setramerica.blogg.se

Definition of tetragon
Cilium's new Tetragon component enables powerful realtime, eBPF-based Security Observability and

Tetragon detects and is able to react to security-significant events, such as I/O activity including network & file access.

When used in a Kubernetes environment, Tetragon is Kubernetes-aware - that is, it understands Kubernetes identities such as namespaces, pods and so-on - so that security event detection can be configured in relation to individual workloads.

Tetragon is a runtime security enforcement and observability tool, with policy and filtering directly in eBPF in the kernel. It performs the filtering, blocking, and reacting to events directly in the kernel instead of sending

For an observability use case, applying filters directly in the kernel drastically reduces

By avoiding expensive context switching and wake-ups, especially for high frequency events, such as send, read, or write operations, eBPF reduces required

Instead, Tetragon provides rich filters (file, socket, binary names, namespace/capabilities, etc.) in eBPF, which allows users to specify the important and relevant events in their specific context, and pass only those to the user-space agent.

Tetragon can hook into any function in the Linux kernel and filter on its arguments, return value, associated metadata that Tetragon collects about processes (e.g., executable

By writing tracing policies users can solve various

We provide a number of examples for these in the repository and highlight some below in the 'Getting Started Guide', but users are encouraged to create new policies that

The examples are just that, jumping off points that users can then use to create new and specific policy deployments even potentially tracing kernel functions we did not consider. None of the specifics about which functions are traced and what filters are applied are hard-coded in the engine itself.

Critically, Tetragon allows hooking deep in the kernel where data structures can not be manipulated by user space applications, avoiding common issues with syscall tracing where data is incorrectly read, maliciously altered by attackers, or missing due to page faults and other user/kernel boundary errors.

Many of the Tetragon developers are also kernel developers. Tetragon has created a set of tracing policies that can solve many common observability and security use cases.

Tetragon, through eBPF, has access to the Linux kernel state.
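The tracing-policy mechanism described above, as an added example that is not code from the Tetragon project or from this page: a TracingPolicy that attaches a kprobe to the kernel's fd_install function and, inside eBPF, keeps only file opens under /etc/ performed by a shell, so the user-space agent receives just those events. The policy name, the path prefix and the shell binaries are this example's assumptions; the hook, argument types and selector keys follow Tetragon's documented TracingPolicy format.

```yaml
# Added example, not from the Tetragon project or the original page.
# Detection-only policy: events that fail the selectors are dropped
# in the kernel and never cross into user space.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "shell-etc-file-opens"      # assumed policy name
spec:
  kprobes:
  - call: "fd_install"               # kernel function run when a new fd is
    syscall: false                   # installed in the fd table (e.g. after open)
    args:
    - index: 0
      type: "int"                    # the new file descriptor number
    - index: 1
      type: "file"                   # struct file *, resolved to a path by Tetragon
    selectors:
    # Matchers inside one selector are ANDed: both conditions must hold.
    - matchBinaries:                 # process metadata collected by Tetragon
      - operator: "In"
        values:
        - "/bin/sh"                  # assumed binaries of interest
        - "/bin/bash"
      matchArgs:                     # argument filter evaluated in eBPF
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/"                    # assumed path prefix
```

Apply it with kubectl on a cluster where Tetragon is installed; the resulting events carry the Kubernetes pod and namespace of the process that opened the file.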