explaingit

cilium/tetragon

4,662 stars · C · Audience: ops, devops · Complexity: 4/5 · License: varies by component · Setup: hard

TLDR

A security monitoring tool that watches process, file, and network activity inside Linux systems and Kubernetes clusters at the kernel level using eBPF, and can block suspicious activity in real time.

Mindmap

mindmap
  root((Tetragon))
    What it does
      Process monitoring
      File access tracking
      Network monitoring
      Real-time blocking
    How it works
      eBPF in Linux kernel
      No app modification
    Kubernetes features
      Namespace awareness
      Pod-level rules
    Use cases
      Security auditing
      Threat detection
      Compliance logging
    License
      Apache 2.0 main
      GPL kernel parts


Things people build with this

USE CASE 1

Monitor which processes start and what network connections they open in a Kubernetes cluster without modifying any running applications.

USE CASE 2

Write rules to block a specific container from accessing sensitive files or making unauthorized network connections in real time.

USE CASE 3

Generate enriched security audit logs that link system-level events to the exact Kubernetes pod and namespace that caused them.

Tech stack

Go · C · eBPF · Kubernetes · Docker

Getting it running

Difficulty · hard Time to first run · 1h+

Deploying into Kubernetes requires a running cluster and Helm. The full set of enforcement features (for example, killing a process that violates a policy) additionally needs a Linux kernel that supports the eBPF capabilities Tetragon relies on, so check the kernel version on every node before depending on blocking rather than just logging.

Licensing varies by component: Apache 2.0 for the main project (permissive), BSD for some parts, and GPL for the kernel-side eBPF components, a copyleft license that requires modified versions of those parts to be released under the same terms.

In plain English

Tetragon is a security monitoring tool for Linux systems and Kubernetes clusters. Its job is to watch what is happening inside a running system at a very deep level: which programs are being started or stopped, which files are being read or written, and what network connections are being made. When it detects activity that matches a security rule, it can either record the event or actively block it in real time.

The technology behind this is eBPF, a way to run small, verified inspection programs directly inside the Linux kernel, the core of the operating system. Because these programs run at the kernel level, they can observe activity that would be invisible to tools sitting higher up in the software stack, and there is no need to modify the applications being monitored or install agents inside them.

When running in Kubernetes, a system for running many containerized applications across multiple servers, Tetragon understands Kubernetes concepts such as namespaces and pods. This means you can write rules tied to a specific application or workload rather than to a whole machine. For example, you could monitor one service for unusual file access without that rule affecting other services running on the same server.

The events Tetragon produces are enriched with context from both Linux and Kubernetes, so a security team reviewing logs sees not just what happened at the system level but also which application and which part of the cluster was involved. Out of the box it records process start and exit events. More advanced rules can be added to trace specific kernel functions, system calls, or user-space functions.

Tetragon is part of the Cilium project, an open source networking and security project for Kubernetes. It is available under Apache 2.0, BSD, and GPL licenses depending on the component.
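The following TracingPolicy is an added example covering use cases 2 and 3 above; it is not code from the cilium/tetragon repository. It uses the documented kprobe-based policy format to do two things for one workload: kill any process in the selected pods that touches a secrets directory unless it is the expected service binary, and kill any process that opens a TCP connection outside an allowed address range. The namespace `billing`, the label `app: billing-api`, the path `/etc/billing/keys/`, the binary path `/usr/local/bin/billing-api` and the address list are all assumptions made for this illustration; the `NotIn` and `NotDAddr` operators and `TracingPolicyNamespaced` with `podSelector` exist in recent Tetragon releases, so confirm them against the version you deploy.

```yaml
apiVersion: cilium.io/v1alpha1
# Namespaced variant: the policy only ever applies inside metadata.namespace.
# Use kind: TracingPolicy (no namespace) for a cluster-wide rule.
kind: TracingPolicyNamespaced
metadata:
  name: guard-billing-api
  namespace: billing            # assumed namespace for this example
spec:
  # Only pods carrying this label are affected; other workloads on the
  # same node are not touched by either kprobe below.
  podSelector:
    matchLabels:
      app: billing-api          # assumed label for this example
  kprobes:
  # 1. File access: every read/write passes through this LSM-facing kernel
  #    function, so one hook covers all file I/O regardless of syscall.
  - call: "security_file_permission"
    syscall: false
    args:
    - index: 0
      type: "file"              # struct file *, resolved to a path
    - index: 1
      type: "int"               # access mask: 4 = MAY_READ, 2 = MAY_WRITE
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/billing/keys/"  # assumed secrets directory
      - index: 1
        operator: "Equal"
        values:
        - "4"                   # reads
        - "2"                   # writes
      # Any binary other than the service itself touching the keys is killed.
      matchBinaries:
      - operator: "NotIn"
        values:
        - "/usr/local/bin/billing-api"   # assumed allowed binary
      matchActions:
      - action: Sigkill
  # 2. Network: hook the TCP connect path and kill anything dialing
  #    outside the address ranges this workload is expected to talk to.
  - call: "tcp_connect"
    syscall: false
    args:
    - index: 0
      type: "sock"              # struct sock *, gives destination addr/port
    selectors:
    - matchArgs:
      - index: 0
        operator: "NotDAddr"
        values:
        - "10.0.0.0/8"          # assumed in-cluster range
        - "127.0.0.1"
      matchActions:
      - action: Sigkill
```

Two caveats matter in practice. `Sigkill` terminates the offending process, but the kernel call that triggered it may still complete, so for true denial of a file operation Tetragon's `Override` action (which returns an error code from the hooked function and requires a kernel built with error-injection support for that function) is the stronger choice; `Sigkill` is the portable option. Test every policy in observe-only mode first by dropping `matchActions` and watching events with `tetra getevents -o compact` from the Tetragon pod, since an overly broad `Prefix` or address list will kill legitimate processes.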

Copy-paste prompts

Prompt 1
How do I install Tetragon in a Kubernetes cluster using Helm and start seeing process execution events?
Prompt 2
How do I write a Tetragon TracingPolicy to monitor file access for a specific Kubernetes workload?
Prompt 3
How do I use Tetragon to block a container from making outbound network connections to unexpected IP addresses?
Prompt 4
What does Tetragon's eBPF-based monitoring look like compared to traditional agent-based security tools, and what are the tradeoffs?


Verify against the repo before relying on details.