eBPF Security Observability with Cilium Tetragon
Real-time Kubernetes security observability with eBPF and Cilium Tetragon on CKS
This tutorial demonstrates how to use eBPF (extended Berkeley Packet Filter) with Cilium Tetragon for real-time security observability and runtime enforcement within Kubernetes on CoreWeave Kubernetes Service (CKS).
Background
CoreWeave reinforces network security and observability at multiple levels: using programmable hardware (BlueField-3 DPUs), advanced CNI plugins like Cilium (with eBPF), and runtime tools such as Cilium Tetragon for process-level enforcement and monitoring. This approach provides strong workload isolation, robust auditability, and real-time detection without the performance overhead of virtualized environments.
Purpose
- Enhanced Security Observability: By configuring Tetragon with eBPF, you can gain deep insights into security events and anomalies within your Kubernetes clusters. Tetragon enables runtime visibility into the behavior of containers and can track specific system calls, such as execve, to provide an auditable trail of process executions.
- Auditing and Compliance: This setup helps organizations ensure compliance with security policies by allowing them to see exactly what operations are being performed within their cluster, thereby bolstering their overall security posture.
Prerequisites
- Ensure a CKS (CoreWeave Kubernetes Service) Cluster is in place.
- Helm is installed for managing Kubernetes packages.
- Cilium installed on your CKS Cluster (installed by default).
- Tetragon version 0.11 or newer.
- Linux kernel version 5.8+ on your Nodes (required for Tetragon support).
Configuration steps
Add and install Tetragon through Helm
Add the Cilium Helm chart repository and install Tetragon in your cluster's kube-system namespace:
$ helm repo add cilium https://helm.cilium.io/
$ helm repo update
$ helm install tetragon cilium/tetragon \
    --namespace kube-system \
    --create-namespace
Verify the DaemonSet and logs
Confirm Tetragon is running correctly:
$ kubectl -n kube-system get pods -l app.kubernetes.io/name=tetragon
$ kubectl -n kube-system logs -l app.kubernetes.io/name=tetragon
Enable audit policies
Create an example audit policy to monitor process execution events:
- Create an example policy file (e.g., exec-policy.yaml):

  apiVersion: cilium.io/v1alpha1
  kind: TracingPolicy
  metadata:
    name: exec-audit
  spec:
    kprobes:
    - call: execve
      syscall: true
      args:
      - index: 0
        type: string
      returnArg: true

- Apply the policy:
  $ kubectl apply -f exec-policy.yaml
View security events
Stream Tetragon audits and alerts in real-time:
$ kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -f
Test the policy
To verify your exec monitoring is working, create some test activity:
# Run a simple command that will trigger exec events
$ kubectl exec -n kube-system -it deployment/coredns -- /bin/sh -c "ls"
# Check if the event appears in Tetragon logs
$ kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon --tail=20
You should see JSON-formatted events showing the execve syscall details, including the command path, arguments, and container context.
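As an added example that is not part of this tutorial or the Tetragon project, the following Python script parses the JSON event stream that `kubectl logs` returns, counts executions per namespace, and flags a hypothetical watchlist of binaries. The sample log lines are constructed, and the field names (process_exec.process.binary, .arguments, .pod.namespace, .pod.name) are assumed to match Tetragon's JSON export for your version.

```python
import json
from collections import Counter

# Constructed sample of what `kubectl logs -l app.kubernetes.io/name=tetragon`
# streams after the exec-audit policy is applied: one JSON event per line.
# Field names follow Tetragon's process_exec export (an assumption to check
# against your Tetragon version); pods and timestamps are made up.
SAMPLE_LOG = """
{"process_exec":{"process":{"binary":"/bin/sh","arguments":"-c ls","pod":{"namespace":"kube-system","name":"coredns-7d9c"}}},"time":"2024-01-01T10:00:00Z"}
{"process_exec":{"process":{"binary":"/bin/ls","arguments":"","pod":{"namespace":"kube-system","name":"coredns-7d9c"}}},"time":"2024-01-01T10:00:01Z"}
{"process_exec":{"process":{"binary":"/usr/bin/apt","arguments":"install curl","pod":{"namespace":"ml-train","name":"trainer-0"}}},"time":"2024-01-01T10:00:02Z"}
{"process_exit":{"process":{"binary":"/bin/ls","pod":{"namespace":"kube-system","name":"coredns-7d9c"}}},"time":"2024-01-01T10:00:03Z"}
time="2024-01-01T10:00:04Z" level=info msg="not a JSON event"
"""

# Hypothetical watchlist: binaries whose execution inside a pod merits review.
WATCHLIST = {"/usr/bin/apt", "/usr/bin/apt-get", "/usr/bin/curl", "/usr/bin/wget"}


def parse_exec_events(log_text):
    """Yield (namespace, pod, binary, arguments) for each process_exec event.

    Non-JSON lines and other event types (process_exit, ...) are skipped;
    processes without a pod block (host processes) are reported as <host>.
    """
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        proc = event.get("process_exec", {}).get("process")
        if not proc:
            continue
        pod = proc.get("pod") or {}
        yield (pod.get("namespace", "<host>"), pod.get("name", "<host>"),
               proc.get("binary", ""), proc.get("arguments", ""))


def exec_counts_by_namespace(log_text):
    """Count process executions per Kubernetes namespace."""
    return Counter(ns for ns, _, _, _ in parse_exec_events(log_text))


def watchlist_hits(log_text, watchlist=WATCHLIST):
    """Return 'namespace/pod: binary args' for each watchlisted execution."""
    return [f"{ns}/{pod}: {binary} {args}".rstrip()
            for ns, pod, binary, args in parse_exec_events(log_text)
            if binary in watchlist]
```

Pipe real output into it with `kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon | python3 -c 'import sys, tetragon_exec; ...'`, replacing SAMPLE_LOG with `sys.stdin.read()`.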
Customizing policies
The example exec-policy.yaml monitors all process executions. You can create more targeted policies by:
| Policy Type | Configuration | Use Case |
|---|---|---|
| Specific binaries | Add path: "/usr/bin/apt" | Track package installations |
| Namespace filtering | Use namespaceSelector | Limit monitoring scope to specific namespaces |
| File access tracking | Monitor openat syscalls | Detect access to sensitive files |
| Network monitoring | Track connect syscalls | Monitor network connections |
Custom policies leverage CoreWeave's DPU-accelerated eBPF processing for minimal performance impact while providing detailed runtime visibility into your AI workloads.