Tetragon is a security tool for Kubernetes that uses eBPF to apply policies and filters, reducing observation overhead, enabling process tracking, and enforcing policies in real-time.

Developed by the creators of Cilium and eBPF, Tetragon offers real-time security observability and enforcement using eBPF. It can detect and respond to important security events, including process execution, system calls, and I/O activity (network and file access). 

Tetragon is Kubernetes-aware, meaning it can recognize Kubernetes elements like namespaces and pods, allowing for tailored security event configuration for individual workloads.

Tetragon is a runtime security tool that applies policies and filters using eBPF directly in the kernel, rather than copying every event to user space for inspection. According to the maintainers, this reduces observation overhead, especially for high-frequency events such as send, read, or write operations. Tetragon offers rich filtering options in eBPF, so users can specify which events matter and pass only those to the user-space agent, improving efficiency and resource utilization.

Tetragon is a versatile tool that can intercept and filter any function within the Linux kernel, focusing on parameters, return values, and associated process data like executable names and file attributes, according to the creators of the project. 

Users can define their own tracing policies to address various security and observability needs. While the repository provides some examples and a "Getting Started Guide," it encourages users to write custom policies tailored to their specific requirements, including policies that trace kernel functions the maintainers did not anticipate. Tetragon's flexibility comes from the fact that the choice of traced functions and applied filters is not hardcoded within the tool.

Tetragon enables deep kernel-level tracing, avoiding common issues encountered with syscall tracing, where data can be incorrectly read, maliciously manipulated, or missed due to user/kernel boundary errors like page faults. Many Tetragon developers are also experienced kernel developers, allowing the tool to offer a set of tracing policies that can effectively address common observability and security challenges.
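As an added example (not taken from the article or from the Tetragon project's own repository), the following TracingPolicy shows what the custom policies described above look like in practice, and why hooking a kernel function rather than a syscall matters. It attaches to `fd_install`, the kernel function that installs a resolved `struct file` into a process's file table, so the path Tetragon reports is the one the kernel actually resolved, not a user-space string that could be swapped or fault while being read. It assumes the `cilium.io/v1alpha1` TracingPolicy schema (`kprobes`, `args`, `selectors`, `matchArgs`, `matchActions`, `podSelector`) as documented by the project; the policy name, the pod label, and the `/etc/ssh/` path prefix are illustrative values chosen for this example.

```yaml
# Added example policy; names, labels and paths are illustrative, not from the article.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "guard-ssh-host-keys"        # assumed name for this example
spec:
  # Kubernetes-aware scoping: only pods carrying this label are affected.
  # Pods without the label are not traced by this policy at all.
  podSelector:
    matchLabels:
      app: "web-frontend"            # assumed label for this example
  kprobes:
  # Hook the kernel function that installs a resolved file into a process's
  # fd table, rather than the open/openat syscalls. The second argument is a
  # struct file pointer, so the path comes from kernel data structures.
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"                    # the new file descriptor number
    - index: 1
      type: "file"                   # struct file *, rendered as its path
    selectors:
    # Selector: the in-kernel filter. Only events that match are sent to
    # the user-space agent; everything else is dropped in eBPF.
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/ssh/"                # illustrative sensitive directory
      # Enforcement: terminate the process that opened a matching file.
      # Drop the matchActions block to get an observe-only policy that
      # still emits a kprobe event for each match.
      matchActions:
      - action: Sigkill
```

With the policy applied, a process in a labelled pod that opens anything under `/etc/ssh/` produces a kprobe event carrying the fd number, the resolved path, the executing binary, and the pod and namespace metadata, and is then killed; all other `fd_install` calls never leave the kernel. Start observe-only in a new environment and add `matchActions` once the event stream confirms the filter matches only what you intend.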

Additional details on the project are available here.