# eBPF security observability with Cilium Tetragon

> Real-time Kubernetes security observability with eBPF and Cilium Tetragon on CKS

This tutorial demonstrates how to use extended Berkeley Packet Filter (eBPF) with Cilium Tetragon for real-time security observability and runtime enforcement within Kubernetes on CoreWeave Kubernetes Service (CKS). By the end, you have Tetragon installed on a CKS cluster, an audit policy applied to monitor process execution, and a live stream of security events you can use for auditing, compliance, and runtime threat detection. This guide is for cluster operators and security engineers who need visibility into container and process behavior on CKS.

## Background

CoreWeave reinforces network security and observability at multiple levels: programmable hardware (BlueField-3 DPUs), CNI plugins like Cilium (with eBPF), and runtime tools such as Cilium Tetragon for process-level enforcement and monitoring. This approach provides workload isolation, auditability, and real-time detection without the performance overhead of virtualized environments.

### Purpose

* **Security observability**: When you configure Tetragon with eBPF, you gain insight into security events and anomalies within your Kubernetes clusters. Tetragon provides runtime visibility into container behavior and can track specific system calls, such as `execve`, to provide an auditable trail of process executions.
* **Auditing and compliance**: This setup helps you ensure compliance with security policies by showing which operations run within your cluster, which strengthens your security posture.

## Prerequisites

* A CoreWeave Kubernetes Service (CKS) cluster is in place.
* Helm is installed to manage Kubernetes packages.
* Cilium is installed on your CKS cluster (installed by default).
* Tetragon version 0.11 or newer.
* Linux kernel version 5.8 or later on your Nodes (required for Tetragon support).

## Configuration steps

### Add and install Tetragon through Helm

Tetragon provides the eBPF-based runtime monitoring agent that runs as a DaemonSet on every Node. Add the Cilium Helm chart repository and install Tetragon in your cluster's `kube-system` namespace.

```bash theme={"system"}
helm repo add cilium https://helm.cilium.io/
helm repo update
helm install tetragon cilium/tetragon \
  --namespace kube-system \
  --create-namespace
```

After the install completes, Tetragon schedules Pods as a DaemonSet across your cluster Nodes.

### Verify the DaemonSet and logs

Before you apply policies, confirm Tetragon is running correctly.

```bash theme={"system"}
kubectl -n kube-system get pods -l app.kubernetes.io/name=tetragon
# The Pod has two containers: "tetragon" (the agent) and "export-stdout"
# (the JSON event export). Read the agent container for startup errors.
kubectl -n kube-system logs -l app.kubernetes.io/name=tetragon -c tetragon
```

### Enable audit policies

Audit policies specify which kernel events Tetragon observes. This example monitors process execution events so you can build an auditable trail of commands run inside your cluster.

1. Create an example policy file (for example, `exec-policy.yaml`):

   ```yaml title="exec-policy.yaml" theme={"system"}
   apiVersion: cilium.io/v1alpha1
   kind: TracingPolicy
   metadata:
     name: exec-audit
   spec:
     kprobes:
     # Syscall hooks use the sys_ prefix; Tetragon adds the architecture-specific prefix itself
     - call: sys_execve
       syscall: true
       args:
       - index: 0        # const char *filename: the program being executed
         type: string
       # returnArg is an argument spec, not a boolean: capture the syscall's int return value
       returnArg:
         index: 0
         type: int
   ```

2. Apply the policy:

   ```bash theme={"system"}
   kubectl apply -f exec-policy.yaml
   ```

### View security events

After you apply the policy, Tetragon emits an event each time a matching syscall occurs. Stream Tetragon audits and alerts in real time:

```bash theme={"system"}
# Events are written by the export-stdout container, not the agent container
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout -f
```

## Test the policy

Confirm that policy events reach the log stream by generating activity that the policy captures:

```bash theme={"system"}
# Start a short-lived busybox Pod and run a command in it; this produces execve events.
# (The upstream CoreDNS image is distroless and has no /bin/sh to exec into.)
kubectl run exec-audit-test --rm -it --restart=Never --image=busybox -- ls /

# Check that the event appears in the Tetragon event export
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout --tail=20
```

You see JSON-formatted events that show the `execve` syscall details, including the command path, arguments, and container context.

## Customize policies

After the base policy works, you can scope monitoring to the events most relevant to your security posture. The example `exec-policy.yaml` monitors all process executions. You can create more targeted policies:

| Policy type              | Configuration                                                                              | Use case                                      |
| ------------------------ | ------------------------------------------------------------------------------------------ | --------------------------------------------- |
| **Specific binaries**    | Add a `selectors` entry with `matchArgs` on the `execve` path (for example, `Prefix` `/usr/bin/apt`) | Track package installations                   |
| **Namespace filtering**  | Use `kind: TracingPolicyNamespaced` with a `metadata.namespace`                            | Limit monitoring scope to specific namespaces |
| **File access tracking** | Hook the `sys_openat` syscall and match on the path argument                               | Detect access to sensitive files              |
| **Network monitoring**   | Hook the `sys_connect` syscall                                                             | Monitor network connections                   |

Custom policies use CoreWeave's DPU-accelerated eBPF processing for low performance impact while providing runtime visibility into your AI workloads.
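As an added example that is not part of the original tutorial, the policy below combines two of the targeting techniques from the table: it records `execve` calls only when the requested program path starts with `/usr/bin/apt`, and records `openat` calls only for credential files. The policy name, the matched paths, and the choice of hooks are this example's assumptions.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: targeted-audit          # assumed name for this example
spec:
  kprobes:
  # Hook 1: package-manager executions. The selector matches on the execve
  # filename argument (index 0), so it catches apt, apt-get and apt-cache
  # regardless of which shell or parent process called them.
  - call: sys_execve
    syscall: true
    args:
    - index: 0                  # const char *filename
      type: string
    returnArg:
      index: 0
      type: int
    selectors:
    - matchArgs:
      - index: 0
        operator: Prefix
        values:
        - /usr/bin/apt
  # Hook 2: opens of credential files by any process. Without a selector this
  # hook would emit an event for every openat on the Node, which is noisy and
  # costly; the Prefix match keeps only the sensitive paths.
  - call: sys_openat
    syscall: true
    args:
    - index: 0                  # int dfd
      type: int
    - index: 1                  # const char *filename
      type: string
    - index: 2                  # int flags
      type: int
    returnArg:
      index: 0
      type: int
    selectors:
    - matchArgs:
      - index: 1
        operator: Prefix
        values:
        - /etc/shadow
        - /etc/sudoers
```

The same `spec` under `kind: TracingPolicyNamespaced` with a `metadata.namespace` limits the policy to one namespace. The `openat` match compares the literal path string passed by the caller, so a relative path or an `openat2` call is not matched; hooking a kernel function such as `security_file_permission` with a `file` argument type observes the resolved file instead.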
