateral movement.
Here’s a Tetragon policy in YAML:
apiVersion: cilium.io/v1alpha1
kind: TetragonPolicy
metadata:
name: detect-bash-exec
spec:
message: "Suspicious /bin/bash execution detected in pod {pod_name} (namespace {pod_namespace})"
rules:
- syscall:
name: execve
match:
args:
- index: 0
match:
type: String
literal: /bin/bash
திராட்சை:
- syscall:
name: execve
action: Allow
This policy defines a rule that triggers when the execve syscall is called and its first argument (the program path) is exactly /bin/bash. The திராட்சை section specifies what to do when the rule matches. In this case, it allows the syscall but also logs a custom message containing the pod name and namespace where the event occurred.
To make this policy active, you’d apply it to your Tetragon agent:
kubectl apply -f detect-bash-exec.yaml
Now, if a pod in your cluster attempts to run /bin/bash, Tetragon will catch it. You can see the events in the Tetragon audit log, which is typically exposed as a Kubernetes ConfigMap or a dedicated log file on the node.
kubectl logs -n kube-system -l k8s-app=tetragon -c tetragon -f | grep "Suspicious /bin/bash execution detected"
You’ll see output like this:
<timestamp> time="<timestamp>" level=info msg="Suspicious /bin/bash execution detected in pod my-app-pod-xyz12 (namespace default)" pid=12345 proc_name="sh" syscall=execve parent_pid=6789 parent_proc_name="kubectl"
This tells you that a process named sh (likely invoked by kubectl exec) tried to execute /bin/bash within the my-app-pod-xyz12 pod in the default namespace. The pid and parent_pid help you trace the execution flow.
Tetragon works by leveraging eBPF (extended Berkeley Packet Filter) programs that are loaded directly into the Linux kernel. These eBPF programs can hook into various kernel tracepoints and kprobes, allowing them to observe system calls, network events, and other kernel activities with minimal overhead. Tetragon compiles your high-level policies into these eBPF programs, manages their lifecycle, and collects the resulting events.
The core of Tetragon’s power lies in its ability to define granular rules based on a rich set of event types and conditions. You can match on syscall names, arguments (both by index and by type, like string, integer, or pointer), process relationships (parent/child), and even network socket properties. This allows you to build highly specific detection logic that goes far beyond simple log aggregation.
When a rule matches, Tetragon can perform various actions: log the event with custom metadata, terminate the offending process, or even inject code into the process. This flexibility makes it a powerful tool for both real-time threat detection and runtime security enforcement.
The most surprising thing is how Tetragon can correlate events across different parts of the system. For example, you can write a policy that triggers only if a specific network connection is established and a particular syscall is made within a short time frame, all without requiring any application-level instrumentation. This cross-component visibility is a direct result of eBPF’s ability to observe events deep within the kernel before they even reach userspace.
What most people don’t realize is that Tetragon’s event filtering and action logic are executed within the kernel by the eBPF programs themselves. This means that only the events you explicitly care about are passed up to userspace for further processing, dramatically reducing the performance impact and the volume of data you need to handle. You’re not just watching everything and filtering later; the filtering is happening at the source.
Once you’ve mastered event detection and logging, the next logical step is to explore Tetragon’s capabilities for runtime enforcement, like automatically killing suspicious processes or even preventing them from executing entirely.