This tutorial demonstrates how to use eBPF (extended Berkeley Packet Filter) with Cilium Tetragon for real-time security observability and runtime enforcement within Kubernetes on CoreWeave Kubernetes Service (CKS).
Background
CoreWeave reinforces network security and observability at multiple levels: using programmable hardware (BlueField-3 DPUs), advanced CNI plugins like Cilium (with eBPF), and runtime tools such as Cilium Tetragon for process-level enforcement and monitoring. This approach provides strong workload isolation, robust auditability, and real-time detection without the performance overhead of virtualized environments.
Purpose
- Enhanced Security Observability: By configuring Tetragon with eBPF, you can gain deep insights into security events and anomalies within your Kubernetes clusters. Tetragon enables runtime visibility into the behavior of containers and can track specific system calls, such as execve, to provide an auditable trail of process executions.
- Auditing and Compliance: This setup helps you ensure compliance with security policies by showing exactly what operations run within your cluster, strengthening your overall security posture.
Prerequisites
- Ensure a CKS (CoreWeave Kubernetes Service) Cluster is in place.
- Helm is installed for managing Kubernetes packages.
- Cilium installed on your CKS Cluster (installed by default).
- Tetragon version 0.11 or newer.
- Linux kernel version 5.8+ on your Nodes (required for Tetragon support).
Configuration steps
Add and install Tetragon through Helm
Add the Cilium Helm chart repository and install Tetragon in your cluster’s kube-system namespace:
```bash
helm repo add cilium https://helm.cilium.io/
helm repo update
helm install tetragon cilium/tetragon \
  --namespace kube-system \
  --create-namespace
```
Verify the DaemonSet and logs
Confirm Tetragon is running correctly:
```bash
kubectl -n kube-system get pods -l app.kubernetes.io/name=tetragon
kubectl -n kube-system logs -l app.kubernetes.io/name=tetragon
```
Enable audit policies
Create an example audit policy to monitor process execution events:
- Create an example policy file (e.g., exec-policy.yaml):

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: exec-audit
spec:
  kprobes:
    - call: execve        # hook the execve system call
      syscall: true       # interpret `call` as a syscall name rather than a kernel function
      args:
        - index: 0        # first argument: the pathname being executed
          type: string
      returnArg: true
```

- Apply the policy:

```bash
kubectl apply -f exec-policy.yaml
```
View security events
Stream Tetragon audits and alerts in real-time:
```bash
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -f
```
Test the policy
To verify your exec monitoring is working, create some test activity:
```bash
# Run a simple command that will trigger exec events
kubectl exec -n kube-system -it deployment/coredns -- /bin/sh -c "ls"
# Check if the event appears in Tetragon logs
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon --tail=20
```
You should see JSON-formatted events showing the execve syscall details, including the command path, arguments, and container context.
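To turn that event stream into something a detection engineer can act on, here is an added example (not part of CoreWeave's documentation or Tetragon's own code) that reads a saved copy of the Tetragon log and flags shell executions inside pods of a watched namespace. The sample lines, pod names and the SHELLS list are constructed assumptions that follow the general shape of Tetragon's process_exec and process_kprobe JSON events.

```python
import json

# Constructed sample lines in the shape Tetragon writes to its pod log (not real cluster output).
SAMPLE_LOG = "\n".join([
    json.dumps({"process_exec": {"process": {"pid": 4211, "uid": 0, "binary": "/bin/sh",
        "arguments": "-c ls", "pod": {"namespace": "kube-system", "name": "coredns-7d8c"}},
        "parent": {"binary": "/usr/bin/runc"}}, "node_name": "node-a", "time": "2026-04-20T10:00:00Z"}),
    json.dumps({"process_kprobe": {"process": {"pid": 4212, "uid": 0, "binary": "/bin/ls",
        "arguments": "", "pod": {"namespace": "kube-system", "name": "coredns-7d8c"}},
        "parent": {"binary": "/bin/sh"}, "function_name": "execve",
        "args": [{"string_arg": "/bin/ls"}]}, "node_name": "node-a", "time": "2026-04-20T10:00:01Z"}),
    json.dumps({"process_exec": {"process": {"pid": 913, "uid": 1000, "binary": "/usr/bin/python3",
        "arguments": "train.py", "pod": {"namespace": "ml", "name": "trainer-0"}},
        "parent": {"binary": "/usr/bin/runc"}}, "node_name": "node-b", "time": "2026-04-20T10:00:02Z"}),
    "not json at all",  # non-JSON noise such as a startup banner; must be skipped, not crash the parser
])

# Interpreters whose execution inside a pod is worth reviewing (assumed list; extend as needed).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}

def parse_events(text):
    """Yield (event_kind, payload) for each Tetragon JSON line; silently skip lines that are not JSON."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue
        for kind in ("process_exec", "process_kprobe"):
            if kind in event:
                yield kind, event[kind]

def summarize(kind, payload):
    """Flatten the fields an analyst needs; host processes (no pod block) are labelled <host>."""
    proc = payload.get("process", {})
    pod = proc.get("pod") or {}
    return {
        "kind": kind,
        "namespace": pod.get("namespace", "<host>"),
        "pod": pod.get("name", "<host>"),
        "binary": proc.get("binary", ""),
        "arguments": proc.get("arguments", ""),
        "parent": (payload.get("parent") or {}).get("binary", ""),
        "uid": proc.get("uid"),
    }

def find_shell_execs(text, namespaces=frozenset({"kube-system"})):
    """Return summaries of shell executions inside pods of the watched namespaces."""
    return [s for s in (summarize(k, p) for k, p in parse_events(text))
            if s["namespace"] in namespaces and s["binary"] in SHELLS]
```

Run it against a real capture with `kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon > tetragon.log` and pass the file contents to `find_shell_execs`; the `kubectl exec ... /bin/sh -c "ls"` test above should produce exactly one hit.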
Customizing policies
The example exec-policy.yaml monitors all process executions. You can create more targeted policies by:
| Policy Type | Configuration | Use Case |
|---|---|---|
| Specific binaries | Add `path: "/usr/bin/apt"` | Track package installations |
| Namespace filtering | Use `namespaceSelector` | Limit monitoring scope to specific namespaces |
| File access tracking | Monitor `openat` syscalls | Detect access to sensitive files |
| Network monitoring | Track `connect` syscalls | Monitor network connections |
Custom policies leverage CoreWeave’s DPU-accelerated eBPF processing for minimal performance impact while providing detailed runtime visibility into your AI workloads.

Last modified on April 20, 2026