Kubernetes / Observability / Security

Isovalent Open Sources Tetragon, eBPF-Based Observability Platform

16 Jun 2022 8:00am, by

How deep do you want to observe your systems? Would you like to peer all the way into the depths of the Linux kernel? If that sounds good to you, you’ll be happy to know that Isovalent, a company that incorporates networking, security, Kubernetes, and eBPF into its programs, recently open sourced Tetragon. It’s a very useful eBPF-based security observability and runtime enforcement platform.

You may not know its name, but Tetragon is not a new program. Isovalent has used it for years in its Isovalent Cilium Enterprise program. Cilium monitors network and runtime behavior with Kubernetes identity to provide a single source of data for cloud native forensics, audit, and compliance monitoring. In short, it works well.

By itself, Tetragon is a runtime security enforcement and observability tool. It enforces policy and filtering directly in eBPF in the kernel. It filters, blocks, and reacts to events directly in the kernel instead of sending events to a user space agent. That means it saves time and resources at a very low level.

Or, as Thomas Graf, Isovalent’s co-founder and CTO, put it, “Tetragon is a huge jump for extending it all the way down to low-level kernel visibility, bringing the ability to trace function calls, process execution, etc. all the way into kernel subsystem and gives platform and security teams a ton of advanced observability functionality. The OSS’ing of Tetragon is basically creating unlimited opportunities for observability ‘power user’ scenarios.”

For example, with Tetragon you can see into kernel subsystems. That means you can view namespace escapes, capability and privilege escalations, file system and data access, networking activity of protocols such as HTTP, DNS, TLS, and TCP, and even the system call layer to audit system call invocation and follow process execution.

More Than Observability

But Tetragon does more than just let you see what’s going on at a deep level. You can also affect it. Since Tetragon, via eBPF, has access to the Linux kernel state, it can join this kernel state with Kubernetes awareness or user policy to create rules enforced by the kernel in real-time. This allows annotating and enforcing process namespace and capabilities, sockets to processes, process file descriptor to filenames, and so on.

With this data, Tetragon can enforce security policies across the operating system by allowing lists for access control at several layers. Security policies can be injected via Kubernetes (CRDs), a JSON API, or systems such as Open Policy Agent (OPA).

None too shabby, eh?

Tetragon also comes with an agent that can natively integrate with modern observability and policy standards such as Kubernetes, Prometheus, fluentd, OpenTelemetry, Open Policy Agent, and traditional Security Information and Event Management (SIEM) platforms.

Of course, Isovalent would love it if you bought into Isovalent Cilium Enterprise, but honestly, by open sourcing Tetragon under the Apache 2 License, it’s given Linux-savvy developers and administrators all the tools they need to do remarkable work with their cloud native systems.

Featured image by Clker-Free-Vector-Images from Pixabay.