whatisgithub

What is tetragon?

cilium/tetragon — explained in plain English

Analysis updated 2026-06-26

4,662CAudience · ops devopsComplexity · 4/5LicenseSetup · hard

In one sentence

A security monitoring tool that watches process, file, and network activity inside Linux systems and Kubernetes clusters at the kernel level using eBPF, and can block suspicious activity in real time.

Mindmap

mindmap
  root((Tetragon))
    What it does
      Process monitoring
      File access tracking
      Network monitoring
      Real-time blocking
    How it works
      eBPF in Linux kernel
      No app modification
    Kubernetes features
      Namespace awareness
      Pod-level rules
    Use cases
      Security auditing
      Threat detection
      Compliance logging
    License
      Apache 2.0 main
      GPL kernel parts
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Monitor which processes start and what network connections they open in a Kubernetes cluster without modifying any running applications.

USE CASE 2

Write rules to block a specific container from accessing sensitive files or making unauthorized network connections in real time.

USE CASE 3

Generate enriched security audit logs that link system-level events to the exact Kubernetes pod and namespace that caused them.

What is it built with?

GoCeBPFKubernetesDocker

How does it compare?

cilium/tetragonattractivechaos/klibmicrosoft/procmon-for-linux
Stars4,6624,6614,675
LanguageCCC
Setup difficultyhardeasymoderate
Complexity4/53/53/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires a running Kubernetes cluster and Helm, full enforcement features need a Linux kernel that supports the required eBPF capabilities.

Licensing varies by component: Apache 2.0 for the main project (permissive), BSD for some parts, and GPL for kernel components which require sharing changes to those parts.

So what is it?

Tetragon is a security monitoring tool for Linux systems and Kubernetes clusters. Its job is to watch what is happening inside a running system at a very deep level: which programs are being started or stopped, which files are being read or written, and what network connections are being made. When it detects activity that matches a security rule, it can either record the event or actively block it in real time. The technology behind this is called eBPF, which is a way to run small inspection programs directly inside the Linux kernel, the core of the operating system. Because these programs run at the kernel level, they can observe activity that would be invisible to tools sitting higher up in the software stack. There is no need to modify the applications being monitored or install agents inside them. When running in a Kubernetes environment, which is a system for running many containerized applications across multiple servers, Tetragon understands Kubernetes concepts like namespaces and pods. This means you can write rules tied to a specific application or workload, rather than just to a machine. For example, you could monitor one service for unusual file access without that rule affecting other services running on the same server. The events Tetragon produces are enriched with context from both Linux and Kubernetes, so a security team reviewing logs can see not just what happened at the system level but also which application and which part of the cluster was involved. Out of the box it records process start and exit events. More advanced rules can be added to trace specific kernel functions, system calls, or user-space functions. Tetragon is part of the Cilium project, an open source networking and security project for Kubernetes. It is available under Apache 2.0, BSD, and GPL licenses depending on the component.

Copy-paste prompts

Prompt 1
How do I install Tetragon in a Kubernetes cluster using Helm and start seeing process execution events?
Prompt 2
How do I write a Tetragon TracingPolicy to monitor file access for a specific Kubernetes workload?
Prompt 3
How do I use Tetragon to block a container from making outbound network connections to unexpected IP addresses?
Prompt 4
What does Tetragon's eBPF-based monitoring look like compared to traditional agent-based security tools, and what are the tradeoffs?

Frequently asked questions

What is tetragon?

A security monitoring tool that watches process, file, and network activity inside Linux systems and Kubernetes clusters at the kernel level using eBPF, and can block suspicious activity in real time.

What language is tetragon written in?

Mainly C. The stack also includes Go, C, eBPF.

What license does tetragon use?

Licensing varies by component: Apache 2.0 for the main project (permissive), BSD for some parts, and GPL for kernel components which require sharing changes to those parts.

How hard is tetragon to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is tetragon for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.