One of the best ways to properly secure a cloud-native environment is to have full visibility, and that begins at the Linux kernel level. That’s one of the basic ideas behind the open-source Tetragon project, which celebrated its 1.0 release at the KubeCon NA 2023 event this week.

Tetragon is part of the larger Cilium project, which uses the eBPF (extended Berkeley Packet Filter) technology that is integrated into the Linux kernel. With eBPF, users get very precise, packet-level visibility into activity on a Linux-based system. Cilium builds on eBPF specifically to provide that visibility, with a focus on cloud-native Kubernetes deployments. Tetragon goes a step further by providing a powerful runtime security layer.

“Tetragon is designed to be a runtime security layer for Kubernetes platforms featuring transparency to applications, minimal overhead and simple usage,” Thomas Graf, Cilium creator and CTO and cofounder at Isovalent, told SDxCentral. “The primary use cases for Tetragon are to provide security observability and to enforce security policies with the purpose of threat mitigation and implementing zero-trust runtime security postures.”

Tetragon use cases were driven by users

In a session at KubeCon, Natalia Reka Ivanko, security product lead, and John Fastabend, software engineer, both at Isovalent, detailed the history and capabilities of Tetragon.

Ivanko said the project got its start in 2020 as part of the commercial Cilium Enterprise product. The technology became open source in 2022, with the 1.0 GA happening in November 2023. The main use cases for Tetragon from the outset have been execution monitoring, file access monitoring, network monitoring and policy enforcement.

The evolution of Tetragon has been heavily influenced by its users. Ivanko said early-stage users included Palantir, GitHub and Bell. Palantir actually wrote a blog detailing its use of Tetragon (before it was open source under the Tetragon name).

The early users helped to drive an expanded set of capabilities, including robust network security with the ability to observe all network connections. Runtime security enforcement in Tetragon was expanded with capabilities to execute policies based on observed traffic.

Ivanko noted that in the mid-stage of Tetragon’s existence, big users included Nationwide Insurance, Ripple and Roche. For those users there was a need for a better user experience, and to that end a wide array of dashboards was added to the technology.

Where Tetragon is headed

Adding security enforcement to any technology always raises questions about the cost in terms of application performance.

Fastabend noted that the system resource overhead with Tetragon is quite small and can be less than 2% in many situations. Fastabend emphasized that while there are many different ways to do runtime security in a cloud-native environment, having kernel-level observability provides more control than other options.

“Syscalls [system calls] are just the top layer that the user interfaces with; if you want to know about the socket state, if you want to know about the TCP state of the machine, if you want to know what’s going on in your networking on the OS side, you really need to dig into the kernel,” he said. “And so, Tetragon has the ability to hook almost any function in the kernel, syscalls included, but not limited to syscalls.”
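As an added illustration of the point Fastabend makes, and not code from the article or from the Tetragon project itself, here is a TracingPolicy that hooks the kernel’s tcp_connect() function (not a syscall) and kills any process attempting a TCP connection to port 25; field names are assumed to follow the TracingPolicy format of Tetragon 1.0, and the port is a constructed sample value.

```yaml
# Added example (assumes the cilium.io/v1alpha1 TracingPolicy format of
# Tetragon 1.0; not taken from the article or the Tetragon project).
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "block-outbound-smtp"
spec:
  kprobes:
  # tcp_connect() is an in-kernel function on the TCP connect path, not a
  # syscall entry point, so "syscall: false" attaches a plain kprobe to it.
  - call: "tcp_connect"
    syscall: false
    args:
    # The first argument is the struct sock being connected; Tetragon decodes
    # it into source/destination address, port, family and protocol fields,
    # which is the socket state a syscall-only hook would not see.
    - index: 0
      type: "sock"
    selectors:
    # Match fields inside one selector are ANDed: only connections whose
    # destination port is 25 (constructed sample) trigger the action.
    - matchArgs:
      - index: 0
        operator: "DPort"
        values:
        - "25"
      # Enforcement: the calling process receives SIGKILL. Remove this
      # matchActions block to log matching connections without enforcing.
      matchActions:
      - action: Sigkill
```

Apply it with `kubectl apply -f` and watch the resulting events with `tetra getevents -o compact`; each matching attempt is reported with the process, pod and decoded socket fields before the action is taken.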

Fastabend noted that Tetragon is now being used to help develop and maintain software bills of materials (SBOMs) for operations, as the technology provides highly detailed information about all network connections. He also expects that there will be even more types of dashboards for visibility added in the future.

“We’ve done a lot of work to get to 1.0, but there’s just a ton more stuff to do that’s super interesting,” he said.