Runtime Enforcement

Prevent threats and enforce policies in real-time

Achieve threat prevention in cloud native environments while maintaining operational agility

Cloud native environments are often dynamic and distributed, requiring a security approach that encompasses detection and prevention. Observing and filtering events in user space can be resource-intensive and lead to blind spots in security monitoring, leaving systems vulnerable to attacks.

Tetragon Shield

Security Observability and Runtime Enforcement with Cilium’s Tetragon

Tetragon enables transparent security observability and real-time runtime enforcement through its eBPF-based technology. It provides deep visibility without requiring changes to the application and operates with low overhead through in-kernel filtering and aggregation logic built into the eBPF-based kernel-level collector. Tetragon's embedded runtime enforcement layer offers access control capabilities at various enforcement levels, including system call control.

Kubernetes-aware Real Time Enforcement

Tetragon is Kubernetes-aware, meaning it recognizes Kubernetes identities like namespaces and pods. This enables security event detection that can be tailored to individual workloads. Using eBPF, Tetragon can access the Linux kernel state and combine it with Kubernetes awareness and user policy to generate rules that are enforced by the kernel in real-time. This allows for capabilities like process namespace and capabilities annotation and enforcement, process file descriptor to filename association, and socket to process control.

identities with cilium

Who’s using Cilium’s Tetragon for Security Observability and Runtime Enforcement?

  • Integrating Tetragon for Secured Build Pipelines

    Factory for Repeatable Secure Creation of Artifacts (FRSCA) is utilizing tetragon integrated with Tekton to create runtime attestation to attest artifact and builder attributes.

  • Pollenating Build Attestations on Kubernetes with Tetragon and eBPF

    Attestagon is a Kubernetes controller that utilizes Tetragon to generate build provenance provenance for artifacts built inside Kubernetes pods

  • Hubble + Tetragon at Palantir

    Palantir utilizes Hubble and Tetragon for runtime enforcement and security observability in their Kubernetes clusters

Want to Learn More?

Join the Cilium Slack

Cilium is an open source project that anyone in the community can use, improve, and enjoy. We'd love you to join us on Slack! Find out what's happening and get involved.

Join the Slack

Read the Documentation

Cilium has extensive documentation that covers its features and use cases. The docs also features tutorials for common user stories.

Read the Docs

Get Help

Get help with Cilium through Slack, Github, training, support, and FAQs. The community can also help you tell or promote your story around Cilium.

Get Help