This tutorial demonstrates how to use eBPF (extended Berkeley Packet Filter) with Cilium Tetragon for real-time security observability and runtime enforcement within Kubernetes on CoreWeave Kubernetes Service (CKS).

Background

CoreWeave reinforces network security and observability at multiple levels: using programmable hardware (BlueField-3 DPUs), advanced CNI plugins like Cilium (with eBPF), and runtime tools such as Cilium Tetragon for process-level enforcement and monitoring. This approach provides strong workload isolation, robust auditability, and real-time detection without the performance overhead of virtualized environments.

Purpose

  • Enhanced Security Observability: By configuring Tetragon with eBPF, you can gain deep insights into security events and anomalies within your Kubernetes clusters. Tetragon enables runtime visibility into the behavior of containers and can track specific system calls, such as execve, to provide an auditable trail of process executions.
  • Auditing and Compliance: This setup helps you ensure compliance with security policies by showing exactly what operations run within your cluster, strengthening your overall security posture.

Prerequisites

  • Ensure a CKS (CoreWeave Kubernetes Service) Cluster is in place.
  • Helm is installed for managing Kubernetes packages.
  • Cilium installed on your CKS Cluster (installed by default).
  • Tetragon version 0.11 or newer.
  • Linux kernel version 5.8+ on your Nodes (required for Tetragon support).

Configuration steps

Add and install Tetragon through Helm

Add the Cilium Helm chart repository and install Tetragon in your cluster’s kube-system namespace:
helm repo add cilium https://helm.cilium.io/
helm repo update
helm install tetragon cilium/tetragon \
  --namespace kube-system \
  --create-namespace

Verify the DaemonSet and logs

Confirm Tetragon is running correctly:
kubectl -n kube-system get pods -l app.kubernetes.io/name=tetragon
kubectl -n kube-system logs -l app.kubernetes.io/name=tetragon

Enable audit policies

Create an example audit policy to monitor process execution events:
  1. Create an example policy file (e.g., exec-policy.yaml):
    apiVersion: cilium.io/v1alpha1
    kind: TracingPolicy
    metadata:
      name: exec-audit
    spec:
      kprobes:
      # With syscall: true Tetragon expects the sys_ form of the name and
      # resolves it to the architecture-specific symbol (e.g. __x64_sys_execve).
      - call: sys_execve
        syscall: true
        args:
        - index: 0        # const char *filename
          type: string
        return: true      # also hook the return so the result is reported
        returnArg:
          index: 0
          type: int
  2. Apply the policy:
    kubectl apply -f exec-policy.yaml

View security events

Stream Tetragon audits and alerts in real-time:
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -f

Test the policy

To verify your exec monitoring is working, create some test activity:
# Run a simple command that will trigger exec events
kubectl exec -n kube-system -it deployment/coredns -- /bin/sh -c "ls"

# Check if the event appears in Tetragon logs
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon --tail=20
You should see JSON-formatted events showing the execve syscall details, including the command path, arguments, and container context.
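The following added example (not code from CoreWeave or the Tetragon project) shows how to consume those JSON lines programmatically: it parses Tetragon's `process_exec` and `process_kprobe` event shapes, pulls out the command path, arguments and pod/container context, counts events per namespace, and lists shells started inside pods, which is a common audit question. The sample lines are constructed to match the export format; pod names, node names, pids and timestamps are placeholders, not values from a real cluster.

```python
"""Summarise Tetragon JSON export lines (the output of the kubectl logs commands above)."""
import json
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample lines shaped like Tetragon's JSON export. Pod names, node
# names, pids and timestamps are placeholders, not values from a real cluster.
SAMPLE_LINES = [
    json.dumps({
        "process_exec": {
            "process": {"pid": 4242, "uid": 0, "binary": "/bin/sh",
                        "arguments": "-c ls", "flags": "execve rootcwd",
                        "pod": {"namespace": "kube-system", "name": "coredns-placeholder",
                                "container": {"name": "coredns"}}},
            "parent": {"binary": "/usr/bin/containerd-shim-runc-v2"}},
        "node_name": "node-placeholder", "time": "2026-01-01T00:00:00Z"}),
    json.dumps({
        "process_kprobe": {
            "process": {"pid": 4243, "uid": 0, "binary": "/bin/ls",
                        "pod": {"namespace": "kube-system", "name": "coredns-placeholder",
                                "container": {"name": "coredns"}}},
            "function_name": "__x64_sys_execve",
            "args": [{"string_arg": "/bin/ls"}],
            "return": {"int_arg": 0},
            "action": "KPROBE_ACTION_POST"},
        "node_name": "node-placeholder", "time": "2026-01-01T00:00:01Z"}),
    # Other event types (here process_exit) and non-JSON lines are skipped.
    json.dumps({"process_exit": {"process": {"pid": 4243, "binary": "/bin/ls"}}}),
    "not a json line",
]

SHELLS = ("/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash")


@dataclass
class ExecEvent:
    kind: str                  # "process_exec" or "process_kprobe"
    binary: str                # process.binary
    arguments: str             # exec arguments, or decoded kprobe args
    namespace: Optional[str]   # pod.namespace, None for host processes
    pod: Optional[str]         # pod.name
    container: Optional[str]   # pod.container.name
    function: Optional[str]    # kprobe function_name, None for process_exec
    return_value: Optional[int]


def _arg_value(arg: dict):
    """Tetragon encodes each kprobe arg as {"<type>_arg": value}; return the value."""
    for key, value in arg.items():
        if key.endswith("_arg"):
            return value
    return None


def parse_line(line: str) -> Optional[ExecEvent]:
    """Turn one export line into an ExecEvent, or None if it is not an exec-related event."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict):
        return None
    for kind in ("process_exec", "process_kprobe"):
        body = event.get(kind)
        if body is None:
            continue
        process = body.get("process", {})
        pod = process.get("pod") or {}
        container = pod.get("container") or {}
        if kind == "process_exec":
            arguments, function, ret = process.get("arguments", ""), None, None
        else:
            arguments = " ".join(str(_arg_value(a)) for a in body.get("args", []))
            function = body.get("function_name")
            ret = (body.get("return") or {}).get("int_arg")
        return ExecEvent(kind=kind, binary=process.get("binary", ""), arguments=arguments,
                         namespace=pod.get("namespace"), pod=pod.get("name"),
                         container=container.get("name"), function=function,
                         return_value=ret)
    return None


def parse_lines(lines: Iterable[str]) -> List[ExecEvent]:
    return [e for e in (parse_line(line) for line in lines) if e is not None]


def count_by_namespace(events: List[ExecEvent]) -> dict:
    counts = {}
    for e in events:
        key = e.namespace or "<host>"
        counts[key] = counts.get(key, 0) + 1
    return counts


def shell_execs_in_pods(events: List[ExecEvent]) -> List[ExecEvent]:
    """Audit check: shells started inside pods (e.g. via kubectl exec) are worth reviewing."""
    return [e for e in events
            if e.kind == "process_exec" and e.pod is not None and e.binary in SHELLS]


if __name__ == "__main__":
    # Pass "-" to read real export lines from stdin; otherwise use the samples.
    source = sys.stdin if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_LINES
    evts = parse_lines(source)
    print("events per namespace:", count_by_namespace(evts))
    for e in shell_execs_in_pods(evts):
        print(f"shell in pod {e.namespace}/{e.pod} ({e.container}): {e.binary} {e.arguments}")
```

Run it against a live cluster by piping the streaming logs command from the previous section into the script with `-` as its argument; unrelated event types and non-JSON lines (for example agent log messages mixed into the stream) are ignored rather than breaking the parse.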

Customizing policies

The example exec-policy.yaml monitors all process executions. You can create more targeted policies by:
| Policy type | Configuration | Use case |
|---|---|---|
| Specific binaries | Add path: "/usr/bin/apt" | Track package installations |
| Namespace filtering | Use namespaceSelector | Limit monitoring scope to specific namespaces |
| File access tracking | Monitor openat syscalls | Detect access to sensitive files |
| Network monitoring | Track connect syscalls | Monitor network connections |
Custom policies leverage CoreWeave’s DPU-accelerated eBPF processing for minimal performance impact while providing detailed runtime visibility into your AI workloads.
Last modified on April 20, 2026