
// the find

cilium/tetragon

★ 4,784 · C · Apache-2.0 · updated Jun 2026

eBPF-based Security Observability and Runtime Enforcement

Tetragon is a Kubernetes-native security observability and enforcement tool that hooks into the Linux kernel via eBPF to watch process execution, syscalls, and network/file I/O in real time. It sits in the Cilium ecosystem and is aimed at platform security teams who need runtime threat detection with Kubernetes context attached — pod name, namespace, and workload identity baked into every event. This is not a SIEM replacement; it's a kernel-level event source that feeds into one.

The Kubernetes-awareness is genuinely useful: most eBPF observability tools give you raw kernel events and leave joining them to k8s metadata as your problem, and Tetragon solves that at the source. TracingPolicy is a well-designed abstraction. You write a CRD that names the kernel hooks to attach (kprobes, tracepoints, uprobes, LSM hooks), the arguments to read, the selectors that must match (arguments, binary, namespaces, capabilities) and the actions to take, and Tetragon handles the BPF program lifecycle without requiring you to write C. Because selectors are evaluated inside the BPF program, non-matching events never reach userspace. The gRPC event stream API with protobuf types is clean and easy to consume from any language. The USERS.md file lists real production adopters, which is a meaningful signal for a project this low in the stack: it indicates the code survives contact with real workloads.

The enforcement story is limited compared to the observability story. On a policy match you can send SIGKILL (or another signal) to the offending process, and on kernels with error-injection support you can override a hooked syscall's return value so the call fails, but more nuanced responses (rate limiting, sandboxing, conditional allow) aren't there yet. Note that SIGKILL is asynchronous with respect to the hooked call: the process dies, but the operation that tripped the hook may already have completed. The BPF programs are written in C and vendored into the Go project, which means contributing to the actual detection logic requires eBPF C expertise most Go/platform engineers don't have. The project requires a relatively modern kernel (5.4+ for most features, 5.10+ for some enforcement capabilities), which cuts out anyone still running older distros in production. Documentation is decent at the happy path but thin on tuning. The main lever you have for high event volume is tighter selectors, so that filtering happens in the kernel rather than in userspace, but if you still push a lot of events you'll be on your own figuring out ring buffer sizing and CPU overhead.
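The TracingPolicy abstraction described above and the SIGKILL enforcement caveat, as an added example written for this page (it is not taken from the Tetragon repository or its docs): a policy that hooks the kernel's fd_install function, reads the resolved file path, and kills any process in pods labelled app=web that opens a file under /etc/shadow. The policy name and the app=web label are assumptions; the hook, argument types, selector fields and the Sigkill action are Tetragon's documented schema.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: kill-shadow-readers          # hypothetical policy name
spec:
  podSelector:                       # scope to pods carrying this (assumed) label
    matchLabels:
      app: web
  kprobes:
  - call: "fd_install"               # runs when a struct file is placed in the fd table,
    syscall: false                   # i.e. after the kernel has resolved the path
    args:
    - index: 0
      type: "int"                    # the new file descriptor number
    - index: 1
      type: "file"                   # Tetragon resolves the struct file to its path
    selectors:
    - matchArgs:                     # evaluated in BPF; non-matching opens never leave the kernel
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/shadow"
      matchActions:
      - action: Sigkill              # enforcement: kill the process that performed the open
```

Apply it with kubectl apply -f, then watch matches with tetra getevents -o compact; each event carries the pod, namespace and binary alongside the resolved path. Hooking fd_install rather than the openat syscall entry is deliberate: a syscall hook reads the pathname string from user memory before the kernel resolves it, so a racing process can swap the path after the check (a TOCTOU hole), whereas fd_install sees the file the kernel actually opened. The trade-off is the one noted above: by the time fd_install runs the file is already open, so Sigkill ends the process but does not undo the open.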
