This tutorial demonstrates how to use extended Berkeley Packet Filter (eBPF) with Cilium Tetragon for real-time security observability and runtime enforcement within Kubernetes on CoreWeave Kubernetes Service (CKS). By the end, you have Tetragon installed on a CKS cluster, an audit policy applied to monitor process execution, and a live stream of security events you can use for auditing, compliance, and runtime threat detection. This guide is for cluster operators and security engineers who need visibility into container and process behavior on CKS.

Background

CoreWeave reinforces network security and observability at multiple levels: programmable hardware (BlueField-3 DPUs), CNI plugins like Cilium (with eBPF), and runtime tools such as Cilium Tetragon for process-level enforcement and monitoring. This approach provides workload isolation, auditability, and real-time detection without the performance overhead of virtualized environments.

Purpose

  • Security observability: When you configure Tetragon with eBPF, you gain insight into security events and anomalies within your Kubernetes clusters. Tetragon provides runtime visibility into container behavior and can track specific system calls, such as execve, to provide an auditable trail of process executions.
  • Auditing and compliance: This setup helps you ensure compliance with security policies by showing which operations run within your cluster, which strengthens your security posture.

Prerequisites

  • A CoreWeave Kubernetes Service (CKS) cluster is in place.
  • Helm is installed to manage Kubernetes packages.
  • Cilium is installed on your CKS cluster (installed by default).
  • Tetragon version 0.11 or newer.
  • Linux kernel version 5.8 or later on your Nodes (required for Tetragon support).

Configuration steps

Add and install Tetragon through Helm

Tetragon provides the eBPF-based runtime monitoring agent that runs as a DaemonSet on every Node. Add the Cilium Helm chart repository and install Tetragon in your cluster’s kube-system namespace.
helm repo add cilium https://helm.cilium.io/
helm repo update
helm install tetragon cilium/tetragon \
  --namespace kube-system \
  --create-namespace
After the install completes, Tetragon schedules Pods as a DaemonSet across your cluster Nodes.

Verify the DaemonSet and logs

Before you apply policies, confirm Tetragon is running correctly.
kubectl -n kube-system get pods -l app.kubernetes.io/name=tetragon
kubectl -n kube-system logs -l app.kubernetes.io/name=tetragon

Enable audit policies

Audit policies specify which kernel events Tetragon observes. This example monitors process execution events so you can build an auditable trail of commands run inside your cluster.
  1. Create an example policy file (for example, exec-policy.yaml):
    apiVersion: cilium.io/v1alpha1
    kind: TracingPolicy
    metadata:
      name: exec-audit
    spec:
      kprobes:
      # Syscall hooks use the sys_ prefix; Tetragon resolves it to the
      # architecture-specific symbol (for example __x64_sys_execve).
      - call: "sys_execve"
        syscall: true
        args:
        # Argument 0 of execve is the path of the binary being executed.
        - index: 0
          type: "string"
        # Also attach a return probe and record the syscall's return value.
        return: true
        returnArg:
          index: 0
          type: "int"
  2. Apply the policy:
    kubectl apply -f exec-policy.yaml

View security events

After you apply the policy, Tetragon emits an event each time a matching syscall occurs. Stream Tetragon audits and alerts in real time:
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -f

Test the policy

Confirm that policy events reach the log stream by generating activity that the policy captures:
# Run a simple command that triggers exec events
kubectl exec -n kube-system -it deployment/coredns -- /bin/sh -c "ls"

# Check if the event appears in Tetragon logs
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon --tail=20
You see JSON-formatted events that show the execve syscall details, including the command path, arguments, and container context.
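The following is an added example (not part of this tutorial or of Tetragon itself) that reads the JSON event stream shown above and summarises every hit raised by the exec-audit policy, skipping the agent's plain-text log lines. It assumes the policy name from the previous step and uses a constructed sample of the stream plus an assumed watchlist of binaries.

```python
import json

# Constructed sample of the log stream: an agent line that is not JSON,
# and two kprobe hits from the exec-audit policy on different Nodes.
SAMPLE_LOG = """\
time="2025-01-01T00:00:00Z" level=info msg="Starting tetragon"
{"process_kprobe":{"process":{"pid":4242,"uid":0,"binary":"/bin/sh","arguments":"-c ls","pod":{"namespace":"kube-system","name":"coredns-7d5f9c8b6-abcde"}},"function_name":"__x64_sys_execve","args":[{"string_arg":"/bin/ls"}],"policy_name":"exec-audit"},"node_name":"node-1","time":"2025-01-01T00:00:01Z"}
{"process_kprobe":{"process":{"pid":4300,"uid":0,"binary":"/bin/bash","pod":{"namespace":"default","name":"builder-0"}},"function_name":"__x64_sys_execve","args":[{"string_arg":"/usr/bin/apt"}],"policy_name":"exec-audit"},"node_name":"node-2","time":"2025-01-01T00:00:02Z"}
"""

# Binaries whose execution deserves a closer look (assumed list, not from Tetragon).
WATCHLIST = {"/usr/bin/apt", "/usr/bin/apt-get"}


def parse_events(stream):
    """Yield one parsed JSON object per event line; skip the agent's plain log lines."""
    for line in stream.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or interleaved line; do not abort the stream


def exec_audit_hits(stream, policy="exec-audit"):
    """Summarise every kprobe event raised by the named TracingPolicy."""
    hits = []
    for ev in parse_events(stream):
        kp = ev.get("process_kprobe")
        if not kp or kp.get("policy_name") != policy:
            continue
        proc = kp.get("process", {})
        pod = proc.get("pod", {})
        # Index 0 of execve is the path handed to the syscall, captured as string_arg.
        path = next((a["string_arg"] for a in kp.get("args", []) if "string_arg" in a), None)
        hits.append({
            "node": ev.get("node_name"),
            "namespace": pod.get("namespace"),
            "pod": pod.get("name"),
            "caller": proc.get("binary"),
            "uid": proc.get("uid"),
            "exec_path": path,
            "flagged": path in WATCHLIST,
        })
    return hits


if __name__ == "__main__":
    for hit in exec_audit_hits(SAMPLE_LOG):
        print(hit)
```

To run it against a live cluster, pipe `kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -f` into the script in place of SAMPLE_LOG.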

Customize policies

After the base policy works, you can scope monitoring to the events most relevant to your security posture. The example exec-policy.yaml monitors all process executions. You can create more targeted policies:

  Policy type            Configuration                  Use case
  Specific binaries      Add path: "/usr/bin/apt"       Track package installations
  Namespace filtering    Use namespaceSelector          Limit monitoring scope to specific namespaces
  File access tracking   Monitor openat syscalls        Detect access to sensitive files
  Network monitoring     Track connect syscalls         Monitor network connections

Custom policies use CoreWeave’s DPU-accelerated eBPF processing for low performance impact while providing runtime visibility into your AI workloads.
Last modified on June 10, 2026