Tetragon
eBPF-based Security Observability and Runtime Enforcement
Cilium’s new [Tetragon](https://tetragon.io) component enables powerful real-time, eBPF-based Security Observability and Runtime Enforcement. The project is written primarily in C, distributed under the Apache License 2.0 license, first published in 2022. It has gained significant community traction with 4,749 stars and 560 forks on GitHub. Key topics include: bpf, ebpf, kernel, kubernetes, security.
Cilium’s new Tetragon component enables powerful
real-time, eBPF-based Security Observability and Runtime Enforcement.
Tetragon detects and is able to react to security-significant events, such as
- Process execution events
- System call activity
- I/O activity including network & file access
When used in a Kubernetes environment, Tetragon is Kubernetes-aware - that is,
it understands Kubernetes identities such as namespaces, pods and so on - so
that security event detection can be configured in relation to individual
workloads.
See more about how Tetragon is using eBPF.
Getting started
Refer to the official documentation of Tetragon.
To get started with Tetragon, take a look at the getting started
guides to:
Tetragon is able to observe critical hooks in the kernel through its sensors
and generates events enriched with Linux and Kubernetes metadata:
- Process lifecycle: generating
process_execandprocess_exitevents
by default, enabling full process lifecycle observability. Learn more about
these events on the process lifecycle use case page. - Generic tracing: generating
process_kprobe,process_tracepointand
process_uprobeevents for more advanced and custom use cases. Learn more
about these events on the TracingPolicy concept page
and discover multiple use cases like:
See further resources:
Join the community
Join the Tetragon 💬 Slack channel and the
📅 Community Call to chat with
developers, maintainers, and other users. This is a good first stop to ask
questions and share your experiences.
How to Contribute
For getting started with local development, you can refer to the
Contribution Guide. If
you plan to submit a PR, please "sign-off"
your commits.
Adopters
A list of adopters of the Tetragon project and who is deploying it in
production, and of their use cases, can be found in the
USERS.md file.
Contributors
Showing top 12 contributors by commit count.
![cilium-renovate[bot]](https://avatars.githubusercontent.com/in/339224?v=4)
Related Repositories
cilium/cilium
eBPF-based Networking, Security, and Observability
bpftrace/bpftrace
High-level tracing language for Linux
capstone-engine/capstone
Capstone disassembly/disassembler framework for ARM, ARM64 (ARMv8), Alpha, BPF, Ethereum VM, HPPA, LoongArch, M68K, M680X, Mips, MOS65XX, PPC, RISC-V(rv32G/rv64G), SH, Sparc, SystemZ, TMS320C64X, TriCore, Webassembly, XCore and X86.
qmonnet/awesome-ebpf
A curated list of awesome projects related to eBPF.
hengyoush/kyanos
Kyanos is a networking analysis tool using eBPF. It can visualize the time packets spend in the kernel, capture requests/responses, makes troubleshooting more efficient.
parca-dev/parca
Continuous profiling for analysis of CPU and memory usage, down to the line number and throughout time. Saving infrastructure cost, improving performance, and increasing reliability.