# eBPF Security Observability with Cilium Tetragon

> Real-time Kubernetes security observability with eBPF and Cilium Tetragon on CKS

This tutorial demonstrates how to use eBPF (extended Berkeley Packet Filter) with Cilium Tetragon for real-time security observability and runtime enforcement within Kubernetes on CoreWeave Kubernetes Service (CKS).

## Background

CoreWeave reinforces network security and observability at multiple levels: using programmable hardware (BlueField-3 DPUs), advanced CNI plugins like Cilium (with eBPF), and runtime tools such as Cilium Tetragon for process-level enforcement and monitoring. This approach provides strong workload isolation, robust auditability, and real-time detection without the performance overhead of virtualized environments.

### Purpose

* **Enhanced Security Observability**: By configuring Tetragon with eBPF, you can gain deep insights into security events and anomalies within your Kubernetes clusters. Tetragon enables runtime visibility into the behavior of containers and can track specific system calls, such as `execve`, to provide an auditable trail of process executions.
* **Auditing and Compliance**: This setup helps you ensure compliance with security policies by showing exactly what operations run within your cluster, strengthening your overall security posture.

## Prerequisites

* A CKS (CoreWeave Kubernetes Service) cluster is in place.
* Helm is installed for managing Kubernetes packages.
* Cilium is installed on your CKS cluster (installed by default).
* Tetragon version 0.11 or newer.
* Linux kernel version 5.8+ on your Nodes (required for Tetragon support).

## Configuration steps

### Add and install Tetragon through Helm

Add the Cilium Helm chart repository and install Tetragon in your cluster's `kube-system` namespace:

```bash
helm repo add cilium https://helm.cilium.io/
helm repo update
helm install tetragon cilium/tetragon \
  --namespace kube-system \
  --create-namespace
```

### Verify the DaemonSet and logs

Confirm Tetragon is running correctly:

```bash
kubectl -n kube-system get pods -l app.kubernetes.io/name=tetragon
# The Tetragon pod runs several containers; the agent's own log is in "tetragon"
kubectl -n kube-system logs -l app.kubernetes.io/name=tetragon -c tetragon
```

### Enable audit policies

Create an example audit policy to monitor process execution events:

1. Create an example policy file (e.g., `exec-policy.yaml`):

   ```yaml title="exec-policy.yaml"
   apiVersion: cilium.io/v1alpha1
   kind: TracingPolicy
   metadata:
     name: exec-audit
   spec:
     kprobes:
     # Syscall kprobes use the sys_ prefixed name; Tetragon resolves the
     # architecture-specific symbol (for example __x64_sys_execve) itself.
     - call: sys_execve
       syscall: true
       args:
       - index: 0      # const char *filename: the path being executed
         type: string
       return: true    # also hook the return so the syscall result is reported
       returnArg:
         index: 0
         type: int
   ```

2. Apply the policy:

   ```bash
   kubectl apply -f exec-policy.yaml
   ```

### View security events

Stream Tetragon audits and alerts in real-time:

```bash
# Exported JSON events are written by the export-stdout container, not the agent container
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout -f
```

## Test the policy

To verify your exec monitoring is working, create some test activity:

```bash
# Run a simple command that will trigger exec events.
# The target image must contain /bin/sh; use any pod that has a shell if yours does not.
kubectl exec -n kube-system -it deployment/coredns -- /bin/sh -c "ls"

# Check that the event appears in the exported event stream (export-stdout container)
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout --tail=20
```

You should see JSON-formatted events showing the `execve` syscall details, including the command path, arguments, and container context.

## Customizing policies

The example `exec-policy.yaml` monitors all process executions. You can create more targeted policies in the following ways:

| Policy Type              | Configuration              | Use Case                                      |
| ------------------------ | -------------------------- | --------------------------------------------- |
| **Specific binaries**    | Add `path: "/usr/bin/apt"` | Track package installations                   |
| **Namespace filtering**  | Use `namespaceSelector`    | Limit monitoring scope to specific namespaces |
| **File access tracking** | Monitor `openat` syscalls  | Detect access to sensitive files              |
| **Network monitoring**   | Track `connect` syscalls   | Monitor network connections                   |

Custom policies leverage CoreWeave's DPU-accelerated eBPF processing for minimal performance impact while providing detailed runtime visibility into your AI workloads.
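The JSON event stream from the "View security events" and "Test the policy" sections, and the policy types in the table above, can be exercised off-cluster with a small triage script. The following is an added example, not part of the original page and not Tetragon's own code: it parses a few constructed lines shaped like Tetragon's export-stdout output (`process_exec` and `process_kprobe` events; the field layout follows Tetragon's JSON export as assumed here, and the `__x64_sys_*` function names are the symbols an x86_64 node reports), extracts the command path, arguments and pod/container context, and applies rules corresponding to the table's policy types (specific binaries, namespace filtering, access to sensitive files). The rule names, pod names and file paths are made up for the example.

```python
"""Triage of Tetragon JSON events: parse, extract container context, match rules."""
import json
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample lines, shaped like the JSON that Tetragon's export-stdout
# container prints (one event per line). Not real cluster output.
SAMPLE_LINES = [
    json.dumps({"process_kprobe": {
        "process": {"binary": "/bin/sh", "arguments": "-c ls",
                    "pod": {"namespace": "kube-system", "name": "coredns-5d78c9869d-abcde",
                            "container": {"name": "coredns"}}},
        "function_name": "__x64_sys_execve",
        "args": [{"string_arg": "/bin/ls"}], "return": {"int_arg": 0}},
        "node_name": "node-1", "time": "2024-01-01T00:00:01Z"}),
    json.dumps({"process_kprobe": {
        "process": {"binary": "/usr/bin/cat", "arguments": "/etc/shadow",
                    "pod": {"namespace": "default", "name": "web-7c9f",
                            "container": {"name": "web"}}},
        "function_name": "__x64_sys_openat",
        "args": [{"int_arg": -100}, {"string_arg": "/etc/shadow"}, {"int_arg": 0}]},
        "node_name": "node-1", "time": "2024-01-01T00:00:02Z"}),
    json.dumps({"process_exec": {
        "process": {"binary": "/usr/bin/apt", "arguments": "install -y curl",
                    "pod": {"namespace": "default", "name": "builder-0",
                            "container": {"name": "build"}}}},
        "node_name": "node-2", "time": "2024-01-01T00:00:03Z"}),
    json.dumps({"process_kprobe": {
        "process": {"binary": "/usr/bin/id", "arguments": "",
                    "pod": {"namespace": "default", "name": "web-7c9f",
                            "container": {"name": "web"}}},
        "function_name": "__x64_sys_execve", "args": [{"string_arg": "/usr/bin/id"}]},
        "node_name": "node-1", "time": "2024-01-01T00:00:04Z"}),
    'level=info msg="Starting tetragon"',  # agent log noise, not an event
]


@dataclass
class Event:
    kind: str        # "process_exec" or "process_kprobe"
    function: str    # probed symbol ("" for process_exec)
    binary: str
    arguments: str
    namespace: str
    pod: str
    container: str
    args: list       # decoded kprobe arguments in index order
    time: str


def _decode_arg(arg: dict):
    """Tetragon encodes each kprobe arg as {"<type>_arg": value}; keep the value."""
    return next(iter(arg.values()), None)


def parse_event(line: str) -> Optional[Event]:
    """Return an Event for a process_exec/process_kprobe line, None for anything else."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict):
        return None
    kind = next((k for k in ("process_exec", "process_kprobe") if k in obj), None)
    if kind is None:
        return None
    body = obj[kind]
    proc = body.get("process", {})
    pod = proc.get("pod", {})
    return Event(kind=kind, function=body.get("function_name", ""),
                 binary=proc.get("binary", ""), arguments=proc.get("arguments", ""),
                 namespace=pod.get("namespace", ""), pod=pod.get("name", ""),
                 container=pod.get("container", {}).get("name", ""),
                 args=[_decode_arg(a) for a in body.get("args", [])],
                 time=obj.get("time", ""))


@dataclass
class Rule:
    name: str
    binaries: tuple = ()       # exact binary paths (the table's "specific binaries")
    namespaces: tuple = ()     # restrict to these pod namespaces
    functions: tuple = ()      # probed symbols, e.g. __x64_sys_openat
    path_prefixes: tuple = ()  # a string arg must start with one of these

    def matches(self, ev: Event) -> bool:
        if self.binaries and ev.binary not in self.binaries:
            return False
        if self.namespaces and ev.namespace not in self.namespaces:
            return False
        if self.functions and ev.function not in self.functions:
            return False
        if self.path_prefixes:
            paths = [a for a in ev.args if isinstance(a, str)]
            if not any(p.startswith(pre) for p in paths for pre in self.path_prefixes):
                return False
        return True


# Hypothetical rules mirroring the policy types in the table above.
RULES = [
    Rule("exec-in-kube-system", namespaces=("kube-system",), functions=("__x64_sys_execve",)),
    Rule("sensitive-file-open", functions=("__x64_sys_openat",),
         path_prefixes=("/etc/shadow", "/etc/kubernetes/", "/var/run/secrets/")),
    Rule("package-install", binaries=("/usr/bin/apt", "/usr/bin/apt-get", "/usr/bin/dpkg")),
]


def triage(lines: Iterable[str], rules=RULES) -> list:
    """Match every parsed event against the rules; return one finding per hit."""
    hits = []
    for ev in filter(None, map(parse_event, lines)):
        for rule in rules:
            if rule.matches(ev):
                hits.append({"rule": rule.name, "time": ev.time,
                             "where": f"{ev.namespace}/{ev.pod}/{ev.container}",
                             "what": f"{ev.binary} {ev.arguments}".strip(),
                             "function": ev.function, "args": ev.args})
    return hits


if __name__ == "__main__":
    import sys
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for hit in triage(source):
        print(json.dumps(hit))
```

Run it stand-alone to see the three findings from the constructed input, or feed it the live stream with `kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout -f | python3 tetragon_triage.py`. The script applies the filters after export; in production the same narrowing belongs in the TracingPolicy itself, which keeps event volume down and lets Tetragon act on the match in-kernel, with a script like this reserved for enrichment and alert routing.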
